This article describes how to configure AD-FS SAML authentication for Dial-up IPsec VPN.
Scope: FortiGate v7.2.0 or later and FortiClient v7.2.4 or later.
FortiClient v7.2.4 or later supports SAML authentication for Dial-up IPsec VPN users when IKEv2 is in use.
The first step is to download the ADFS token-signing certificate. Open ADFS from Server Manager -> Tools -> AD FS Management and navigate to AD FS -> Certificates.
'Right-click' the Token-signing certificate and select View Certificate.
On the Details tab, select Copy to File and save the exported certificate.
Import this certificate into FortiGate under System -> Certificates.
Configuration on FortiGate:
config sys global
    set auth-ike-saml-port 9443
end
config user setting
    set auth-cert "Fortinet_Factory"
end
config user saml
    edit "saml-adfs"
        set cert "homegate.abc.xyz"
        set entity-id "http://homegate.abc.xyz:9443/remote/saml/metadata/"
        set single-sign-on-url "https://homegate.abc.xyz:9443/remote/saml/login"
        set single-logout-url "https://homegate.abc.xyz:9443/remote/saml/logout"
        set idp-entity-id "http://adfs.abc.xyz/adfs/services/trust"
        set idp-single-sign-on-url "https://adfs.abc.xyz/adfs/ls"
        set idp-single-logout-url "https://adfs.abc.xyz/adfs/ls?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_5"
        set user-name "username"
        set group-name "Group"
        set digest-method sha1
    next
end
config system interface
    edit "vlan_20"
        set ike-saml-server "saml-adfs"
    next
end
config user group
    edit "ike-saml-auth"
        set member "saml-adfs"
    next
end
config vpn ipsec phase1-interface
    edit "saml_vpn"
        set type dynamic
        set interface "vlan_20"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal des-sha1 des-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "ike-saml-auth"
        set ipv4-start-ip 192.168.255.1
        set ipv4-end-ip 192.168.255.255
        set dns-mode auto
        set psksecret ENC xxxxxxxxxxxx
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "saml_vpn"
        set phase1name "saml_vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
config firewall policy
    edit 0
        set name "saml-vpn"
        set srcintf "saml_vpn"
        set dstintf "vlan_20"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Note:
Configure the user group either in the firewall policy or in the Phase 1 VPN settings (authusrgrp), but not both.
Configuration on ADFS:
Open ADFS from Server Manager -> Tools -> AD FS Management and navigate to Relying Party Trusts. 'Right-click' on it and select Add Relying Party Trust.
In the Add Relying Party Trust Wizard, select Claims aware as shown in the screenshot below:
Under Select Data Source, choose Enter data about the relying party manually:
Under Configure Certificate, add the SP certificate used in the SAML configuration on FortiGate:
Under Configure URL, add SP’s single-sign-on-url:
Under Configure Identifiers, add SP’s entity-id url.
Finally, select 'Configure claims issuance policy for this application'.
Now, under the Claims Issuance Policy, add the following rule:
'Right-click' the newly added relying party and select Properties.
Under the Endpoints tab, add the single-logout-url as shown below:
Under the Signature tab, add the SP certificate.
Under the Advanced tab, change the secure hash algorithm to SHA1.
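The values entered into the AD FS relying party trust (identifier, SSO URL, logout endpoint, SP certificate) must mirror the FortiGate 'config user saml' entry, and the idp-* values on FortiGate must mirror what AD FS publishes in its federation metadata, so most failed logins trace back to a mismatched URL, port or certificate. The following Python script is an added example and is not part of this article or of any Fortinet or Microsoft tool: it parses the FortiGate CLI shown above together with a constructed excerpt of AD FS federation metadata (the certificate value is a placeholder, not a real token-signing certificate) and reports every mismatch. The hostnames, the metadata excerpt and the function names are assumptions; the metadata URL in the comment is the standard AD FS location.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# FortiGate CLI from the article: the IKE SAML port and the "config user saml" entry.
FORTIGATE_CONFIG = """\
config sys global
    set auth-ike-saml-port 9443
end
config user saml
    edit "saml-adfs"
        set cert "homegate.abc.xyz"
        set entity-id "http://homegate.abc.xyz:9443/remote/saml/metadata/"
        set single-sign-on-url "https://homegate.abc.xyz:9443/remote/saml/login"
        set single-logout-url "https://homegate.abc.xyz:9443/remote/saml/logout"
        set idp-entity-id "http://adfs.abc.xyz/adfs/services/trust"
        set idp-single-sign-on-url "https://adfs.abc.xyz/adfs/ls"
        set idp-single-logout-url "https://adfs.abc.xyz/adfs/ls?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_5"
        set digest-method sha1
    next
end
"""

# Constructed excerpt of AD FS federation metadata (placeholder certificate, not a real one).
# AD FS serves the real document at https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml
ADFS_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="http://adfs.abc.xyz/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-TOKEN-SIGNING-CERT-BASE64</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.abc.xyz/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.abc.xyz/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SET_LINE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_fortios_settings(text):
    """Collect every 'set <key> <value>' line into a flat dict (quotes stripped).
    The keys used below are unique across the two blocks, so nesting is not tracked."""
    settings = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def parse_adfs_metadata(xml_text):
    """Extract the values the FortiGate idp-* settings must match from AD FS metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    cert = idp.find(f"{MD}KeyDescriptor[@use='signing']/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    sso = [e.get("Location") for e in idp.findall(MD + "SingleSignOnService")
           if e.get("Binding") == HTTP_POST]
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso[0] if sso else None,
        "signing_cert": "".join(cert.text.split()) if cert is not None else None,
    }


def _strip_slash(url):
    # AD FS metadata lists /adfs/ls/ while the article configures /adfs/ls; treat them as equal.
    return url.rstrip("/") if url else url


def check_consistency(fgt, idp, imported_cert_b64):
    """Return a list of mismatches; an empty list means SP and IdP settings agree.
    imported_cert_b64 is the base64 body of the token-signing .cer that was imported
    under System -> Certificates (hypothetical input, whitespace removed)."""
    findings = []
    port = fgt.get("auth-ike-saml-port")
    # SP side: these three values go into the relying party trust (Configure Identifiers,
    # Configure URL, Endpoints), so they must point at the IKE SAML port, and the
    # login/logout endpoints must be https.
    for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
        url = urlparse(fgt.get(key, ""))
        if str(url.port) != port:
            findings.append(f"{key} must use auth-ike-saml-port {port}: {fgt.get(key)}")
        if key != "entity-id" and url.scheme != "https":
            findings.append(f"{key} must be https: {fgt.get(key)}")
    # IdP side: FortiGate's idp-* values must match what AD FS publishes.
    if fgt.get("idp-entity-id") != idp["entity_id"]:
        findings.append(f"idp-entity-id {fgt.get('idp-entity-id')} != metadata entityID {idp['entity_id']}")
    if _strip_slash(fgt.get("idp-single-sign-on-url")) != _strip_slash(idp["sso_url"]):
        findings.append(f"idp-single-sign-on-url {fgt.get('idp-single-sign-on-url')} != metadata SSO {idp['sso_url']}")
    # The article uses the WS-Federation sign-out URL for logout, so only the host is compared here.
    if urlparse(fgt.get("idp-single-logout-url", "")).hostname != urlparse(idp["sso_url"] or "").hostname:
        findings.append(f"idp-single-logout-url host differs from the IdP: {fgt.get('idp-single-logout-url')}")
    # The imported idp-cert must be the signing certificate the metadata advertises,
    # otherwise assertion signature verification fails at login.
    if imported_cert_b64 != idp["signing_cert"]:
        findings.append("idp-cert does not match the AD FS token-signing certificate in metadata")
    return findings


def run_checks(config_text=FORTIGATE_CONFIG, metadata_text=ADFS_METADATA,
               imported_cert_b64="PLACEHOLDER-TOKEN-SIGNING-CERT-BASE64"):
    return check_consistency(parse_fortios_settings(config_text),
                             parse_adfs_metadata(metadata_text), imported_cert_b64)


if __name__ == "__main__":
    for finding in run_checks() or ["SP and IdP settings are consistent"]:
        print(finding)
```

With the article's values the script reports no findings; changing the SP port, the IdP entity ID or the imported certificate produces one line per mismatch, which is the same set of values to re-check in the relying party trust before turning on the fnbamd and saml debugs.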
Test ADFS SAML authentication:
Users can now successfully log in to the Dial-up IPsec VPN.
Note:
FortiClient's free version on macOS does not support IKEv2; using IKEv2 requires an EMS license for FortiClient v7.2.3 and above. For more information, refer to: Technical Tip: FortiClient Mac does not support IKE v2 in IPsec
Troubleshooting:
Execute the following commands to enable debugging on the FortiGate, then reproduce the issue if there is one:
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application saml -1
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug enable
Note:
Dial-up IPsec with SAML using an external browser for authentication is supported starting from FortiOS v7.6.1, FortiClient versions 7.2.5 and 7.4.1 for Mac and Windows, and FortiClient version 7.4.3 for Linux.
Copyright 2025 Fortinet, Inc. All Rights Reserved.