Description
This article describes how to implement SAML authentication for a firewall policy whose destination address is a virtual IP (VIP).
Scope
FortiGate.
Solution
1) Configure the virtual IP:
# config firewall vip
    edit "saml-vip"
        set extip 10.9.14.145
        set mappedip "10.16.10.2"
        set extintf "any"
    next
end
2) Configure the FortiGate SP as a SAML user. idp-cert references the IdP signing certificate already imported as a remote certificate; user-name and group-name are the names of the assertion attributes that carry the user name and the group membership:
# config user saml
    edit "SAMLSP"
        set entity-id "https://10.9.14.145:1000/saml/metadata"
        set single-sign-on-url "https://10.9.14.145:1003/saml/login"
        set single-logout-url "https://10.9.14.145:1003/saml/logout"
        set idp-entity-id "http://10.10.10.10/saml-idp/aaaaaaaa/metadata/"
        set idp-single-sign-on-url "https://10.10.10.10/saml-idp/aaaaaaaa/login/"
        set idp-single-logout-url "https://10.10.10.10/saml-idp/aaaaaaaa/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "group"
        set digest-method sha1
    next
end
The example keeps digest-method sha1 as configured in the lab; SHA-1 signatures are deprecated, so use sha256 whenever the IdP supports it.
3) Add the SAML server to a user group. Optionally, group matching can be configured under the user group (a match entry with server-name set to the SAML server and group-name set to the group value the IdP sends in the attribute named by group-name in step 2), so that only members of that IdP group are matched by the policy:
# config user group
    edit "VIPgrp"
        set member "SAMLSP"
    next
end
4) Add the SAML user group to a firewall policy whose destination is the VIP, and set auth-redirect-addr to the IP address of the policy's source interface (here 10.9.14.143 on port2):
# config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "saml-vip"
        set schedule "always"
        set service "ALL"
        set groups "VIPgrp"
        set auth-redirect-addr "10.9.14.143"
    next
end
5) Configure the IdP as needed, registering the SP entity ID, single sign-on (assertion consumer) URL and single logout URL shown in step 2.
To support SAML authentication in a firewall policy, FortiGate must redirect the client's request to an authentication portal. The default authentication portal cannot be applied to a VIP, so SAML authentication is not triggered for a VIP policy on its own. The solution is to set auth-redirect-addr in the firewall policy to the IP address of the policy's source interface (srcintf); the redirect then reaches the portal and SAML authentication is triggered for the VIP policy. In this example auth-redirect-addr is 10.9.14.143, the IP address of port2.
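As an added example (not FortiGate code and not part of the original article), the following Python script builds the SAML 2.0 AuthnRequest that the browser carries from the FortiGate SP to the IdP under the HTTP-Redirect binding, using the entity ID, single-sign-on URL and IdP SSO URL from step 2, and decodes such a request to check that its issuer, destination and assertion consumer URL match the SP configuration. FortiGate's own first hop, the HTTP redirect from the VIP policy to auth-redirect-addr, is not modelled; the RelayState value, the HTTP-POST protocol binding and the request ID format are assumptions.

```python
"""SAML 2.0 HTTP-Redirect binding for the FortiGate SP described above.

Added example, not FortiGate code: builds the AuthnRequest the browser
carries to the IdP after the auth-portal redirect, and decodes such a
request to confirm it was issued by the configured SP.
"""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

# Identifiers taken from the 'config user saml' block in step 2.
SP_ENTITY_ID = "https://10.9.14.145:1000/saml/metadata"
SP_ACS_URL = "https://10.9.14.145:1003/saml/login"          # single-sign-on-url
IDP_SSO_URL = "https://10.10.10.10/saml-idp/aaaaaaaa/login/"  # idp-single-sign-on-url

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  # assumed ACS binding


def build_authn_request(request_id=None, issue_instant=None):
    """Return the AuthnRequest XML an SP with the configuration above would send."""
    request_id = request_id or "_" + secrets.token_hex(16)  # assumed ID format
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect(url):
    """Reverse the binding and return the fields an IdP checks before responding."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(deflated, -15))
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def request_matches_sp(fields):
    """True only if every identifier matches the FortiGate SP configuration."""
    return (fields["issuer"] == SP_ENTITY_ID
            and fields["destination"] == IDP_SSO_URL
            and fields["acs_url"] == SP_ACS_URL)


if __name__ == "__main__":
    # RelayState carries the VIP URL the client originally asked for (assumed).
    url = encode_redirect(build_authn_request(), relay_state="http://10.9.14.145/")
    print(url)
    print(request_matches_sp(decode_redirect(url)))
```

The request is unsigned, which is what the Redirect binding carries unless SigAlg and Signature parameters are added; the IdP therefore relies on the Issuer and AssertionConsumerServiceURL matching its registered SP metadata, which is why the entity ID and single-sign-on URL configured on the FortiGate must match exactly what is registered on the IdP in step 5.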
Once the above settings are configured, open the VIP external IP address (10.9.14.145) in a web browser. The browser should be redirected to the IdP and prompted to authenticate.
Use the command below to confirm whether the user is authenticated; its output lists the client IP address and the authenticated user name:
172.25.181.93, fortinet
Copyright 2023 Fortinet, Inc. All Rights Reserved.