FortiGate
ssanga
Staff
Article Id 254908
Description: This article describes how to use SAML authentication for explicit web proxy connections on FortiGate, with Microsoft Azure as the IdP.
Scope: FortiGate v7.0.x, v7.2.x, and Microsoft Azure as the SAML IdP.
Solution

In this example, SAML authentication is used on an explicit web proxy policy to authenticate end users via a captive portal. For this purpose, FortiGate is configured as the SAML Service Provider and Microsoft Azure as the SAML Identity Provider.

The IP address of the client computer is 10.7.7.8, and the IP of interface port1 on FortiGate is 10.7.7.1.

The authentication and authorization flow is as follows:

1) The client opens a browser and visits https://www.google.com.

2) The web proxy redirects the browser session to the captive portal.

3) The authentication request is redirected to the Microsoft Azure IdP's sign-in page.

4) After the user enters credentials, the IdP authenticates the user and returns a SAML assertion to the end user's browser. The assertion contains the username and the Azure groups the user belongs to.

5) The browser then submits the SAML assertion to the Service Provider (FortiGate).

6) The proxy policy on FortiGate configured with the SAML user group authenticates the user and allows the client access to the web.

To configure SAML authentication for explicit web proxy connection:

1) Enable explicit web proxy:

config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set https-incoming-port 8080
end

2) Enable explicit proxy and the proxy captive portal on the LAN-facing interface:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.7.7.1 255.255.255.0
        set allowaccess ping https ssh snmp fgfm
        set type physical
        set explicit-web-proxy enable
        set explicit-ftp-proxy enable
        set proxy-captive-portal enable
        set stp enable
        set device-identification enable
        set role lan
        set snmp-index 8
    next
end

3) Configure SAML:

config user saml
    edit "saml_user"
        set cert "Fortinet_Factory"
        set entity-id https://10.7.7.1:7831/XX/YY/ZZ/saml/metadata/
        set single-sign-on-url https://10.7.7.1:7831/XX/YY/ZZ/saml/login/
        set single-logout-url https://10.7.7.1:7831/XX/YY/ZZ/saml/logout/
        set idp-entity-id https://sts.windows.net/eb87603c-9491-42c1-a3ff-4266669d6f37/
        set idp-single-sign-on-url https://login.microsoftonline.com/eb87603c-9491-42c1-a3ff-4266269e6f37/saml2
        set idp-single-logout-url https://login.microsoftonline.com/eb87603c-9491-42c1-a3ff-4266269e6f37/saml2
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end


Note:

Ensure that the IdP includes both the username and the group information in the SAML assertion.

If no group information is received, FortiGate cannot match the user against the SAML group configured in the proxy policy. In that case the end user's browser shows the error 'The Page you requested has been blocked by a firewall policy restriction' even though authentication itself succeeded.

Configure a user group claim in the Azure portal under Enterprise Application -> Select SAML App -> SAML-based Sign-on -> Attributes & Claims -> Edit -> Add a group claim -> Security groups -> Customize the name of the group claim -> Name 'group'. The claim name must match the 'group-name' configured under 'config user saml'.

For more information, refer to:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-group-based-policies-for-Microso...

4) Configure the user group on FortiGate:

config user group
    edit "SAMLGROUP"
        set member "saml_user"
        config match
            edit 1
                set server-name "saml_user"
                set group-name "df7a737c-739b-415e-819d-d86e9e6e41cf"
            next
        end
    next
end
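As an added check (example code, not part of this article or of FortiOS), the script below parses a SAML assertion and reports whether it carries the 'username' and 'group' attributes named in step 3 and whether one group value equals the Azure group object ID configured in step 4, which is exactly the condition the note above describes. The sample assertions are constructed and unsigned; signature validation against idp-cert is FortiGate's job and is not modelled here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # SAML 2.0 assertion namespace

# Attribute names exactly as set under "config user saml" (user-name / group-name),
# and the Azure group object ID set as group-name under "config user group".
USER_ATTR = "username"
GROUP_ATTR = "group"
EXPECTED_GROUPS = {"df7a737c-739b-415e-819d-d86e9e6e41cf"}


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from every AttributeStatement in the XML."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_assertion(assertion_xml: str) -> dict:
    """Report whether the assertion carries what the SAMLGROUP match needs, and if not, why."""
    attrs = saml_attributes(assertion_xml)
    users = attrs.get(USER_ATTR, [])
    groups = attrs.get(GROUP_ATTR, [])
    matched = sorted(EXPECTED_GROUPS.intersection(groups))
    if not users:
        reason = f"no '{USER_ATTR}' attribute in assertion"
    elif not groups:
        reason = f"no '{GROUP_ATTR}' attribute in assertion: add the group claim in Azure"
    elif not matched:
        reason = "group claim present but no value equals a configured group object ID"
    else:
        reason = "ok"
    return {"user": users[0] if users else None, "matched": matched,
            "ok": reason == "ok", "reason": reason}


def _assertion(attr_xml: str) -> str:
    # Constructed, unsigned sample: a real assertion also carries Issuer, Subject,
    # Conditions and an XML signature, which FortiGate validates against idp-cert.
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>')

USER_XML = ('<saml:Attribute Name="username"><saml:AttributeValue>'
            'user1@askfortitac.onmicrosoft.com</saml:AttributeValue></saml:Attribute>')
GROUP_XML = ('<saml:Attribute Name="group"><saml:AttributeValue>'
             'df7a737c-739b-415e-819d-d86e9e6e41cf</saml:AttributeValue></saml:Attribute>')
GOOD = _assertion(USER_XML + GROUP_XML)  # group claim configured -> matches SAMLGROUP
NO_GROUP = _assertion(USER_XML)          # group claim missing -> policy block page
```

Running check_assertion on an assertion captured from the browser's SAML response (base64-decoded) tells you before touching the policy whether the Azure claim configuration is the reason for the block page.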

 

5) Configure the authentication scheme, rule, and setting:

config authentication scheme
    edit "saml"
        set method saml
        set saml-server "saml_user"
    next
end

config authentication rule
    edit "saml"
        set srcintf "port1"
        set srcaddr "all"
        set active-auth-method "saml"
    next
end

config authentication setting
    set captive-portal-type ip
    set captive-portal-ip 10.7.7.1
end

6) Configure the proxy policy. The first policy has no user group, so the not-yet-authenticated browser can reach the Azure sign-in hosts (the dstaddr entries are address objects for those hosts); the second policy requires membership of SAMLGROUP:

config firewall proxy-policy
    edit 1
        set uuid 1325f09a-e490-51ed-e3cc-19b7383b105f
        set name "explicit-proxy-policy"
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "login.microsoftonline.com" "aadcdn.msauth.net" "aadcdn.msftauth.net" "sts.windows.net"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    edit 2
        set name "Group_Authentication_Policy"
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "SAMLGROUP"
    next
end

 

Result:

When a user's browser is configured to use the FortiGate interface IP as its proxy server and connects to a website, e.g. https://www.google.com, the IdP sign-in page appears for the user to enter credentials.



After successful authentication, the user is allowed to access internet websites according to the proxy policy settings.


 

User authentication can be verified with the command below.

diagnose wad user list

ID: 11, VDOM: root, IPv4: 10.7.7.8
user name   : user1@askfortitac.onmicrosoft.com
worker      : 0
duration    : 92
auth_type   : IP
auth_method : SAML
pol_id      : 2
g_id        : 16
user_based  : 0
expire      : no
LAN:
bytes_in=91189 bytes_out=3823106
WAN:
bytes_in=3814607 bytes_out=77480

               

The same authenticated user entry can also be viewed from the GUI.