FortiGate
CarlosColombini
Article Id 220649
Description

 

This article describes the configuration steps to use SAML authentication in forward (outbound) firewall policies.
The example covers a G-Suite SAML application configured with multiple groups.

Scope

 

FortiGate 7.0+ and Google Cloud Platform as SAML IdP.

 

Solution

 

SAML authentication is widely used for FortiGate SSL VPN and administrator login.
Starting with FortiOS 7.0, it is possible to authenticate users for forward traffic in firewall policies and proxy traffic in explicit and transparent proxy features.

 

This document focuses on outbound firewall policies with Google Cloud Platform (GCP) as the SAML IdP. Additionally, a multiple-group scenario is described, which allows more granular control of the UTM security profiles applied to users based on their group membership.


Example Environment:


Clients: 172.16.3.30 and 172.16.3.31
FortiGate LAN Interface IP: 172.16.3.15
User lombini@colombas.me is member of GCP group STAFF
User student@colombas.me is member of GCP group STUDENT
SAML SP: FortiGate
SAML IdP: Google Cloud Platform




Configuration Steps for Google Suite SAML Application.

Note.

This configuration assumes users and groups are already created in GCP. Some steps are performed concurrently on the FortiGate.


1) Add a custom SAML app and define a name. Optionally add a description:


 

2) Note the IdP entity ID and Single Sign-On URLs, and download the IdP certificate.

 


 

3) Add the SP entity ID and Single Sign-On URLs.

 


 

The ACS URL contains the IP address and port of the FortiGate captive portal.

By default, the captive portal IP address is the IP of the FortiGate interface that receives the clients' web requests.

The default captive portal port for HTTPS connections is 1003:

# config system global
    set auth-https-port 1003
end


4) Configure SAML user and group Attributes.

 


 

Note.

It is now possible to send group membership directly from GCP rather than using other attributes, such as 'Department' or 'Cost Center'.

5) Review the completed app settings and make sure 'User access' is enabled.

 


 

Configuration steps in FortiGate.

 

1) Import the IdP certificate downloaded in step 2 of the previous section, under the 'Remote Certificate' option.

Note.

This certificate is per GCP tenant, which means it may already have been uploaded if GCP SAML is configured for another feature, such as SSL VPN or proxy policies.

If that is the case, an error message is shown on import.

 


 

Note.

The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N). 

Optionally, rename the certificate in the CLI to give it a more recognizable name:


# config vpn certificate remote
     rename REMOTE_Cert_3 to GoogleSAML
end

 

2) Create a new Single Sign-On server matching the IdP settings configured previously in GCP.

 


 

Note.

Starting with FortiOS 7.0.2 the SAML server can be created from the GUI; however, the SP URLs are populated automatically and need to be modified after saving.

Optionally, the new Single Sign-On server can be created from CLI as per below:

 

# config user saml
    edit "google-outbound-policy"
        set cert "Fortinet_Factory"
        set entity-id "https://172.16.3.15:1003/saml/metadata"
        set single-sign-on-url "https://172.16.3.15:1003/saml/login"
        set single-logout-url "https://172.16.3.15:1003/saml/logout"
        set idp-entity-id "https://accounts.google.com/o/saml2?idpid=C02216ujl"
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=C02216ujl"
        set idp-single-logout-url "https://accounts.google.com/logout"
        set idp-cert "GoogleSAML"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

 

Note.

As with any other command pasted into the FortiGate CLI that contains a question mark '?', press 'CTRL + V' right before pasting the special character '?', otherwise the CLI interprets it as a request for help.

This does not work from the web GUI's CLI console; use terminal software such as PuTTY over SSH or a console connection.

 

3) Create user groups to assign to different firewall policies:

 



From CLI:

 

# config user group
    edit "Staff"
        set member "google-outbound-policy"
        config match
            edit 1
                set server-name "google-outbound-policy"
                set group-name "STAFF"
            next
        end
    next
end

# config user group
    edit "Student"
        set member "google-outbound-policy"
        config match
            edit 1
                set server-name "google-outbound-policy"
                set group-name "STUDENT"
            next
        end
    next
end
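To see how the 'config match' entries above turn the IdP's group attribute into FortiGate group membership, the following is an added Python example; it is not part of the article and not FortiGate code. It parses a constructed SAML assertion that carries the 'username' and 'group' attributes configured on the SAML server and maps the IdP group values through the same STAFF -> Staff and STUDENT -> Student table. Signature, audience and time-window validation are left out on purpose: the FortiGate performs those checks against the imported IdP certificate, and this script only illustrates the attribute-to-group mapping, including the case of a multi-valued group attribute.

```python
"""Map SAML assertion attributes to FortiGate user groups (added example).

Assumptions: the attribute names 'username' and 'group' match the
'set user-name' / 'set group-name' values on the SAML server, and the
group match table mirrors the 'config user group' entries in the article.
The assertions below are CONSTRUCTED samples, not real IdP output.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# server-name -> {IdP group-name value -> FortiGate user group}
GROUP_MATCH = {
    "google-outbound-policy": {"STAFF": "Staff", "STUDENT": "Student"},
}

# Constructed sample assertion: one user, one group value
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>student@colombas.me</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>student@colombas.me</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>STUDENT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed variant: GCP sends the group attribute multi-valued
MULTI_GROUP_ASSERTION = SAMPLE_ASSERTION.replace(
    "<saml:AttributeValue>STUDENT</saml:AttributeValue>",
    "<saml:AttributeValue>STAFF</saml:AttributeValue>"
    "<saml:AttributeValue>STUDENT</saml:AttributeValue>",
)


def extract_attributes(assertion_xml, user_attr="username", group_attr="group"):
    """Return (user, [idp group values]) from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values[attr.get("Name")] = [
            v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text
        ]
    user = (values.get(user_attr) or [None])[0]
    return user, values.get(group_attr, [])


def match_groups(server_name, idp_groups, group_match=GROUP_MATCH):
    """Apply the 'config match' table: only listed group names map to a FortiGate group."""
    table = group_match.get(server_name, {})
    return sorted({table[g] for g in idp_groups if g in table})


def resolve_user(assertion_xml, server_name="google-outbound-policy"):
    """Return (user, FortiGate groups). An empty group list means no
    group-based policy (Staff-Internet / Student-Internet) will match."""
    user, idp_groups = extract_attributes(assertion_xml)
    return user, match_groups(server_name, idp_groups)


if __name__ == "__main__":
    print(resolve_user(SAMPLE_ASSERTION))        # ('student@colombas.me', ['Student'])
    print(resolve_user(MULTI_GROUP_ASSERTION))   # ('student@colombas.me', ['Staff', 'Student'])
```

A user whose IdP group is not in the match table (for example a third GCP group) resolves to an empty list, which is the expected outcome: such a user authenticates at the IdP but matches neither policy on the FortiGate.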

 

4) Create outbound firewall policies with UTM profile and other settings as desired:

 


 

# config firewall policy
    edit 40
        set name "Staff-Internet"
        set uuid 2aa5f31e-8131-51ec-a460-093b51af60ae
        set srcintf "port6"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "LAN3"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "Staff"
        set webfilter-profile "Staff-WF"
        set logtraffic all
        set nat enable
        set groups "Staff"
    next
end

# config firewall policy
    edit 85
        set name "Student-Internet"
        set uuid 0e292b3e-19c5-51ed-a93c-9ad37fc5e627
        set srcintf "port6"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "LAN3"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "Student"
        set webfilter-profile "Student-WF"
        set logtraffic all
        set nat enable
        set groups "Student"
    next
end

 

5) To allow traffic to the IdP URL before the user is authenticated, place a firewall policy without a user group above the firewall policies that have a group in the source.

The ISDB object 'Google-Web' can be used, because a wildcard FQDN object for 'accounts.google.com' alone is not sufficient.


 

# config firewall policy
    edit 32
        set name "SAML-GCP-Authentication"
        set uuid 6dcf3d4a-74a6-51ec-dfa3-1f25d4696d06
        set srcintf "port6" "port7"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "LAN3"
        set internet-service enable
        set internet-service-name "Google-Web"
        set schedule "always"
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

 

Configuring the user authentication setting.

When a user initiates traffic, the FortiGate will redirect the user to the firewall authentication captive portal before redirecting them to the SAML IdP portal.
After the SAML IdP responds with the SAML assertion, the user is again redirected to the firewall authentication captive portal.
If the firewall portal’s certificate is not trusted by the user, they will receive a certificate warning.
Use a custom certificate that the user trusts to avoid the certificate warning.


To configure a custom certificate:


1) Go to User & Authentication -> Authentication Settings.
2) For Certificate, select the custom certificate. The custom certificate’s SAN field should have the FQDN or IP from the SP URL.

Note.

Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the portal page.

This will override any assigned server certificate. In this example, the built-in Fortinet_CA_SSL is used.

To assign a CA certificate:

# config user setting
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
    set auth-timeout 2
    set auth-ssl-min-proto-version TLSv1-2
end


Go to System -> Certificates and download the certificate.
Install the certificate into the client’s certificate store.


Note.

If the captive portal is already being used for other features, redirection can be enabled per firewall policy by setting 'auth-redirect-addr', as described in the KB article below:

Technical Tip: Using secure authentication (HTTPS) on a FortiGate and redirecting the authentication...


User Authentication Timeout settings.

SAML-authenticated users have the same timeout settings applied as users of other methods, as explained in the KB article below:

Technical Tip: Explanation of auth-timeout types for Firewall authentication users

 

However, the browser may cache the authentication cookie, so the user may not be prompted for credentials again.
If a new prompt is desired, the authentication keepalive page can be used: when the user selects its 'Logout' button, the browser cookie is removed:

Technical Tip: Authentication keepalive page


If the keepalive browser tab is closed, the timeout becomes a hard timeout:

Technical Tip: How to calculate 'Authentication Refresh' count-down number of FortiGate's' 'Authenti...

 

Verification of Configuration and authentication Workflow.

1) The user initiates web traffic to the Internet.
2) The FortiGate redirects the user to the local captive portal port (default 1003), which then redirects the user to the SAML IdP.
3) The user connects to the Google Account login page to complete the SAML authentication request.
4) The SAML IdP sends the SAML assertion containing the user and group.
5) The browser forwards the SAML assertion to the SAML SP (the FortiGate).
6) If the user and group are allowed by the FortiGate, the user is allowed to access the Internet.

On the client, open a browser and go to a website. The user is redirected to the Google Account login page.

 

Enter the user credentials.

 


 

If the login attempt is successful, the user is allowed to access the Internet according to group membership and the firewall policies defined.

 

To verify authenticated users, go to Dashboard -> Users & Devices and select the Firewall Users widget.

 



Alternatively, list users from CLI as per commands below:


FGT1-A # diagnose firewall auth filter method fw

FGT1-A # diagnose firewall auth list

172.16.3.30, student@colombas.me
        type: fw, id: 0, duration: 80, idled: 7
        expire: 113, allow-idle: 120
        server: google-outbound-policy
        packets: in 4394 out 4024, bytes: in 3877855 out 1346112
        group_id: 42
        group_name: Student

172.16.3.31, lombini@colombas.me
        type: fw, id: 0, duration: 700, idled: 0
        expire: 120, allow-idle: 120
        server: google-outbound-policy
        packets: in 10937 out 10349, bytes: in 9378349 out 1774042
        group_id: 41
        group_name: Staff

 

To verify user login logs, go to Log & Report -> System Events and select the User Events card.

 


 

Alternatively, list the events from the CLI with the commands below:

 

FGT1-A # execute log filter category event

FGT1-A # execute log filter field subtype user

FGT1-A # execute log display

date=2022-08-12 time=00:23:35 eventtime=1660289015633370297 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.3.30 dstip=172.16.3.15 policyid=85 interface="port6" user="student@colombas.me" group="Student" authproto="HTTPS(172.16.3.30)" action="authentication" status="success" reason="N/A" msg="User student@colombas.me succeeded in authentication"

date=2022-08-12 time=00:15:55 eventtime=1660288555337117215 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.3.30 dstip=172.16.3.15 policyid=40 interface="port6" user="lombini@colombas.me" group="Staff" authproto="HTTPS(172.16.3.30)" action="authentication" status="success" reason="N/A" msg="User lombini@colombas.me succeeded in authentication"
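Checking these two outputs by eye works for two users; for a larger deployment it helps to parse them. The following is an added Python example, not part of the article and not Fortinet code. It reads the session blocks printed by 'diagnose firewall auth list' and the key=value event lines printed by 'execute log display' (both copied from above), reports how much idle time each session has left, and flags any successful authentication whose policy id does not match the policy expected for the user's group (Staff -> 40, Student -> 85, as configured in this article). A third log line is constructed for the example to show the mismatch case.

```python
"""Parse and check FortiGate firewall-auth verification output (added example).

Assumptions: the group-to-policy map follows the policies configured in the
article; the session text and the first two log lines are copied from the
article; the third log line is CONSTRUCTED to show a mismatch.
"""
import re

# Expected firewall policy per user group, from the article's configuration
EXPECTED_POLICY = {"Staff": 40, "Student": 85}

# Session output from 'diagnose firewall auth list'
AUTH_LIST = """\
172.16.3.30, student@colombas.me
        type: fw, id: 0, duration: 80, idled: 7
        expire: 113, allow-idle: 120
        server: google-outbound-policy
        packets: in 4394 out 4024, bytes: in 3877855 out 1346112
        group_id: 42
        group_name: Student

172.16.3.31, lombini@colombas.me
        type: fw, id: 0, duration: 700, idled: 0
        expire: 120, allow-idle: 120
        server: google-outbound-policy
        packets: in 10937 out 10349, bytes: in 9378349 out 1774042
        group_id: 41
        group_name: Staff
"""

# Lines 1-2 are from the article; line 3 is CONSTRUCTED: a Student user
# reported under policy 40, which is the Staff policy.
LOG_LINES = [
    'date=2022-08-12 time=00:23:35 eventtime=1660289015633370297 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.3.30 dstip=172.16.3.15 policyid=85 interface="port6" user="student@colombas.me" group="Student" authproto="HTTPS(172.16.3.30)" action="authentication" status="success" reason="N/A" msg="User student@colombas.me succeeded in authentication"',
    'date=2022-08-12 time=00:15:55 eventtime=1660288555337117215 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.3.30 dstip=172.16.3.15 policyid=40 interface="port6" user="lombini@colombas.me" group="Staff" authproto="HTTPS(172.16.3.30)" action="authentication" status="success" reason="N/A" msg="User lombini@colombas.me succeeded in authentication"',
    'date=2022-08-12 time=00:31:10 eventtime=1660289470000000000 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=172.16.3.30 dstip=172.16.3.15 policyid=40 interface="port6" user="student@colombas.me" group="Student" authproto="HTTPS(172.16.3.30)" action="authentication" status="success" reason="N/A" msg="User student@colombas.me succeeded in authentication"',
]

# key=value pairs; values are either double-quoted or a bare token
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split a FortiGate key=value log line into a dict, quotes removed."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def parse_auth_list(text):
    """Turn 'diagnose firewall auth list' output into one dict per session."""
    sessions, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):               # "ip, user" header line
            ip, user = (p.strip() for p in line.split(",", 1))
            current = {"ip": ip, "user": user}
            sessions.append(current)
        elif current is not None:                   # indented "key: value, ..." lines
            for field in line.strip().split(", "):
                key, _, value = field.partition(": ")
                current[key] = value
    return sessions


def idle_remaining(session):
    """Seconds of inactivity left before the idle timeout removes the session."""
    return int(session["allow-idle"]) - int(session["idled"])


def policy_mismatches(lines, expected=EXPECTED_POLICY):
    """Successful authentications whose policy id is not the one expected for the group."""
    bad = []
    for line in lines:
        r = parse_log_line(line)
        if r.get("subtype") != "user" or r.get("status") != "success":
            continue
        want = expected.get(r.get("group"))
        if want is not None and int(r["policyid"]) != want:
            bad.append((r["user"], r["group"], int(r["policyid"])))
    return bad


if __name__ == "__main__":
    for s in parse_auth_list(AUTH_LIST):
        print(f'{s["user"]:<25} {s["group_name"]:<8} idle left: {idle_remaining(s)}s')
    print("policy mismatches:", policy_mismatches(LOG_LINES))
```

A non-empty result from policy_mismatches means a user authenticated through a policy meant for a different group, which is worth checking against the policy order and the 'config match' entries before trusting the per-group UTM profiles.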