This article describes how to configure SAML authentication on a firewall policy whose destination address is a virtual IP (VIP). In this example the VIP is named saml-vip, the SAML service-provider user object is SAMLSP and the user group is VIPgrp.
1) Configure the virtual IP. The object name (saml-vip) is the one referenced later in the firewall policy:
# config firewall vip
    edit "saml-vip"
        set extip 10.9.14.145
        set mappedip "10.16.10.2"
        set extintf "any"
    next
end
2) Configure the FortiGate as the SAML service provider (SP) by creating a SAML user object. The entity-id and the single-sign-on/single-logout URLs are the SP-side values that must also be registered on the IdP; the idp-* values come from the IdP's metadata, and idp-cert is the IdP's signing certificate, imported on the FortiGate as a remote certificate (REMOTE_Cert_1 here). user-name and group-name are the names of the assertion attributes that carry the username and the group:
# config user saml
    edit "SAMLSP"
        set entity-id "https://10.9.14.145:1000/saml/metadata"
        set single-sign-on-url "https://10.9.14.145:1003/saml/login"
        set single-logout-url "https://10.9.14.145:1003/saml/logout"
        set idp-entity-id "http://10.10.10.10/saml-idp/aaaaaaaa/metadata/"
        set idp-single-sign-on-url "https://10.10.10.10/saml-idp/aaaaaaaa/login/"
        set idp-single-logout-url "https://10.10.10.10/saml-idp/aaaaaaaa/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "group"
        set digest-method sha1
    next
end
Note on digest-method: sha1 is shown here for compatibility, but SHA-1 signatures are deprecated. Set digest-method sha256 if the IdP supports it, and keep it consistent with the IdP's signing algorithm.
3) Add the SAML user object to a user group. Optionally, restrict membership to users whose group attribute (named by group-name above) matches a given value, using the group's match sub-table; without a match entry, any user the IdP authenticates is a member:
# config user group
    edit "VIPgrp"
        set member "SAMLSP"
    next
end
4) Add the SAML user group to the firewall policy that allows traffic to the VIP. Setting groups on the policy is what makes FortiGate require authentication for matching sessions. Here edit 0 creates a new policy with the next free ID:
# config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "saml-vip"
        set schedule "always"
        set service "ALL"
        set groups "VIPgrp"
        set auth-redirect-addr "10.9.14.143"
    next
end
5) Configure the IdP as needed: register the SP values from step 2 (entity-id, single-sign-on-url and single-logout-url) and make sure the issued assertion carries the attributes named in user-name and group-name.
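Steps 2 and 5 are two halves of one agreement: the idp-* settings on the FortiGate must match what the IdP publishes, and the SP URLs must match what is registered on the IdP. The following script is an added example, not Fortinet code or part of the original article. It parses a constructed IdP metadata document (built inline, mirroring the article's addresses, with a dummy certificate body), maps it onto the idp-* settings, compares the result with the article's config user saml values, flags weak settings such as digest-method sha1, and renders the matching CLI block. The function and variable names are the example's own.

```python
"""Cross-check a FortiGate 'config user saml' entry against SAML IdP metadata.

Added example for this article; not Fortinet code.  The metadata below is
constructed inline and the certificate body is a dummy placeholder.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata using the article's IdP addresses (dummy cert body).
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://10.10.10.10/saml-idp/aaaaaaaa/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-DUMMY-IDP-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://10.10.10.10/saml-idp/aaaaaaaa/logout/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://10.10.10.10/saml-idp/aaaaaaaa/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# The 'config user saml' values from the article, keyed by CLI setting name.
ARTICLE_CONFIG = {
    "entity-id": "https://10.9.14.145:1000/saml/metadata",
    "single-sign-on-url": "https://10.9.14.145:1003/saml/login",
    "single-logout-url": "https://10.9.14.145:1003/saml/logout",
    "idp-entity-id": "http://10.10.10.10/saml-idp/aaaaaaaa/metadata/",
    "idp-single-sign-on-url": "https://10.10.10.10/saml-idp/aaaaaaaa/login/",
    "idp-single-logout-url": "https://10.10.10.10/saml-idp/aaaaaaaa/logout/",
    "user-name": "Username",
    "group-name": "group",
    "digest-method": "sha1",
}


def _service_location(descriptor, tag, binding):
    """Location of the first <tag> endpoint that uses the given SAML binding."""
    for svc in descriptor.iter(f"{{{MD}}}{tag}"):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None


def parse_idp_metadata(xml_text):
    """Return the IdP values FortiGate needs, keyed by the idp-* CLI setting."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata describes no IdP role")
    # Signing certificates: KeyDescriptor with use="signing" or no use attribute.
    certs = []
    for kd in idp.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            certs += [c.text.strip() for c in kd.iter(f"{{{DS}}}X509Certificate") if c.text]
    sso = (_service_location(idp, "SingleSignOnService", HTTP_REDIRECT)
           or _service_location(idp, "SingleSignOnService", HTTP_POST))
    return {
        "idp-entity-id": root.get("entityID"),
        "idp-single-sign-on-url": sso,
        "idp-single-logout-url": _service_location(idp, "SingleLogoutService", HTTP_REDIRECT),
        "signing-certs": certs,
    }


def check_config(configured, metadata):
    """Return a list of problems; an empty list means the SP entry matches the IdP."""
    problems = []
    for key in ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url"):
        if configured.get(key) != metadata.get(key):
            problems.append(f"{key}: FortiGate has {configured.get(key)!r}, "
                            f"IdP metadata says {metadata.get(key)!r}")
    if not metadata["signing-certs"]:
        problems.append("idp-cert: IdP metadata publishes no signing certificate")
    # SHA-1 signatures are deprecated; FortiOS also accepts sha256.
    if configured.get("digest-method", "sha1") == "sha1":
        problems.append("digest-method: sha1 is deprecated, use sha256 if the IdP supports it")
    for key in ("single-sign-on-url", "single-logout-url"):
        if str(configured.get(key, "")).startswith("http://"):
            problems.append(f"{key}: plain http, assertions would be posted in clear")
    return problems


def render_user_saml(name, sp, metadata, cert_name):
    """Emit the 'config user saml' block: SP-side values from sp, idp-* values
    from the parsed metadata, so the two sides cannot drift apart."""
    settings = {k: v for k, v in sp.items() if not k.startswith("idp-")}
    settings.update({k: v for k, v in metadata.items() if k.startswith("idp-")})
    settings["idp-cert"] = cert_name
    lines = ["config user saml", f'    edit "{name}"']
    for key, value in settings.items():
        rendered = value if key == "digest-method" else f'"{value}"'
        lines.append(f"        set {key} {rendered}")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    for problem in check_config(ARTICLE_CONFIG, meta):
        print("WARN", problem)
    print(render_user_saml("SAMLSP", ARTICLE_CONFIG, meta, "REMOTE_Cert_1"))
```

Run against the article's values, the only finding is the sha1 digest; change any idp-* URL and the mismatch is reported with both sides' values. In practice, replace IDP_METADATA with the metadata document downloaded from the IdP and import the certificate it publishes as the remote certificate named in idp-cert.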
To authenticate a firewall-policy session with SAML, FortiGate must redirect the client's first request to its authentication portal. The default portal address cannot be used when the policy destination is a VIP, so SAML authentication is never triggered for VIP traffic.
The fix is to set auth-redirect-addr on the policy to the IP address of the policy's source interface. The client is then redirected to that address, which the FortiGate serves itself, and the SAML login starts. The client must be able to reach this address directly.
In this example auth-redirect-addr is the port2 interface address, 10.9.14.143.
Once the above settings are in place, browse to the VIP external IP address (10.9.14.145 in this example) from a client behind port2.
The browser should be redirected to the IdP's login prompt.
Use the command below to confirm whether the user is authenticated: