Description: This article describes how to leverage SAML authentication for explicit web proxy connections on FortiGate, using Microsoft Azure as the IdP.
Scope: FortiGate v7.0.x, v7.2.x, and Microsoft Azure as SAML IdP.
In this example, SAML authentication is used on an explicit web proxy policy to authenticate end users via a captive portal. For this purpose, configure FortiGate as the SAML Service Provider and Microsoft Azure as the SAML Identity Provider.
The IP address of the computer is 10.7.7.8 and the port1 interface IP on FortiGate is 10.7.7.1.
The authentication and authorization flow is as follows:
1) The client opens a browser and visits https://www.google.com.
2) The web proxy redirects this browser session to the captive portal.
3) The authentication request is redirected to the Microsoft Azure IdP's sign-in page.
4) After the user enters credentials, the IdP authenticates the user and sends a SAML assertion message to the end user. This message contains the username and the group information that the user belongs to on Azure.
5) The end user then submits the SAML assertion to the Service Provider.
6) The proxy policy on FortiGate, configured with the SAML user group, authenticates the user and allows the client access to the web.
To configure SAML authentication for an explicit web proxy connection:
1) Enable explicit web proxy:
config web-proxy explicit
2) Enable explicit proxy and proxy captive portal on the interface facing LAN:
config system interface
3) Configure SAML:
config user saml
Ensure that the IdP provides username and group information in the SAML assertion.
If the group information is not received, FortiGate cannot match the user with the SAML group configured in the proxy policy. In that case the error 'The Page you requested has been blocked by a firewall policy restriction' is shown in the end user's browser after successful authentication.
4) Configure the user group on FortiGate:
config user group
5) Configure the authentication scheme, rule, and setting:
config authentication scheme
config authentication rule
config authentication setting
6) Configure the proxy policy:
config firewall proxy-policy
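As an added example (not part of this article and not FortiGate's own code), the following Python script inspects a SAML response for the username and group attributes that the note in step 3 requires, so an assertion can be checked before the proxy policy is suspected. The attribute names, the SP entity ID http://10.7.7.1/saml/metadata and the group object ID are assumptions, and the sample response is constructed; signature validation is not performed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names are assumptions: they must equal the user-name and
# group-name attributes configured under 'config user saml' on the FortiGate.
USER_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def check_assertion(xml_text, sp_entity_id, now=None):
    """Return the problems that would stop FortiGate matching the user to the
    SAML user group; an empty list means the claims look usable. The XML
    signature is not checked here (FortiGate validates it against idp-cert)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no <saml:Assertion> in the response"]
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    if not attrs.get(USER_ATTR):
        problems.append("username attribute missing")
    if not attrs.get(GROUP_ATTR):
        # The case the article warns about: no group values, so the policy blocks.
        problems.append("group attribute missing: proxy-policy group match will fail")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != sp_entity_id:
        problems.append("audience does not match the FortiGate SP entity ID")
    conditions = assertion.find("saml:Conditions", NS)
    expiry = conditions.get("NotOnOrAfter") if conditions is not None else None
    if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        problems.append("assertion has expired (NotOnOrAfter)")
    return problems


def sample_response(with_groups=True):
    """Constructed, unsigned sample response (not a captured Azure message)."""
    group = (f'<saml:Attribute Name="{GROUP_ATTR}"><saml:AttributeValue>'
             '11111111-2222-3333-4444-555555555555</saml:AttributeValue></saml:Attribute>'
             if with_groups else "")
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            '<saml:Assertion><saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
            '</saml:Subject><saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">'
            '<saml:AudienceRestriction><saml:Audience>http://10.7.7.1/saml/metadata'
            '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement><saml:Attribute Name="{USER_ATTR}">'
            '<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
            f'{group}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
```

Running check_assertion on a response captured with the browser's SAML tracer (after decoding it) shows directly whether the missing-group case from step 3 applies.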
When the user's browser is configured with the FortiGate interface IP as its proxy server and connects to a website, e.g. https://www.google.com, the IdP sign-in page appears for the user to enter credentials.
User authentication can be verified with the command below.
diagnose wad user list
ID: 11, VDOM: root, IPv4: 10.7.7.8