Description
This article describes how to configure SSL VPN tunnel and web mode on FortiGate using Cisco DUO as the SAML IdP.
Scope
FortiGate
Solution
Cisco DUO Configuration
1) Verify that DUO has a successful connection to an authentication server, for example an Active Directory domain:
   a. Configure the 'Transport type' as required.
   b. Once the configuration is complete, click 'Run Test' to verify that the connection to Active Directory is successful.
2) Navigate to 'Applications' and choose 'Generic SAML Service Provider', then click 'Protect':
3) After clicking 'Protect', a new page displays the IdP metadata, the certificate fingerprints and the certificate. This certificate is the IdP certificate and must be imported into the FortiGate SAML configuration.
   a. Either download the SAML metadata and import it through the FortiGate GUI (FortiOS 7.0.2 and above), or copy each URL and paste it into the CLI configuration (FortiOS 7.0.1 and below). In both cases, download the certificate (the IdP certificate) so that it can be imported into the FortiGate SAML configuration.
   b. Paste the Service Provider URLs obtained from FortiGate configuration step 2 into DUO.
      Note that the Assertion Consumer Service (ACS) URL is the same as the Service Provider Login URL.
   c. 'Signature algorithm' and 'Map attributes' must match the values configured on the FortiGate (FortiGate configuration section, steps 2 d and 2 e).
   d. Save the configuration.
FortiGate Configuration
1) Import the IdP certificate on the FortiGate: System -> Certificates -> Import -> Remote Certificate, and upload the certificate downloaded from DUO in step 3 a.
Once uploaded, the certificate is listed in the FortiGate certificate store as 'REMOTE_Cert_1'.
2) Configure SAML using the commands below. In this step, configure the following:
   a. Set the certificate to the built-in Fortinet_Factory certificate.
   b. Paste the IdP entity ID, single sign-on and single logout URLs from the DUO metadata (DUO configuration section, step 3 a) into the corresponding idp-* settings.
   c. Select 'REMOTE_Cert_1', imported in FortiGate configuration step 1, as the idp-cert.
   d. Configure 'user-name' and 'group-name' to match the attribute names mapped in DUO configuration section step 3 c.
   e. Configure the digest-method to match the signature algorithm selected in DUO configuration section step 3 c.
# config user saml
    edit "saml_test"
        set cert "Fortinet_Factory"
        set entity-id "https://<IP-or-FQDN:443>/remote/saml/metadata/"
        set single-sign-on-url "https://<IP-or-FQDN:443>/remote/saml/login/"
        set single-logout-url "https://<IP-or-FQDN:443>/remote/saml/logout/"
        set idp-entity-id "<DUO-Entity-ID-URL>"
        set idp-single-sign-on-url "<DUO-Single-Sign-On-URL>"
        set idp-single-logout-url "<DUO-Single-Log-Out-URL>"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "Group"
        set digest-method sha1
    next
end
(Optional) To retrieve AD groups, use the memberOf attribute instead of Groups:
# config user saml
    edit "saml_test"
        set group-name "memberOf"
    next
end
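The following Python script is an added example, not Fortinet or Duo code, that ties DUO configuration step 3 a to FortiGate configuration step 2. It parses a constructed IdP metadata document in the standard SAML 2.0 metadata layout to extract the IdP entity ID, the single sign-on and single logout URLs and the SHA-256 fingerprint of the signing certificate (to compare against the fingerprint DUO displays before trusting the certificate), derives the FortiGate SP URLs (the ACS URL being the SP login URL), renders the 'config user saml' block with those values, and shows which values the 'group-name' setting selects from a constructed assertion, including the memberOf case. All hostnames, IDs, the certificate bytes and the assertion attributes are placeholders constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the IdP certificate bytes: not a real X.509 certificate.
CONSTRUCTED_CERT_B64 = base64.b64encode(b"constructed, not a real certificate").decode()

# Constructed IdP metadata in the standard SAML 2.0 layout; hostnames and IDs are placeholders.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp-PLACEHOLDER.example.test/saml2/sp/DIPLACEHOLDER/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CONSTRUCTED_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}" Location="https://idp-PLACEHOLDER.example.test/saml2/sp/DIPLACEHOLDER/slo"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp-PLACEHOLDER.example.test/saml2/sp/DIPLACEHOLDER/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AttributeStatement as an IdP might send after login; the attribute
# names are the ones this article maps ('Username', 'Group', 'memberOf').
SAMPLE_ASSERTION_ATTRS = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Group"><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>CN=VPN Users,OU=Groups,DC=example,DC=test</saml:AttributeValue>
    <saml:AttributeValue>CN=Staff,OU=Groups,DC=example,DC=test</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>"""


def _location(idp, tag):
    # Prefer the HTTP-POST binding, which is what the FortiGate SSL VPN portal uses.
    services = idp.findall(f"md:{tag}", NS)
    for svc in services:
        if svc.get("Binding") == HTTP_POST:
            return svc.get("Location")
    return services[0].get("Location") if services else None


def parse_idp_metadata(xml_text):
    """Extract the three idp-* values FortiOS needs plus the signing cert fingerprint."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert_b64 = idp.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return {
        "idp-entity-id": root.get("entityID"),
        "idp-single-sign-on-url": _location(idp, "SingleSignOnService"),
        "idp-single-logout-url": _location(idp, "SingleLogoutService"),
        "sha256-fingerprint": ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)),
    }


def sp_urls(host):
    """FortiGate (SP) URLs from the article; the ACS URL is the SP login URL."""
    base = f"https://{host}/remote/saml"
    return {"entity-id": f"{base}/metadata/", "single-sign-on-url": f"{base}/login/", "single-logout-url": f"{base}/logout/"}


def render_fortios_saml(name, host, idp, digest, idp_cert="REMOTE_Cert_1",
                        user_attr="Username", group_attr="Group"):
    """Emit the 'config user saml' block from step 2 with the values filled in."""
    if digest not in ("sha1", "sha256"):  # the two digest-method values FortiOS accepts
        raise ValueError("digest-method must be sha1 or sha256 and match DUO's signature algorithm")
    sp = sp_urls(host)
    return "\n".join([
        "config user saml",
        f'    edit "{name}"',
        '        set cert "Fortinet_Factory"',
        f'        set entity-id "{sp["entity-id"]}"',
        f'        set single-sign-on-url "{sp["single-sign-on-url"]}"',
        f'        set single-logout-url "{sp["single-logout-url"]}"',
        f'        set idp-entity-id "{idp["idp-entity-id"]}"',
        f'        set idp-single-sign-on-url "{idp["idp-single-sign-on-url"]}"',
        f'        set idp-single-logout-url "{idp["idp-single-logout-url"]}"',
        f'        set idp-cert "{idp_cert}"',
        f'        set user-name "{user_attr}"',
        f'        set group-name "{group_attr}"',
        f"        set digest-method {digest}",
        "    next",
        "end",
    ])


def attribute_values(statement_xml, name):
    """Values of the attribute whose Name matches exactly; this is what group-name selects."""
    root = ET.fromstring(statement_xml)
    return [(v.text or "").strip()
            for attr in root.findall("saml:Attribute", NS) if attr.get("Name") == name
            for v in attr.findall("saml:AttributeValue", NS)]


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP signing cert SHA-256:", parsed["sha256-fingerprint"])
    print(render_fortios_saml("saml_test", "vpn.example.test:443", parsed, "sha256"))
    print("group-name Group    ->", attribute_values(SAMPLE_ASSERTION_ATTRS, "Group"))
    print("group-name memberOf ->", attribute_values(SAMPLE_ASSERTION_ATTRS, "memberOf"))
```

Two points the script makes visible: the attribute name in 'group-name' is compared as-is against the names in the assertion, so a request for 'Groups' returns nothing when DUO sends 'memberOf' (which is why the optional step above switches the name); and the digest-method only has two valid values, so a mismatch with DUO's signature algorithm is caught before the configuration is applied rather than at the first failed login.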
3) Configure a user group and add 'saml_test' as a remote group member.
- From FortiGate GUI:
- From FortiGate CLI:
# config user group
    edit "saml_grp"
        set member "saml_test"
    next
end
4) Add the SAML user group to the SSL VPN settings, mapped to the desired portal.
6) Test the connection with either the FortiClient SSL VPN tunnel or the SSL VPN web portal. In both tunnel and web mode, the login should redirect to the DUO SAML portal for authentication.
Troubleshooting
Refer to the commands below for troubleshooting. Enable them before starting a test login, and run 'diagnose debug disable' and 'diagnose debug reset' once the output has been collected:
# diagnose debug application sslvpn -1
# diagnose debug application saml -1
# diagnose debug application fnbamd -1
# diagnose debug enable
Copyright 2025 Fortinet, Inc. All Rights Reserved.