FortiGate
Jaye17
Staff
Article Id 416472
Description

This article describes how to configure a firewall policy that uses SAML authentication for outbound internet access from multiple network segments, with a loopback interface on FortiGate serving as the SAML Service Provider (SP) address. The Identity Provider (IdP) is FortiAuthenticator, using local users.

Scope

FortiGate v7.0+ as SAML Service Provider (SP). FortiAuthenticator as SAML IdP.
Solution

SAML authentication can be used to authenticate users in a firewall policy for outbound internet access. With multiple network segments, instead of creating a separate SAML SP configuration (entity ID and sign-on URLs) on FortiGate for each network interface, a single loopback interface can act as the SP address, and authentication requests from all network segments are redirected to it.

 

The following information is used in this article.

 

  • port 4 subnet: 10.38.10.0/24 
  • port 5 subnet: 10.38.11.0/24
  • Loopback IP, interface name 'SAML-SP-AUTH': 10.20.30.1
  • FortiAuthenticator: 10.9.10.186

 

Configuring users and SAML on FortiAuthenticator:

 

To configure local users on FortiAuthenticator, refer to Configuring local user on FortiAuthenticator - FortiAuthenticator cookbook.

 

To configure SAML, navigate to Authentication -> SAML IdP -> General. Input the server address and login session lifetime (default value is 480 minutes). To understand SAML session timeout, refer to Technical Tip: Significance of auth timeout and login session timeout when FortiAuthenticator acting....

 

Download the IdP certificate. The certificate must be imported to FortiGate as a remote certificate; FortiGate uses it to verify the signature on the SAML responses sent by the IdP.

 

Navigate to 'Service Providers' to add the SP entity ID and single sign-on URLs. These must match the entity-id, single-sign-on-url and single-logout-url configured on FortiGate in the next section. Refer to Configure SAML settings on FortiAuthenticator.

 


 

Configuration on FortiGate:

 

 

  1. Import the IdP certificate to FortiGate as a 'Remote Certificate'.

  2. Create the single sign-on server on FortiGate. This can be configured in either the GUI or the CLI. The SP entity ID and URLs use the loopback address and TCP port 1003, the default HTTPS port for firewall authentication. The 'digest-method sha1' setting is shown as captured; use sha256 where the IdP supports it.

 

 


 

config user saml

    edit "SAML-OUTBOUND"

        set cert "Fortinet_CA_SSL"

        set entity-id "https://10.20.30.1:1003/remote/saml/metadata/"

        set single-sign-on-url "https://10.20.30.1:1003/remote/saml/login"

        set single-logout-url "https://10.20.30.1:1003/remote/saml/logout"

        set idp-entity-id "http://10.9.10.186/saml-idp/ztna/metadata/"

        set idp-single-sign-on-url "https://10.9.10.186/saml-idp/ztna/login/"

        set idp-single-logout-url "https://10.9.10.186/saml-idp/ztna/logout/"

        set idp-cert "REMOTE_Cert_3"

        set user-name "username"

        set digest-method sha1

    next

end

 

 

  3. Create a user group and add the SAML server as a member.

 

 


 

config user group

    edit "SAML-OUTBOUND"

        set member "SAML-OUTBOUND"

    next

end

 

 

  4. Configure the loopback interface that will be used as the SAML SP address.

 

 

config system interface

    edit "SAML-SP-AUTH"

        set ip 10.20.30.1 255.255.255.255

        set type loopback

        set role lan

    next

end

 

 

  5. Configure the firewall policy for internet access. The user group must be added to the policy; this is what triggers authentication for traffic matching it.

 

 

Network segments: port 4 (10.38.10.0/24) port 5 (10.38.11.0/24).

 


 

config firewall policy

    edit 25

        set name "LAN-Internet"

        set srcintf "port4" "port5"

        set dstintf "port2"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set utm-status enable

        set ssl-ssh-profile "certificate-inspection"

        set logtraffic all

        set nat enable

        set groups "SAML-OUTBOUND"

    next

end

 

 

  6. Create the policy that allows traffic from the network segment interfaces to the loopback interface, so that clients can reach the SP address (10.20.30.1) on TCP port 1003. The example uses service ALL; a service object limited to the authentication port is tighter and sufficient.

 


 

config firewall policy

    edit 38

        set name "Loopback"

        set srcintf "port4" "port5"

        set dstintf "SAML-SP-AUTH"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

    next

end

 

  7. To enable authentication on the loopback interface, create a firewall policy from the loopback interface back to the network segment interfaces, with the user group applied. This policy is what presents the SAML login redirect for connections arriving on the loopback.


 

config firewall policy

    edit 36

        set name "LoOAuth"

        set uuid 39e06146-ac63-51f0-d773-7bdc563c0530

        set srcintf "SAML-SP-AUTH"

        set dstintf "port4" "port5"

        set action accept

        set srcaddr "all"

        set dstaddr "all"

        set schedule "always"

        set service "ALL"

        set groups "SAML-OUTBOUND"

    next

end

 

  8. To allow unauthenticated clients to reach FortiAuthenticator (in this setup, FortiAuthenticator is not behind the FortiGate), configure a firewall policy placed above the policies configured so far, with no group in the source field. 'FAC-10.9.10.186' is a firewall address object containing the FortiAuthenticator IP. The ordering matters: if this policy sat below the group-gated internet policy, the browser's redirect to the IdP login page would itself match the policy that requires authentication, and the user could never reach the login page.


 

config firewall policy

    edit 37

        set name "FAC-AUTH"

        set srcintf "port4" "port5"

        set dstintf "port2"

        set action accept

        set srcaddr "all"

        set dstaddr "FAC-10.9.10.186"

        set schedule "always"

        set service "ALL"

        set utm-status enable

        set ssl-ssh-profile "certificate-inspection"

        set logtraffic all

        set nat enable

    next

end
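The steps above produce a set of policies whose ordering and coverage are easy to get wrong when more segments are added. The following Python script is an added example, not code from the article or from Fortinet: it parses FortiOS CLI text and checks the three dependencies this design has (an ungated policy to the IdP ordered above each group-gated internet policy, a policy from every segment interface to the loopback, and a group-gated policy from the loopback back to that segment), and flags 'digest-method sha1'. The configuration text inside it is constructed from the article's fragments (policy names and object names are the article's); the check rules are this example's own assumptions about the design, not FortiOS behaviour.

```python
# Added example, not code from the article or from Fortinet: a linter for the
# FortiOS CLI fragments shown above. The checks encode what this loopback SAML
# design relies on; they are this example's assumptions, not FortiOS rules.
import re
from collections import OrderedDict

# Constructed sample: the article's policies trimmed to the keys the checks
# use, in evaluation order (policy 37 above 25, as step 8 requires).
CONFIG = """
config user saml
    edit "SAML-OUTBOUND"
        set cert "Fortinet_CA_SSL"
        set digest-method sha1
    next
end
config firewall policy
    edit 37
        set srcintf "port4" "port5"
        set dstintf "port2"
        set action accept
        set dstaddr "FAC-10.9.10.186"
    next
    edit 25
        set srcintf "port4" "port5"
        set dstintf "port2"
        set action accept
        set dstaddr "all"
        set groups "SAML-OUTBOUND"
    next
    edit 38
        set srcintf "port4" "port5"
        set dstintf "SAML-SP-AUTH"
        set action accept
    next
    edit 36
        set srcintf "SAML-SP-AUTH"
        set dstintf "port4" "port5"
        set action accept
        set groups "SAML-OUTBOUND"
    next
end
"""


def parse_fortios(text):
    """Return {table: OrderedDict(entry -> {key: [values]})}. Entry order is
    kept: FortiGate evaluates policies top-down in the order `show` prints."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, OrderedDict())
        elif tok[0] == "edit":
            entry = tables[table].setdefault(raw.strip()[4:].strip().strip('"'), {})
        elif tok[0] == "set" and entry is not None:
            rest = raw.strip()[len("set " + tok[1]):]   # quoted or bare values
            entry[tok[1]] = [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', rest)]
        elif tok[0] in ("next", "end"):
            entry = None
    return tables


def lint(tables, sp_iface, saml_name, idp_addr):
    """Return finding strings; an empty list means every check passed."""
    findings = []
    saml = tables.get("user saml", {}).get(saml_name)
    if saml is None:
        findings.append(f"user saml {saml_name}: not found")
    elif saml.get("digest-method", ["sha256"])[0] == "sha1":   # unset: assume sha256
        findings.append(f"user saml {saml_name}: digest-method sha1, prefer sha256")
    ordered = list(tables.get("firewall policy", {}).items())

    def has(p, key, val):
        return val in p.get(key, [])

    for idx, (pid, pol) in enumerate(ordered):
        # Only LAN-side policies gated by a group need the supporting policies.
        if "groups" not in pol or has(pol, "srcintf", sp_iface):
            continue
        for src in pol.get("srcintf", []):
            # 1. Unauthenticated clients must reach the IdP: an ungated policy
            #    with the same ingress and dstaddr = IdP object, ordered above.
            if not any("groups" not in q and has(q, "srcintf", src)
                       and has(q, "dstaddr", idp_addr) for _, q in ordered[:idx]):
                findings.append(f"policy {pid}: no IdP policy above it for {src}")
            # 2. The client must be allowed to reach the loopback SP address.
            if not any(has(q, "srcintf", src) and has(q, "dstintf", sp_iface)
                       and has(q, "action", "accept") for _, q in ordered):
                findings.append(f"policy {pid}: no policy {src} -> {sp_iface}")
            # 3. The loopback must answer with the portal: a group-gated policy
            #    from the loopback back to the segment.
            if not any(has(q, "srcintf", sp_iface) and has(q, "dstintf", src)
                       and "groups" in q for _, q in ordered):
                findings.append(f"policy {pid}: no group-gated policy {sp_iface} -> {src}")
    return findings
```

Run it with lint(parse_fortios(CONFIG), "SAML-SP-AUTH", "SAML-OUTBOUND", "FAC-10.9.10.186"): on the article's configuration the only finding is the sha1 digest. Moving policy 37 below policy 25 (or pasting 'show firewall policy' output from a unit where the GUI ordering was never adjusted) produces a finding for each segment interface, which is the loop described in step 8.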

 

Testing the authentication workflow from the two network segments:

 

On a user's browser, access any website. The user is redirected to the FortiAuthenticator SAML login page. Supply the credentials.

 

Scenario 1: Port 4 subnet 10.38.10.0/24.

 


 

On the FortiGate, the sniffer shows the client's authentication request entering on port 4, destined for the loopback address 10.20.30.1 on TCP port 1003.

 

diag sniffer packet any 'port 1003' 4 0 l

Using Original Sniffing Mode

interfaces=[any]

filters=[port 1003]

2025-10-24 08:49:05.479700 port4 in 10.38.10.2.6184 -> 10.20.30.1.1003: syn 3160066626

2025-10-24 08:49:05.479857 port4 out 10.20.30.1.1003 -> 10.38.10.2.6184: syn 1451260082 ack 3160066627

2025-10-24 08:49:05.479876 port4 in 10.38.10.2.6185 -> 10.20.30.1.1003: syn 3118826819

 

Scenario 2: Port 5 subnet 10.38.11.0/24.

 


 

On the FortiGate, the sniffer shows the client's authentication request entering on port 5 on TCP port 1003. In this capture the destination is the port 5 interface address 10.38.11.1 rather than the loopback address.

 

diag sniffer packet any 'port 1003' 4 0 l

Using Original Sniffing Mode

interfaces=[any]

filters=[port 1003]

 

2025-10-24 08:52:51.218590 port5 in 10.38.11.2.58970 -> 10.38.11.1.1003: syn 1295171139

2025-10-24 08:52:51.218707 port5 out 10.38.11.1.1003 -> 10.38.11.2.58970: syn 4160545097 ack 1295171140

2025-10-24 08:52:51.219045 port5 in 10.38.11.2.58970 -> 10.38.11.1.1003: ack 4160545098

 

After successful authentication, the user can browse the internet.
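When several segments are being tested, reading the 'diag sniffer packet' output by eye becomes tedious. The following Python script is an added example, not part of the article: it parses the sniffer line format shown above, counts new client connections (inbound SYN without ACK) to the authentication port per ingress interface, and records every destination address so that a request landing on an address other than the loopback stands out. The sample lines are constructed from the article's two captures; the port (1003) and loopback address (10.20.30.1) are the article's values.

```python
# Added example, not from the article: summarise FortiGate sniffer output for
# the authentication port, per ingress interface.
import re
from collections import defaultdict

# Packet line format as printed by `diag sniffer packet any 'port 1003' 4 0 l`
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)

# Constructed sample, taken from the two captures in the article
SAMPLE = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[port 1003]
2025-10-24 08:49:05.479700 port4 in 10.38.10.2.6184 -> 10.20.30.1.1003: syn 3160066626
2025-10-24 08:49:05.479857 port4 out 10.20.30.1.1003 -> 10.38.10.2.6184: syn 1451260082 ack 3160066627
2025-10-24 08:49:05.479876 port4 in 10.38.10.2.6185 -> 10.20.30.1.1003: syn 3118826819
2025-10-24 08:52:51.218590 port5 in 10.38.11.2.58970 -> 10.38.11.1.1003: syn 1295171139
2025-10-24 08:52:51.218707 port5 out 10.38.11.1.1003 -> 10.38.11.2.58970: syn 4160545097 ack 1295171140
2025-10-24 08:52:51.219045 port5 in 10.38.11.2.58970 -> 10.38.11.1.1003: ack 4160545098
"""


def parse_sniffer(text):
    """Yield one dict per packet line; banner and filter lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d


def auth_attempts(text, auth_port=1003, sp_ip="10.20.30.1"):
    """Per ingress interface: number of new client connections to auth_port,
    the client addresses, the destination addresses, and any destination
    that is not the loopback SP address."""
    summary = defaultdict(lambda: {"syns": 0, "clients": set(), "dst": set(), "dst_not_sp": set()})
    for p in parse_sniffer(text):
        if p["dir"] != "in" or p["dport"] != auth_port:
            continue
        flags = p["flags"].split()
        if flags[0] != "syn" or "ack" in flags:   # only the client's initial SYN
            continue
        s = summary[p["iface"]]
        s["syns"] += 1
        s["clients"].add(p["src"])
        s["dst"].add(p["dst"])
        if p["dst"] != sp_ip:
            s["dst_not_sp"].add(p["dst"])
    return dict(summary)
```

auth_attempts(SAMPLE) reports two connection attempts from 10.38.10.2 on port4 to 10.20.30.1, and one from 10.38.11.2 on port5 whose destination 10.38.11.1 is listed under dst_not_sp, matching what the two captures above show. Paste a longer capture in place of SAMPLE to check every segment at once.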

 

Related articles:

Outbound firewall authentication with Microsoft Entra ID as a SAML IdP | Fortinet Document Library

Technical Tip: SAML Authentication for Outbound Firewall Policy with Google Suite as IdP