Description
This article describes how to implement SAML authentication for a firewall policy whose destination address is a virtual IP (VIP).
Scope
FortiGate.
Solution
1) Configure the virtual IP:
# config firewall vip
    edit "saml-vip"
        set extip 10.9.14.145
        set mappedip "10.16.10.2"
        set extintf "any"
    next
end
2) Configure the FortiGate as the SAML service provider (SP) under a SAML user. The entity-id and the single-sign-on/single-logout URLs are the SP values the IdP must be given; the idp-* values come from the IdP, and idp-cert is the IdP signing certificate already imported as a remote certificate:
# config user saml
    edit "SAMLSP"
        set entity-id "https://10.9.14.145:1000/saml/metadata"
        set single-sign-on-url "https://10.9.14.145:1003/saml/login"
        set single-logout-url "https://10.9.14.145:1003/saml/logout"
        set idp-entity-id "http://10.10.10.10/saml-idp/aaaaaaaa/metadata/"
        set idp-single-sign-on-url "https://10.10.10.10/saml-idp/aaaaaaaa/login/"
        set idp-single-logout-url "https://10.10.10.10/saml-idp/aaaaaaaa/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "group"
        set digest-method sha1
    next
end
The digest-method must match what the IdP signs with; sha1 is shown here, and sha256 is preferable whenever the IdP supports it.
3) Add the SAML user to a user group. Optionally, group matching can be configured on the group so that only users whose SAML group attribute (set by group-name above) carries the expected value are accepted:
# config user group
    edit "VIPgrp"
        set member "SAMLSP"
    next
end
4) Add the SAML user group to the firewall policy whose destination is the VIP (edit 0 creates a new policy):
# config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "saml-vip"
        set schedule "always"
        set service "ALL"
        set groups "VIPgrp"
        set auth-redirect-addr "10.9.14.143"
    next
end
5) Configure the IdP with the SP values from step 2 (entity ID, single sign-on URL and single logout URL) so that it accepts authentication requests from this FortiGate.
To authenticate a user against a firewall policy, FortiGate must redirect the user's first request to its authentication portal. The default authentication portal is not bound to a VIP address, so a policy whose destination is a VIP never triggers the SAML redirect on its own. The workaround is to set auth-redirect-addr in the firewall policy to the IP address of the policy's source interface; the redirect then lands on an address where the portal does answer, and SAML authentication is triggered for the VIP policy. In this example auth-redirect-addr is the port2 interface address, 10.9.14.143. Clients must be able to reach that address on the portal port used by the SP single-sign-on-url (1003 here), and because it is an IP address rather than a name covered by the portal certificate, browsers will show a certificate warning unless the portal certificate is issued for it.
Once the above settings are configured, browse to the VIP external IP address. The browser should be redirected to the IdP login page.
Confirm on the FortiGate CLI that the user has been authenticated; the output lists the client IP address and the SAML user name, for example:
172.25.181.93, fortinet