Created on 10-05-2022 08:45 PM Edited on 10-07-2022 01:18 PM By Anonymous
Description
This article describes how to configure SAML authentication for IPv6 forward firewall policies.
The configuration example covers the Microsoft Azure application configuration with multiple groups.
Scope
FortiGate 7.0+, IPv6 network, and Microsoft Azure as SAML IdP.
Solution
SAML authentication is widely deployed for FortiGate SSL VPN and administrative access.
Starting with FortiOS 7.0, it is also possible to authenticate users for forward traffic in firewall policies and for proxied traffic in the explicit and transparent proxy features.
This document focuses on IPv6 outbound firewall policies with Microsoft Azure as the SAML IdP. Additionally, a multiple-group scenario is described to allow more granular control over the UTM security profiles applied to users based on their group membership.
Example Environment:
Client IPv6: 2600:5000:9830:200::30
FortiGate LAN Interface IPv6 (port6): 2600:5000:9830:200::15
IPv6 Captive Portal FQDN: ipv6-saml-portal.colombas.lab
DNS Server IPv6: 2600:5000:9830:200::10
User development@robertao.me is member of Azure group "Development Group"
User sales@robertao.me is member of Azure group "Sales Group"
SAML SP: FortiGate
SAML IdP: Microsoft Azure
Configuration for Microsoft Azure SAML Application.
Note.
This configuration assumes users and groups are already created in Azure. Some steps are performed concurrently on the FortiGate.
1) Create a non-gallery application as per below and define a name for it:
2) Once the application has been deployed, select it and assign users and groups as desired:
Note.
Depending on the Azure AD plan, groups cannot be directly assigned to the SAML application, and users will have to be assigned individually.
However, group membership can still be used in SAML assertions; therefore, the multiple-group scenario can still be configured in FortiGate.
3) Make a note of the group Object ID that can be used for group matching in FortiGate:
4) Configure the SSO URLs for the newly created SAML application:
The Reply URL (Assertion Consumer Service URL) contains the FQDN and port of the FortiGate captive portal.
By default, the captive portal IPv6 address is the IPv6 address of the FortiGate interface to which clients send their web requests.
Since neither Azure nor FortiGate supports IPv6 address syntax in these URLs, an FQDN must be used.
Additionally, the default captive portal port for HTTPS connections is 1003:
# config system global
set auth-https-port 1003
end
5) Configure the Attributes and Claims for the newly created SAML application:
The username claim is mandatory, but the group claim is optional.
However, the claim names must match the 'user-name' and 'group-name' attributes configured in FortiGate.
Note.
Claim names are case-sensitive attributes.
6) Username claim details.
7) Group claim details.
Note.
For group claims, if the claim name is not customized as shown in the screenshot above, Azure prepends its namespace to the claim name, which may cause a mismatch with the attribute configured in FortiGate.
8) Download the certificate in Base64 format; it will be imported into FortiGate later.
9) Make a note of the IdP URLs, which will be used in the FortiGate configuration.
Configuration in FortiGate.
1) Import the IdP certificate downloaded in step 8 above. Import it under the 'Remote Certificate' option.
Note.
The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N).
Optionally, rename the certificate in the CLI to give it a more recognizable name:
# config vpn certificate remote
rename REMOTE_Cert_3 to AZURE-SAML-Firewall-Policy-IPv6
end
2) Create a new Single Sign-On server matching the Azure IdP settings configured previously.
Note.
Starting with FortiOS 7.0.2, a SAML server can be created from the GUI; however, the SP URLs are populated automatically and need to be modified after saving.
Optionally, the new Single Sign-On server can be created from the CLI as below:
# config user saml
edit "azure-saml-firewall-policy-ipv6"
set cert "Fortinet_Factory"
set entity-id "https://ipv6-saml-portal.colombas.lab:1003/saml/metadata"
set single-sign-on-url "https://ipv6-saml-portal.colombas.lab:1003/saml/login"
set single-logout-url "https://ipv6-saml-portal.colombas.lab:1003/saml/logout"
set idp-entity-id "https://sts.windows.net/0a3ae56c-55e6-4e3a-9aa8-726a919b175d/"
set idp-single-sign-on-url "https://login.microsoftonline.com/0a3ae56c-55e6-4e3a-9aa8-726a919b175d/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/0a3ae56c-55e6-4e3a-9aa8-726a919b175d/saml2"
set idp-cert "AZURE-SAML-Firewall-Policy-IPv6"
set user-name "username"
set group-name "group"
set digest-method sha1
next
end
3) Create user groups to assign to different firewall policies:
From CLI:
# config user group
edit "SAML-AZURE-Development-Firewall-ip6"
set member "azure-saml-firewall-policy-ipv6"
config match
edit 1
set server-name "azure-saml-firewall-policy-ipv6"
set group-name "8cd85213-773b-46dc-afd3-5cc8edcfc18"
next
end
next
end
# config user group
edit "SAML-AZURE-Sales-Firewall-ip6"
set member "azure-saml-firewall-policy-ipv6"
config match
edit 1
set server-name "azure-saml-firewall-policy-ipv6"
set group-name "433c2809-4ae2-4589-80e1-7cfc3fac2a57"
next
end
next
end
4) Create outbound firewall policies with UTM profile and other settings as desired:
# config firewall policy
edit 84
set name "SAML-AZURE-Development-Internet-IP6"
set uuid 56793c14-339f-51ed-15f0-63b60e44bf2a
set srcintf "port6"
set dstintf "virtual-wan-link"
set action accept
set srcaddr6 "all"
set dstaddr6 "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "certificate-inspection"
set av-profile "Development-AV"
set webfilter-profile "Development-Proxy"
set logtraffic all
set nat enable
set groups "SAML-AZURE-Development-Firewall-ip6"
next
end
# config firewall policy
edit 94
set name "SAML-AZURE-Sales-Internet-IP6"
set uuid d2727ec8-44f4-51ed-54a6-7ba864950604
set srcintf "port6"
set dstintf "virtual-wan-link"
set action accept
set srcaddr6 "all"
set dstaddr6 "all"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "certificate-inspection"
set av-profile "Sales-AV"
set webfilter-profile "Sales-Proxy"
set logtraffic all
set nat enable
set groups "SAML-AZURE-Sales-Firewall-ip6"
next
end
5) Because IPv6 address syntax is not supported in the SAML configuration of either Azure or FortiGate, the setting below is required so that the captive portal is triggered correctly.
This FQDN must resolve to the IPv6 address of the FortiGate interface set as the source interface in the firewall policy matching the client traffic.
Since the option 'set auth-redirect-addr' is currently not supported for IPv6 traffic, the global setting 'set portal-addr6' under 'config firewall auth-portal' must be used, as in the example below:
# config firewall auth-portal
set portal-addr6 "ipv6-saml-portal.colombas.lab"
end
6) Create an outbound firewall policy that exempts the Microsoft Azure IdP login page from authentication; otherwise, the IdP login URL will be unreachable.
# config firewall policy
edit 61
set name "SAML-AZURE-Portal"
set uuid 60baf1ec-c642-51ec-1030-0fa9ac35d53b
set srcintf "port6"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "LAN3"
set dstaddr "login.microsoftonline.com" "sts.windows.net" "aadcdn.msauth.net"
set schedule "always"
set service "ALL"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "certificate-inspection"
set av-profile "Staff"
set webfilter-profile "Escalations-Proxy"
set logtraffic all
set nat enable
next
end
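Steps 2, 4 and 5 only work together when the SP URLs, the captive portal port and portal-addr6 agree with each other and none of them uses an IPv6 literal. The following added check (not part of the article or of FortiOS) reads those settings from a constructed CLI fragment copied from this article and reports any mismatch; the names parse_settings and check_sp_urls are assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed FortiOS CLI fragments that mirror the SP-side settings from this
# article: the captive-portal port, the SAML SP URLs and portal-addr6.
CONFIG = """
config system global
    set auth-https-port 1003
end
config user saml
    edit "azure-saml-firewall-policy-ipv6"
        set entity-id "https://ipv6-saml-portal.colombas.lab:1003/saml/metadata"
        set single-sign-on-url "https://ipv6-saml-portal.colombas.lab:1003/saml/login"
        set single-logout-url "https://ipv6-saml-portal.colombas.lab:1003/saml/logout"
    next
end
config firewall auth-portal
    set portal-addr6 "ipv6-saml-portal.colombas.lab"
end
"""

SP_URL_KEYS = ("entity-id", "single-sign-on-url", "single-logout-url")

def parse_settings(text):
    """Collect 'set <key> <value>' lines into a flat dict (quotes stripped); fine here because each key appears once."""
    settings = {}
    for m in re.finditer(r'^\s*set (\S+) "?([^"\n]*?)"?\s*$', text, re.M):
        settings[m.group(1)] = m.group(2)
    return settings

def check_sp_urls(settings):
    """Return a list of findings; an empty list means the SP side is consistent."""
    findings = []
    port = int(settings.get("auth-https-port", 1003))  # FortiOS default captive portal port
    portal = settings.get("portal-addr6", "")
    for key in SP_URL_KEYS:
        url = urlsplit(settings[key])
        host = url.hostname or ""
        if url.scheme != "https":
            findings.append(f"{key}: scheme must be https")
        if ":" in host:  # urlsplit strips the brackets of an IPv6 literal
            findings.append(f"{key}: IPv6 literal {host} is not supported, use an FQDN")
        elif host != portal:
            findings.append(f"{key}: host {host} does not match portal-addr6 {portal!r}")
        if (url.port or 443) != port:
            findings.append(f"{key}: port {url.port or 443} != auth-https-port {port}")
    return findings
```

Run `check_sp_urls(parse_settings(CONFIG))` against your own `show` output pasted into CONFIG; an empty list means the three URLs, the port and portal-addr6 line up.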
Configuring the user authentication setting.
When a user initiates traffic, the FortiGate redirects the user to the firewall authentication captive portal before redirecting them to the SAML IdP portal.
After the SAML IdP responds with the SAML assertion, the user is again redirected to the firewall authentication captive portal.
If the firewall portal's certificate is not trusted by the user's browser, the user will receive a certificate warning.
Use a custom certificate that the user trusts to avoid the certificate warning.
To configure a custom certificate:
1) Go to User & Authentication > Authentication Settings.
2) For Certificate, select the custom certificate. The custom certificate's SAN field should contain the FQDN of the SP sign-on URL.
Note.
Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the portal page.
This overrides any assigned server certificate. In this example, the built-in Fortinet_CA_SSL is used.
To assign a CA certificate:
# config user setting
set auth-ca-cert "Fortinet_CA_SSL"
set auth-secure-http enable
set auth-timeout 2
set auth-ssl-min-proto-version TLSv1-2
end
Go to System > Certificates and download the certificate.
Install the certificate into the client's certificate store.
Note.
Redirection is used in this scenario for IPv6 per firewall policy with setting 'auth-redirect-addr' as per KB article below.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-secure-authentication-HTTPS-on-a-For...
Verification of the Configuration and Authentication Workflow.
1) The user initiates IPv6 web traffic to the Internet.
2) The FortiGate redirects to the local captive portal port (default is 1003), then redirects the user to the SAML IdP.
3) The user connects to the Microsoft Azure login page for the SAML authentication request.
4) The SAML IdP sends the SAML assertion containing the user and group.
5) The browser forwards the SAML assertion to the SAML SP.
6) If the user and group are allowed by FortiGate, the user is allowed to access the internet.
On the client, open a browser and go to an IPv6 Website. The user is redirected to the Microsoft Azure login page.
Enter the user credentials.
If the login attempt is successful, the user is allowed to access the internet according to group membership and firewall policies defined.
To verify logged-in users, go to Dashboard > Users & Devices and select the Firewall Users widget.
Alternatively, list the users from the CLI with the command below:
FGT1-A # diagnose firewall auth ipv6 list
2600:5000:9830:200::30, development@robertao.me
type: fw, id: 0, duration: 156, idled: 31
expire: 88, allow-idle: 120
server: azure-saml-firewall-policy-ipv6
packets: in 285 out 322, bytes: in 101116 out 43276
group_id: 51
group_name: SAML-AZURE-Development-Firewall-ip6
To verify user login logs, go to Log & Report > System Events and select the User Events card.
Alternatively, list them with the CLI commands below:
FGT1-A # execute log filter category event
FGT1-A # execute log filter field subtype user
FGT1-A # execute log display
date=2022-10-05 time=16:59:23 eventtime=1665014363864850714 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=2600:5000:9830:200::30 dstip=2600:5000:9830:200::15 policyid=84 interface="port6" user="development@robertao.me" group="SAML-AZURE-Development-Firewall-ip6" authproto="HTTPS(2600:5000:9830:200::30)" action="authentication" status="success" reason="N/A" msg="User development@robertao.me succeeded in authentication"
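To go beyond reading individual lines in the GUI, the added script below (not part of the article or of FortiOS) parses FortiOS key=value user events like the one above, lists who logged in with which group, and counts failed captive-portal logins per source address. The first sample line mirrors the article's successful login; the two failure lines are constructed, and the names parse_log_line, summarize_auth and repeated_failures are assumed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FortiOS event-log key=value format. The first
# mirrors the successful SAML login from this article; the other two are
# constructed failures from a second client to exercise the failure path.
LOG_LINES = [
    'date=2022-10-05 time=16:59:23 logid="0102043008" type="event" subtype="user" level="notice" '
    'vd="root" logdesc="Authentication success" srcip=2600:5000:9830:200::30 '
    'dstip=2600:5000:9830:200::15 policyid=84 interface="port6" user="development@robertao.me" '
    'group="SAML-AZURE-Development-Firewall-ip6" authproto="HTTPS(2600:5000:9830:200::30)" '
    'action="authentication" status="success" reason="N/A" '
    'msg="User development@robertao.me succeeded in authentication"',
    'date=2022-10-05 time=17:02:10 type="event" subtype="user" level="warning" vd="root" '
    'srcip=2600:5000:9830:200::40 dstip=2600:5000:9830:200::15 policyid=94 interface="port6" '
    'user="sales@robertao.me" action="authentication" status="failure" reason="constructed"',
    'date=2022-10-05 time=17:02:31 type="event" subtype="user" level="warning" vd="root" '
    'srcip=2600:5000:9830:200::40 dstip=2600:5000:9830:200::15 policyid=94 interface="port6" '
    'user="sales@robertao.me" action="authentication" status="failure" reason="constructed"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line):
    """Split one key=value line into a dict; quoted values may contain spaces, unquoted ones (IPv6 addresses, ids) run to the next space."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}

def summarize_auth(lines):
    """Return ({user: group} for successful logins, {srcip: failure count})."""
    logged_in, failures = {}, defaultdict(int)
    for line in lines:
        ev = parse_log_line(line)
        if ev.get("subtype") != "user" or ev.get("action") != "authentication":
            continue  # not a captive-portal authentication event
        if ev.get("status") == "success":
            logged_in[ev["user"]] = ev.get("group", "")
        else:
            failures[ev.get("srcip", "?")] += 1
    return logged_in, dict(failures)

def repeated_failures(lines, threshold=2):
    """Source addresses with at least `threshold` failed captive-portal logins."""
    _, failures = summarize_auth(lines)
    return sorted(ip for ip, n in failures.items() if n >= threshold)
```

Feed it the output of `execute log display` after the two filters above to spot users landing in an unexpected group or sources that keep failing at the portal.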