Description
This article describes how to authenticate users against a SAML identity provider (IdP) before a firewall policy allows their traffic, using the FortiGate as the SAML service provider (SP).
Solution
Azure AD is used as the SAML IdP in this scenario. Any SAML IdP will work by substituting its entity ID, login/logout URLs and signing certificate in the FortiGate SP configuration below.
Configuration on FortiGate (SP):
Create the SAML SP configuration. The SP entity ID and single sign-on/logout URLs use the FortiGate LAN IP and port 1003, the default HTTPS captive portal port; clients must be able to reach that address, and the same values must be entered on the IdP side exactly as written here. 'idp-cert' is the name of the IdP signing certificate after it has been imported on the FortiGate as a remote certificate (System -> Certificates); 'user-name' and 'group-name' are the claim names the IdP sends and must match the attribute names configured on the IdP.
# config user saml
    edit "AAD-Captive"
        set entity-id "https://LAN-IP:1003/saml/metadata"
        set single-sign-on-url "https://LAN-IP:1003/saml/login/"
        set single-logout-url "https://LAN-IP:1003/saml/logout/"
        set idp-entity-id "Copy from Azure portal"
        set idp-single-sign-on-url "Copy from Azure portal"
        set idp-single-logout-url "Copy from Azure portal"
        set idp-cert "Download from Azure portal"
        set user-name "username"
        set group-name "groups"
        set digest-method sha256
    next
end
Create the SAML user group that will be referenced in the firewall policy.
# config user group
    edit "AAD-Captive-Grp"
        set member "AAD-Captive"
        config match
            edit 1
                set server-name "AAD-Captive"
                set group-name "group-name-sent-by-idp"
            next
        end
    next
end
Note:
Replace "group-name-sent-by-idp" with the group value the IdP actually sends in the 'groups' claim (for Azure AD group claims this is normally the group object ID, not the display name), or remove the 'config match' entry entirely if every SAML-authenticated user should be allowed.
Reference the SAML group in the firewall policy.
A policy above the SAML policy must allow the DNS and Azure AD traffic needed to complete authentication, because the user is not yet authenticated when that traffic is sent. In this example port1 is the LAN interface and port2 and port3 are the WAN interfaces.
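The policy set described above, written out as FortiOS CLI. This is an added example and not configuration from the original article: the policy and address object names, the FQDNs used for the Azure AD login flow (login.microsoftonline.com and aadcdn.msftauth.net are a minimal set; the IdP may use additional endpoints), and the use of NAT are assumptions for a typical LAN-to-WAN deployment.

```text
# Address group for the Azure AD login endpoints (assumed minimal set).
config firewall address
    edit "AzureAD-login"
        set type fqdn
        set fqdn "login.microsoftonline.com"
    next
    edit "AzureAD-cdn"
        set type fqdn
        set fqdn "aadcdn.msftauth.net"
    next
end
config firewall addrgrp
    edit "AzureAD-Auth-Endpoints"
        set member "AzureAD-login" "AzureAD-cdn"
    next
end

config firewall policy
    # 1. Unauthenticated DNS so the client can resolve the IdP hostnames.
    edit 1
        set name "PreAuth-DNS"
        set srcintf "port1"
        set dstintf "port2" "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    # 2. Unauthenticated HTTPS to the IdP only, so the SAML login can complete.
    edit 2
        set name "PreAuth-AzureAD"
        set srcintf "port1"
        set dstintf "port2" "port3"
        set srcaddr "all"
        set dstaddr "AzureAD-Auth-Endpoints"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
    # 3. Everything else requires a SAML-authenticated user in AAD-Captive-Grp.
    #    Matching this policy with no auth session triggers the captive portal.
    edit 3
        set name "LAN-to-WAN-SAML"
        set srcintf "port1"
        set dstintf "port2" "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "AAD-Captive-Grp"
        set nat enable
    next
end
```

Policy order matters: FortiGate evaluates policies top-down, and policies 1 and 2 must sit above policy 3 so the redirect to the IdP is not itself blocked. Keep policy 2 restricted to the IdP endpoints rather than "all", otherwise unauthenticated users get general HTTPS access. To confirm an authenticated session exists, run 'diagnose firewall auth list'; to troubleshoot the SAML exchange, enable 'diagnose debug application samld -1' followed by 'diagnose debug enable', and disable it again when done.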
Configuration on Azure (IdP):
In the enterprise application's SAML settings, enter the FortiGate SP values: Identifier (Entity ID), Reply URL and Logout URL, matching 'entity-id', 'single-sign-on-url' and 'single-logout-url' configured above.
Add claims for the username and group; the claim names must match the 'user-name' and 'group-name' values ("username" and "groups") in the FortiGate SAML configuration.
Download the SAML signing certificate in Base64 format and import it on the FortiGate as a remote certificate; its name is used for 'idp-cert'.
Copy the IdP's Azure AD Identifier, Login URL and Logout URL into 'idp-entity-id', 'idp-single-sign-on-url' and 'idp-single-logout-url'.
Note:
The captive portal does not need to be enabled on the interface to trigger authentication. Authentication is triggered when a user's traffic matches a firewall policy whose 'groups' setting includes the SAML user group.