This article describes how to configure AD-FS SAML authentication for Dial-up IPsec VPN.
This applies to FortiGate v7.2.0 or later and FortiClient v7.2.4 or later.
FortiClient v7.2.4 or later supports SAML authentication for Dial-up IPsec VPN users when IKEv2 is in use.
The first step is to download the ADFS Token-signing certificate. Open ADFS from Server Manager -> Tools -> AD FS Management and navigate to AD FS -> Certificates.
'Right-click' on the Token-signing certificate and select View Certificate.
Select the details tab and select Copy to File, then save it.
Import this certificate into FortiGate by navigating to System -> Certificates:
Configuration on FortiGate:
config sys global
    set auth-ike-saml-port 9443
end
config user setting
    set auth-cert "Fortinet_Factory"
end
config user saml
    edit "saml-adfs"
        set cert "homegate.abc.xyz"
        set entity-id "http://homegate.abc.xyz:9443/remote/saml/metadata/"
        set single-sign-on-url "https://homegate.abc.xyz:9443/remote/saml/login"
        set single-logout-url "https://homegate.abc.xyz:9443/remote/saml/logout"
        set idp-entity-id "http://adfs.abc.xyz/adfs/services/trust"
        set idp-single-sign-on-url "https://adfs.abc.xyz/adfs/ls"
        set idp-single-logout-url "https://adfs.abc.xyz/adfs/ls?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_5"
        set user-name "username"
        set group-name "Group"
        set digest-method sha1
    next
end
config system interface
    edit "vlan_20"
        set ike-saml-server "saml-adfs"
    next
end
config user group
    edit "ike-saml-auth"
        set member "saml-adfs"
    next
end
config vpn ipsec phase1-interface
    edit "saml_vpn"
        set type dynamic
        set interface "vlan_20"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal des-sha1 des-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "ike-saml-auth"
        set ipv4-start-ip 192.168.255.1
        set ipv4-end-ip 192.168.255.255
        set dns-mode auto
        set psksecret ENC xxxxxxxxxxxx
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "saml_vpn"
        set phase1name "saml_vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
config firewall policy
    edit 0
        set name "saml-vpn"
        set srcintf "saml_vpn"
        set dstintf "vlan_20"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
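Before moving on to the AD FS side, it is worth confirming that the idp-* values in the saml-adfs entry agree with what AD FS publishes in its federation metadata (the standard path is https://adfs.abc.xyz/FederationMetadata/2007-06/FederationMetadata.xml). The script below is an added example, not part of the original article or a Fortinet tool: it parses a constructed, trimmed FederationMetadata.xml and the idp-* lines of the entry above, then checks the entity ID, the SSO URL and whether the certificate imported as idp-cert matches one of the published token-signing certificates; the certificate bytes are a placeholder, not a real certificate.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample inputs (not from a live system): a trimmed ADFS FederationMetadata.xml and
# the idp-* lines of the article's 'config user saml' entry. The certificate bytes are a placeholder.
FAKE_SIGNING_CERT_DER = b"placeholder-der-bytes-not-a-real-certificate"
ADFS_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="http://adfs.abc.xyz/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_SIGNING_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="{REDIRECT}" Location="https://adfs.abc.xyz/adfs/ls/"/>
  <SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.abc.xyz/adfs/ls/"/>
 </IDPSSODescriptor></EntityDescriptor>"""
FGT_CLI = '''set idp-entity-id "http://adfs.abc.xyz/adfs/services/trust"
set idp-single-sign-on-url "https://adfs.abc.xyz/adfs/ls"
set idp-cert "REMOTE_Cert_5"'''

def parse_fortigate_saml(cli_text):
    """Collect the idp-* settings of a 'config user saml' entry, with CLI quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'^\s*set (idp-[\w-]+) (.+)$', cli_text, re.M)}

def parse_adfs_metadata(xml_text):
    """Extract entityID, HTTP-Redirect SSO endpoints and token-signing certificates (DER) from metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS) if e.get("Binding") == REDIRECT]
    certs = [base64.b64decode("".join(kd.find(".//ds:X509Certificate", NS).text.split()))
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") == "signing"]
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "signing_certs_der": certs}

def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, for comparison with the imported REMOTE certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def check_idp_settings(fgt, meta, imported_cert_der):
    """Return mismatches between the FortiGate idp-* settings and ADFS metadata; [] means they agree."""
    problems = []
    if fgt.get("idp-entity-id") != meta["entity_id"]:
        problems.append("idp-entity-id differs from metadata entityID")
    if (fgt.get("idp-single-sign-on-url") or "").rstrip("/") not in [u.rstrip("/") for u in meta["sso_urls"]]:
        problems.append("idp-single-sign-on-url is not an HTTP-Redirect SSO endpoint in metadata")
    if fingerprint(imported_cert_der) not in [fingerprint(c) for c in meta["signing_certs_der"]]:
        problems.append("imported idp-cert matches no ADFS token-signing certificate (check rollover)")
    return problems

if __name__ == "__main__":
    print(check_idp_settings(parse_fortigate_saml(FGT_CLI), parse_adfs_metadata(ADFS_METADATA), FAKE_SIGNING_CERT_DER))
```

AD FS lists both the primary and a pending secondary token-signing certificate during automatic rollover, so an empty result only says the imported certificate is one of them; re-run the check after a rollover, since the certificate imported into FortiGate is not updated automatically.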
Configuration on ADFS:
Open ADFS from Server Manager -> Tools -> AD FS Management and navigate to Relying Party Trusts. 'Right-click' on it and select Add Relying Party Trust.
In the Add Relying Party Trust Wizard, select Claims aware as shown in the below screenshot:
Under Select Data Source, choose Enter data about the relying party manually:
Under Configure Certificate, add the SP certificate used in the SAML configuration on FortiGate:
Under Configure URL, add SP’s single-sign-on-url:
Under Configure Identifiers, add SP’s entity-id URL.
In the end, select 'configure claims issuance policy for this application'.
Now, under the claims issuance policy, add the following rule:
'Right-click' on the newly added relying party and select properties.
Under the Endpoints tab, add the single-logout-url as shown below:
Under the Signature tab, add the SP certificate.
Under the Advanced tab, change the secure hash algorithm to SHA1.
Test ADFS SAML authentication:
Copyright 2025 Fortinet, Inc. All Rights Reserved.