syadav, Staff
Article Id 307457
Description

This article describes how to configure a Dial-up IPsec VPN with Microsoft Entra ID SAML authentication.

Scope

FortiGate v7.2.0 or later and FortiClient v7.2.4 or later.

Solution

FortiClient v7.2.4 or later supports SAML with Dial-up IPsec VPN only when IKEv2 is used.

The steps below show how to create a Dial-up IPsec VPN with Microsoft Entra ID (formerly known as Azure AD) SAML authentication.

  1. Configure auth-ike-saml-port under system global on the FortiGate as shown below:

config sys global
    set auth-ike-saml-port 9443
end

  2. Configure the VPN certificate under user setting:

config user setting
    set auth-cert "Fortinet_Factory"
end

  3. Configure SAML on the FortiGate and use the custom port from Step 1 in the address field:

[Screenshot: syadav_0-1711755324901.png]

  4. Create an Enterprise application in Microsoft Entra ID. Follow the guide below to create this enterprise application: Configuring SAML SSO login for FortiGate ... - Fortinet Community
  5. The Service Provider configuration from Step 3 should be populated in the SAML application in Azure as shown in the screenshots below:

[Screenshot: syadav_1-1711755324903.png]

[Screenshot: syadav_2-1711755324906.png]

[Screenshot: syadav_3-1711755324906.png]

  6. The Identity Provider configuration from Azure should be populated in the SAML configuration on the FortiGate as shown below:

[Screenshot: syadav_4-1711755324908.png]

[Screenshot: syadav_5-1711755324909.png]

  7. The resulting SAML configuration on the FortiGate should look like this:

config user saml
    edit "entra-id-saml"
        set cert "Fortinet_Factory"
        set entity-id http://10.21.7.128:9443/remote/saml/metadata/
        set single-sign-on-url https://10.21.7.128:9443/remote/saml/login
        set single-logout-url https://10.21.7.128:9443/remote/saml/logout
        set idp-entity-id https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/
        set idp-single-sign-on-url https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2
        set idp-single-logout-url https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

  8. Configure ike-saml-server under the listening interface:

config system interface
    edit "port2"
        set ike-saml-server "entra-id-saml"
    next
end

  9. Configure a user group with the SAML server as its member:

config user group
    edit "ike-saml"
        set member "entra-id-saml"
    next
end

  10. Configure the Dial-up IPsec VPN:

config vpn ipsec phase1-interface
    edit "saml-vpn"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal des-sha1 des-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set authusrgrp "ike-saml"
        set ipv4-start-ip 10.1.1.1
        set ipv4-end-ip 10.1.1.254
        set dns-mode auto
        set psksecret ENC CmD7ySUqMXY6GCRYGsxQr7FQ8HY2H40+g0Ywimpcxlqgi4m7sYX4ws5d+eMM0YziovFdilnwJP/k5bM/Tdcomj4d2u/umne03oq71aekERi4xOUcJk+yh1KKgmgoA2ek9EX8L6egnByAFqynQIIzufV0bwKz+1DiXl+T3A3MiZ+cA7ePRL5WeAgUXP4wfEx+4FEoKQ==
        set dpd-retryinterval 60
    next
end
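As an added consistency check (example code, not Fortinet's or the article's own), the Python below parses the CLI blocks from Steps 1 to 10 with a minimal FortiOS config parser and verifies the cross-references the setup relies on: that the Service Provider URLs under config user saml carry the auth-ike-saml-port from Step 1, that the IdP URLs point at one Entra tenant and an idp-cert is set, that the phase1 uses ike-version 2 with eap enabled, and that authusrgrp and the listening interface's ike-saml-server both resolve to the SAML server. The embedded sample configuration is constructed: 192.0.2.10 and the all-zero tenant ID are placeholders, and the object names follow the article. Pasting the FortiGate's own show output into check_config() runs the same checks against a real configuration.

```python
"""Cross-reference checks for a FortiGate dial-up IPsec + Entra ID SAML setup.
Added example, not Fortinet code: a minimal parser for FortiOS CLI blocks
(config/edit/set/next/end) plus the consistency checks the article's steps rely on.
The sample below is constructed; the IP and the tenant ID are placeholders."""
import re
import shlex
from urllib.parse import urlparse

SAMPLE_CONFIG = """
config sys global
    set auth-ike-saml-port 9443
end
config user saml
    edit "entra-id-saml"
        set entity-id http://192.0.2.10:9443/remote/saml/metadata/
        set single-sign-on-url https://192.0.2.10:9443/remote/saml/login
        set single-logout-url https://192.0.2.10:9443/remote/saml/logout
        set idp-entity-id https://sts.windows.net/00000000-0000-0000-0000-000000000000/
        set idp-single-sign-on-url https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2
        set idp-cert "REMOTE_Cert_1"
    next
end
config system interface
    edit "port2"
        set ike-saml-server "entra-id-saml"
    next
end
config user group
    edit "ike-saml"
        set member "entra-id-saml"
    next
end
config vpn ipsec phase1-interface
    edit "saml-vpn"
        set interface "port2"
        set ike-version 2
        set eap enable
        set authusrgrp "ike-saml"
    next
end
"""

def parse_fortios(text):
    """Return {table path: {entry name (None for global tables): {key: [values]}}}."""
    tables, path, entry = {}, None, None
    for words in filter(None, map(shlex.split, text.splitlines())):  # skip blank lines
        cmd, args = words[0], words[1:]
        if cmd == "config":
            # "sys" is an accepted CLI abbreviation of "system"
            path = " ".join("system" if a == "sys" else a for a in args)
            entry = None
            tables.setdefault(path, {})
        elif cmd == "edit" and path:
            entry = args[0]
            tables[path].setdefault(entry, {})
        elif cmd == "set" and path:
            tables[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            path, entry = None, None
    return tables

def _port_of(url):
    p = urlparse(url)
    return p.port or (443 if p.scheme == "https" else 80)

def _tenant_of(url):
    m = re.search(r"/([0-9a-f-]{36})/", url)
    return m.group(1) if m else None

def check_config(text):
    """Return a list of findings; an empty list means the references line up."""
    cfg, findings = parse_fortios(text), []
    port = cfg.get("system global", {}).get(None, {}).get("auth-ike-saml-port", [None])[0]
    if port is None:
        findings.append("system global: auth-ike-saml-port is not set")
    saml = cfg.get("user saml", {})
    for name, s in saml.items():
        # SP URLs must carry the custom port FortiClient is told to use (step 1)
        for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
            if port and str(_port_of(s.get(key, [""])[0])) != port:
                findings.append(f"user saml {name}: {key} does not use port {port}")
        tenants = {_tenant_of(s.get(k, [""])[0]) for k in ("idp-entity-id", "idp-single-sign-on-url")}
        if len(tenants) != 1 or None in tenants:
            findings.append(f"user saml {name}: IdP URLs do not share one Entra tenant ID")
        if not s.get("idp-cert"):
            findings.append(f"user saml {name}: idp-cert missing, IdP signatures cannot be verified")
    ifaces, groups = cfg.get("system interface", {}), cfg.get("user group", {})
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("eap", ["disable"])[0] != "enable":
            continue  # not an EAP/SAML tunnel
        if p1.get("ike-version", ["1"])[0] != "2":  # omitted means IKEv1 (FortiOS default)
            findings.append(f"phase1 {name}: SAML with FortiClient requires ike-version 2")
        grp = p1.get("authusrgrp", [None])[0]
        if not any(m in saml for m in groups.get(grp, {}).get("member", [])):
            findings.append(f"phase1 {name}: authusrgrp '{grp}' has no SAML server member")
        iface = p1.get("interface", [None])[0]
        if ifaces.get(iface, {}).get("ike-saml-server", [None])[0] not in saml:
            findings.append(f"phase1 {name}: interface '{iface}' has no ike-saml-server bound")
    return findings
```

The checks only confirm that the FortiGate objects refer to each other correctly and that the ports and tenant IDs are consistent on the FortiGate side; whether the Identifier and Reply URL entered in the Entra ID application match the Service Provider values from Step 3 still has to be compared by hand against the screenshots in Step 5.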

On the client machine, configure the IPsec VPN with SSO for VPN tunnel enabled and set the port to the custom port from Step 1:

[Screenshot: syadav_6-1711755324910.png]

If an untrusted certificate is used in Step 2, FortiClient will show this warning:

[Screenshot: syadav_7-1711755324911.png]

[Screenshot: syadav_8-1711755324912.png]

[Screenshot: syadav_9-1711755324913.png]

Users can now log in using Entra ID SAML to the Dial-up IPsec VPN.
