mkirollos
Staff
Article Id 217433
Description: This article describes how to configure SSL VPN tunnel and web mode on FortiGate using Cisco DUO as the SAML IdP.
Scope: FortiGate
Solution

Cisco DUO Configuration:

  1. Verify that DUO has a successful connection to an authentication server, for example, an Active Directory, as below:

[Screenshots omitted]

  • Configure the 'Transport type' as required:

[Screenshot omitted]

  • Once the configuration is completed, select 'Run Test' to verify that the connection to Active Directory is successful, as shown below:

[Screenshot omitted]

  2. Navigate to 'Applications', choose 'Generic SAML Service Provider', then select 'Protect':

[Screenshot omitted]

  3. After selecting 'Protect', a new page displays the IdP metadata, the certificate fingerprints, and the certificate. This certificate is the IdP certificate, which must be imported into the FortiGate SAML configuration.

  • Either download the SAML Metadata and import it in the FortiGate GUI (v7.0.2 and above), or copy and paste each URL when configuring the FortiGate via CLI (v7.0.1 and below).
  • Download the certificate (the IdP certificate); it must be imported into the FortiGate SAML configuration.

[Screenshots omitted]

  • Paste the Service Provider URLs obtained from FortiGate configuration step 2 into DUO, as below. Note that the Assertion Consumer Service (ACS) URL is the same as the Service Provider Login URL.
  • 'Signature algorithm' and 'Map attributes' must match the configuration applied to FortiGate in FortiGate configuration section, step 2. (The SAML attributes must be configured because the FortiGate looks for these attributes to verify authentication attempts.)
  • Save the configuration.

 

FortiGate Configuration:

  1. Import the IdP certificate: go to System -> Certificates -> Import -> Remote Certificate and upload the certificate downloaded from DUO in step 3. Once uploaded, the certificate is displayed in the FortiGate certificate store as 'REMOTE_Cert_1'.
  2. Configure SAML using the following set of commands. In this step, configure the following:
  • Set the certificate to the built-in Fortinet_Factory certificate.
  • Paste the metadata URLs from the DUO configuration, step 3, into the respective idp-* fields.
  • Select REMOTE_Cert_1 as the idp-cert; this is the certificate imported in the FortiGate configuration section, step 1.
  • Configure 'user-name' and 'group-name' to match the DUO configuration section, step 3.
  • Configure the digest-method to match the 'Signature algorithm' of the DUO configuration section, step 3.

 

config user saml
    edit "saml_test"
        set cert "Fortinet_Factory"
        set entity-id "https://<IP-or-FQDN:443>/remote/saml/metadata/"
        set single-sign-on-url "https://<IP-or-FQDN:443>/remote/saml/login/"
        set single-logout-url "https://<IP-or-FQDN:443>/remote/saml/logout/"
        set idp-entity-id "<DUO-Entity-ID-URL>"
        set idp-single-sign-on-url "<DUO-Single-Sign-On-URL>"
        set idp-single-logout-url "<DUO-Single-Log-Out-URL>"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "Group"
        set digest-method sha1
    next
end
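For FortiOS 7.0.1 and below, where the metadata is not imported in the GUI and each URL is pasted by hand, the following added Python script (not Fortinet or Duo code) parses the IdP metadata XML downloaded from DUO and renders the 'config user saml' block above, and it also computes the SHA-256 fingerprint of the signing certificate so it can be compared with the fingerprint DUO displays before that certificate is trusted. The metadata, the 'sso-example.duosecurity.example' host, the 'vpn.example.test' FortiGate name and the certificate blob are constructed placeholders.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata: host, paths and the "certificate" blob are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 entityID="https://sso-example.duosecurity.example/saml2/sp/EXAMPLE/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://sso-example.duosecurity.example/saml2/sp/EXAMPLE/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://sso-example.duosecurity.example/saml2/sp/EXAMPLE/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull entity ID, SSO/SLO URLs and the signing cert's SHA-256 fingerprint from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    der = base64.b64decode(idp.find(".//ds:X509Certificate", NS).text.strip())
    fp = hashlib.sha256(der).hexdigest().upper()  # compare with the fingerprint DUO displays
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "slo_url": slo.get("Location") if slo is not None else "",
            "cert_sha256": ":".join(fp[i:i + 2] for i in range(0, 64, 2))}

def fortios_saml_config(name, sp_host, idp, idp_cert, user_attr, group_attr, digest):
    """Render 'config user saml'; sp_host is the FortiGate <IP-or-FQDN:port> used in the SP URLs."""
    for url in (idp["entity_id"], idp["sso_url"], idp["slo_url"]):
        if url and not url.startswith("https://"):  # never trust a plaintext IdP endpoint
            raise ValueError(f"refusing non-HTTPS IdP endpoint: {url}")
    sp = f"https://{sp_host}/remote/saml"
    body = [f'edit "{name}"', 'set cert "Fortinet_Factory"',
            f'set entity-id "{sp}/metadata/"', f'set single-sign-on-url "{sp}/login/"',
            f'set single-logout-url "{sp}/logout/"', f'set idp-entity-id "{idp["entity_id"]}"',
            f'set idp-single-sign-on-url "{idp["sso_url"]}"',
            f'set idp-single-logout-url "{idp["slo_url"]}"', f'set idp-cert "{idp_cert}"',
            f'set user-name "{user_attr}"', f'set group-name "{group_attr}"',
            f"set digest-method {digest}"]
    # FortiOS layout: 'edit' indented 4 spaces, 'set' lines 8, closed by next/end
    return "\n".join(["config user saml", "    " + body[0]]
                     + ["        " + s for s in body[1:]] + ["    next", "end"])
```

Pass the real downloaded metadata to parse_idp_metadata(), check cert_sha256 against the DUO page, then paste the string returned by fortios_saml_config() into the CLI with the digest set to DUO's 'Signature algorithm'.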

 

Optional:

To retrieve AD groups, use the memberOf attribute instead of Groups. This attribute returns the bind DN of the groups.

config user saml
    edit "saml_test"
        set group-name "memberOf"
    next
end

 

Note:

When mapping any specific group, remember that Cisco DUO only takes the 'Fortinet Group Name', not the Duo group name or the AD group name. The snippet below is from Cisco DUO:

[Screenshots omitted]

The specific option on the FortiGate should be mapped to 'example_group' and not 'duo_group'.

 

 

  3. Configure a user group and add 'saml_test' as a remote group member.

From the FortiGate GUI:

  • Go to User & Authentication -> User Groups -> Create New.
  • Enter a name, for example 'saml_grp', set Type to 'Firewall', add 'saml_test' in the Remote Groups section, then select 'OK'.

From the FortiGate CLI:

config user group
    edit "saml_grp"
        set member "saml_test"
    next
end

 

  4. Add the SAML user group to the SSL VPN settings, mapped to the desired portal:
  • Go to VPN -> SSL-VPN Settings.
  • In the 'Authentication/Portal Mapping' table, select 'Create New'.
  • For 'Users/Groups', click '+' and select 'saml_grp'.
  • Select the portal (here 'testportal1'), which can have both tunnel and web modes enabled.
  5. Configure the firewall policy:
  • Go to Policy & Objects -> Firewall Policy and select 'Create New'.
  • Enter the following, using the configured portx as the required outgoing interface:

Incoming Interface: ssl.root
Outgoing Interface: portx
Source: all, saml_grp

  • Configure the other settings as needed.
  • Select 'OK'.
  6. Test the connection using either the FortiClient SSL VPN tunnel or the SSL VPN web portal. In both cases, the FortiGate should redirect to the DUO SAML portal for authentication.

 

Troubleshooting

Refer to the below set of commands for troubleshooting:

diagnose debug app sslvpn -1
diagnose debug app saml -1
diagnose debug app fnbamd -1
diagnose debug enable

 

Related documents:

Configuring SAML SSO in the GUI 7.0.2

Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP