pgautam (Staff)
Article Id 253300
Description This article describes why, when outbound firewall authentication is configured with Azure as the SAML IdP, the user is redirected directly to the Microsoft login page, and how to make the captive portal page with the SAML option appear instead.
Scope FortiGate, Captive portal, SAML.
Solution

Example:

FortiGate SAML configuration:

config user saml
    edit "SAML_Auth"
        set entity-id "http://10.201.4.1:1003/remote/saml/metadata/"
        set single-sign-on-url "https://10.201.4.1:1003/remote/saml/login/"
        set single-logout-url "https://10.201.4.1:1003/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/55822b01-86f6-457c-b3f9-7544a45bb192/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/55822b01-86f6-457c-b3f9-7544a45bb192/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/55822b01-86f6-457c-b3f9-7544a45bb192/saml2"
        set idp-cert "REMOTE_Cert_3"
        set user-name "name"
        set group-name "group"
        set digest-method sha1
    next
end

config user group
    edit "SAML_Auth"
        set member "SAML_Auth"
    next
end

config firewall policy

    edit 11
        set name "Azure" <----- This policy allows connectivity to Microsoft for the SAML authentication.
        set uuid c0f5d968-e019-51ed-5236-b6dc3ba0b637
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Microsoft-Azure"
        set schedule "always"
        set logtraffic all
        set nat enable
        set comments " (Copy of internet_Windows_Server)"
        set captive-portal-exempt enable <----- Exempts the traffic to Microsoft used for SAML authentication from the captive portal check.
    next
    edit 10
        set name "internet_Windows_Server"
        set uuid 05941810-d9b6-51ed-7ac3-1e53c651b2df
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "SAML_Auth" <----- SAML user group.
        set users "PHOTON-BB"
    next

end

When the user tries to access the internet, the FortiGate redirects the user directly to the Microsoft login page:

[Image: MS login page.PNG]

To show the captive portal page with the SAML option instead, create a dummy local user group and add it to the policy alongside the SAML group:

config user group
    edit "Captive_portal"
        set member "Captive_portal"
    next
end

config firewall policy
    edit 10
        set name "internet_Windows_Server"
        set uuid 05941810-d9b6-51ed-7ac3-1e53c651b2df
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "SAML_Auth" "Captive_portal" <----- Local dummy group and SAML group.
    next
end
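
As an added example (not Fortinet's code), the following Python audit script parses a FortiOS config dump and reports, for each policy that authenticates users, whether all of its groups are SAML-backed, which is the condition that produces the direct Microsoft redirect described above, and whether a captive-portal-exempt policy precedes it in policy order. The sample config is constructed and abridged from this article, and the parser only understands the `config`/`edit`/`set`/`next`/`end` layout shown here.

```python
import re
SAMPLE_CONFIG = """# constructed sample, abridged from the article's configuration (not a real dump)
config user saml
    edit "SAML_Auth"
    next
end
config user group
    edit "SAML_Auth"
        set member "SAML_Auth"
    next
    edit "Captive_portal"
        set member "Captive_portal"
    next
end
config firewall policy
    edit 11
        set captive-portal-exempt enable
    next
    edit 10
        set groups "SAML_Auth"
    next
end
"""

def parse_sections(text):
    """Return {section: {edit_id: {key: [values]}}} from a FortiOS config dump."""
    sections, section, entry = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            entry[key] = [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', rest)]
        elif line in ("next", "end"):  # "next" closes the edit, "end" closes the section
            entry, section = None, (section if line == "next" else None)
    return sections

def audit_policies(text):
    """Per authenticating policy: are all groups SAML-backed? Is an exempt policy ahead of it?"""
    cfg = parse_sections(text)
    saml_servers, groups = set(cfg.get("user saml", {})), cfg.get("user group", {})
    exempt_seen, findings = False, {}
    for pid, attrs in cfg.get("firewall policy", {}).items():  # config order is evaluation order
        exempt_seen |= attrs.get("captive-portal-exempt") == ["enable"]
        if pol_groups := attrs.get("groups"):
            saml_only = all(set(groups.get(g, {}).get("member", [])) <= saml_servers for g in pol_groups)
            findings[pid] = {"saml_only": saml_only, "exempt_before": exempt_seen}
    return findings
```

A policy reported with `saml_only` True sends users straight to the IdP; adding a local group to it (as in the second configuration above) makes the portal page with the SAML option appear.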

After the local group is added, when the user tries to access the internet, the captive portal page is shown with the SAML login option visible:

[Image: Captiveportal page.PNG]

Select SAML Identity Provider to use the SAML login, or enter local user credentials to log in as a local user, then select Continue.

To configure SAML with Azure as the IdP, refer to the related documents below:

Outbound firewall authentication with Azure AD as a SAML IdP

Troubleshooting Tip: How to troubleshoot SAML authentication