This article describes how to configure Dial-up IPsec VPN with Microsoft Entra ID SAML authentication.
Applies to FortiGate v7.2.0 or later with FortiClient v7.2.4 or later.
FortiClient v7.2.4 or later supports SAML authentication for Dial-up IPsec VPN only with IKEv2, so the phase 1 below uses ike-version 2.
The steps below create a Dial-up IPsec VPN authenticated with Microsoft Entra ID (formerly known as Azure AD) SAML; the FortiGate side is configured from the CLI.
Set the TCP port on which the FortiGate serves the SAML login exchange to FortiClient. The client must be configured with the same port later; 9443 is the value used throughout this article:
config sys global
    set auth-ike-saml-port 9443
end
Select the certificate the FortiGate presents on that port. Fortinet_Factory is the built-in factory certificate and is not trusted by endpoints, so FortiClient will warn on every connection; for production, import a certificate issued by a CA your endpoints trust and reference it here instead:
config user setting
    set auth-cert "Fortinet_Factory"
end
Create the SAML server object that describes the FortiGate as the service provider (SP) and Entra ID as the identity provider (IdP). The SP values use the address and port FortiClient connects to (10.21.7.128 and 9443 here); the entity-id and single-sign-on-url must be entered verbatim as the Identifier (Entity ID) and Reply URL of the enterprise application in Entra ID. The idp-* values come from that application's federation metadata: replace the tenant ID 347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf with your own, and REMOTE_Cert_1 is the name the FortiGate assigned when the Entra ID signing certificate was imported as a remote certificate. user-name and group-name must match the claim names the application emits (username and group here). digest-method selects the SAML signature digest; SHA-1 is deprecated and sha256 is the better choice (Entra ID signs its responses with SHA-256 by default) unless interoperability requires otherwise:
config user saml
    edit "entra-id-saml"
        set cert "Fortinet_Factory"
        set entity-id http://10.21.7.128:9443/remote/saml/metadata/
        set single-sign-on-url https://10.21.7.128:9443/remote/saml/login
        set single-logout-url https://10.21.7.128:9443/remote/saml/logout
        set idp-entity-id https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/
        set idp-single-sign-on-url https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2
        set idp-single-logout-url https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
Bind the SAML server to the interface on which the dial-up tunnel terminates, so IKE on that interface can hand clients to it for authentication:
config system interface
    edit "port2"
        set ike-saml-server "entra-id-saml"
    next
end
Create a user group whose member is the SAML server; phase 1 authorizes users against this group:
config user group
    edit "ike-saml"
        set member "entra-id-saml"
    next
end
Create the dynamic (dial-up) IKEv2 phase 1. eap enable together with eap-identity send-request makes the FortiGate request the client's identity over EAP, authusrgrp restricts access to users who authenticated through the SAML group, and mode-cfg assigns client addresses from 10.1.1.1 to 10.1.1.254. Two values in this exported configuration deserve attention: the proposal list includes des-sha1 and des-sha256, and single DES is obsolete and should be removed unless a legacy client requires it; the psksecret is the encrypted value exported from the source device and should be replaced with your own pre-shared key:
config vpn ipsec phase1-interface
    edit "saml-vpn"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal des-sha1 des-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set authusrgrp "ike-saml"
        set ipv4-start-ip 10.1.1.1
        set ipv4-end-ip 10.1.1.254
        set dns-mode auto
        set psksecret ENC CmD7ySUqMXY6GCRYGsxQr7FQ8HY2H40+g0Ywimpcxlqgi4m7sYX4ws5d+eMM0YziovFdilnwJP/k5bM/Tdcomj4d2u/umne03oq71aekERi4xOUcJk+yh1KKgmgoA2ek9EX8L6egnByAFqynQIIzufV0bwKz+1DiXl+T3A3MiZ+cA7ePRL5WeAgUXP4wfEx+4FEoKQ==
        set dpd-retryinterval 60
    next
end
On the client machine, configure an IPsec VPN tunnel in FortiClient with SSO for the VPN tunnel enabled, and customize the SAML port to the value set with auth-ike-saml-port (9443 in this example).
If the certificate selected with auth-cert is not trusted by the client (as with Fortinet_Factory), FortiClient shows a certificate warning when connecting. Users should not be trained to accept it; use a certificate issued by a CA the endpoints trust.
Users can now log in using Entra ID SAML to the Dial-up IPsec VPN.
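As an added worked example (not part of the Fortinet article), the following Python script shows where the idp-* values in the SAML object come from and how they line up with the SP side: it parses an IdP federation metadata document into the entity ID, the HTTP-Redirect SSO and SLO locations and the signing certificate (wrapped into the PEM form the FortiGate imports as a remote certificate), and renders the matching config user saml block together with the SP URLs that must be entered identically in the Entra ID enterprise application. The metadata is a constructed, trimmed sample with a placeholder certificate body; the address 10.21.7.128, port 9443, tenant ID and object names are the ones used in this article, the function names are my own, and the rendered block uses digest-method sha256 rather than the article's sha1.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, trimmed sample of the federation metadata Entra ID publishes per tenant at
# https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml
# The certificate body is a placeholder string, not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        MIIC8DCCAdigAwIBAgIQPLACEHOLDERNOTAREALCERTIFICATEBODY0123456789ABCDEFGHIJKLMNOP
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(b64_der: str) -> str:
    """Wrap bare base64 DER from metadata into the PEM form FortiGate imports as a Remote Certificate."""
    body = "".join(b64_der.split())  # drop the whitespace the XML layout adds
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the idp-* values FortiGate needs from an IdP's SAML metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(service: str) -> str:
        # FortiGate sends its AuthnRequest over HTTP-Redirect; prefer that binding, else take any.
        nodes = idp.findall(f"md:{service}", NS)
        for n in nodes:
            if n.get("Binding") == REDIRECT:
                return n.get("Location")
        if nodes:
            return nodes[0].get("Location")
        raise ValueError(f"metadata has no {service}")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        certs += [to_pem(c.text) for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata has no signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": location("SingleSignOnService"),
            "slo_url": location("SingleLogoutService"), "signing_certs": certs}


def sp_urls(sp_host: str, sp_port: int) -> dict:
    """SP identifiers derived from the address FortiClient reaches the FortiGate on.
    These exact strings go into the FortiGate SAML object AND into the Entra ID enterprise
    application's Basic SAML Configuration (Identifier, Reply URL, Logout URL); a mismatch breaks login."""
    base = f"{sp_host}:{sp_port}/remote/saml"
    return {"entity_id": f"http://{base}/metadata/",
            "sso_url": f"https://{base}/login",
            "slo_url": f"https://{base}/logout"}


def render_fortigate_saml(name, sp_host, sp_port, idp, sp_cert, idp_cert_name) -> str:
    """Render the 'config user saml' block for the parsed IdP values and the derived SP URLs."""
    sp = sp_urls(sp_host, sp_port)
    return "\n".join([
        "config user saml",
        f'    edit "{name}"',
        f'        set cert "{sp_cert}"',
        f"        set entity-id {sp['entity_id']}",
        f"        set single-sign-on-url {sp['sso_url']}",
        f"        set single-logout-url {sp['slo_url']}",
        f"        set idp-entity-id {idp['entity_id']}",
        f"        set idp-single-sign-on-url {idp['sso_url']}",
        f"        set idp-single-logout-url {idp['slo_url']}",
        f'        set idp-cert "{idp_cert_name}"',  # name given to the imported Remote Certificate
        '        set user-name "username"',          # claim names must match the Entra ID app
        '        set group-name "group"',
        "        set digest-method sha256",          # Entra ID signs with SHA-256 by default
        "    next",
        "end",
    ])


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print(render_fortigate_saml("entra-id-saml", "10.21.7.128", 9443, idp, "Fortinet_Factory", "REMOTE_Cert_1"))
    print("Signing certificate(s) to import on the FortiGate as Remote Certificates:\n" + "".join(idp["signing_certs"]))
```

Entra ID publishes more than one signing certificate while a key is being rotated, so the script returns a list; import each one, and re-check the metadata when users start failing with signature errors. Feeding the script metadata without a signing KeyDescriptor raises rather than emitting a half-configured block.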
Copyright 2024 Fortinet, Inc. All Rights Reserved.