Created on 04-25-2023 12:22 AM. Edited on 07-10-2025 01:18 PM by Jean-Philippe_P.
Description: This article describes how SAML user authentication is done with FortiGate acting as a transparent web proxy, using Microsoft Azure as the IdP.
Scope: FortiOS v7.0+, SAML, Microsoft Azure IdP.
Solution:
For SAML background, see the related article: SAML authentication in a proxy policy.
In this article, SAML authentication is used with a transparent web proxy, and the IdP is Microsoft Azure.
The port2 IP address is 11.0.0.1 and the Windows machine IP address is 11.0.0.10. The configuration for the authentication and authorization flow is as follows:
config system interface
    edit "port2"
        set vdom "root"
        set ip 11.0.0.1 255.255.255.0
        set allowaccess ping https http
        set type physical
        set netflow-sampler both
        set proxy-captive-portal enable
        set device-identification enable
        set snmp-index 2
    next
end
FGVM (saml) # show
config user saml
    edit "proxy_transparent"
        set cert "Fortinet_Factory"
        set entity-id "https://11.0.0.1:7831/XX/YY/ZZ/saml/metadata/"
        set single-sign-on-url "https://11.0.0.1:7831/XX/YY/ZZ/saml/login"
        set single-logout-url "https://11.0.0.1:7831/XX/YY/ZZ/saml/logout"
        set idp-entity-id "https://sts.windows.net/-726a919b175d/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/-726a919b175d/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/-726a919b175d/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
FGVM (group) # show
config user group
    edit "Development_group"
        set member "proxy_transparent"
        config match
            edit 1
                set server-name "proxy_transparent"
                set group-name "8cd85213-773b-46dc-afd3-5cc8edcfc180"
            next
        end
    next
end
config authentication scheme
    edit "Azure-SAML-TransparentProxy"
        set method saml
        set saml-server "proxy_transparent"
    next
end
config authentication rule
    edit "Proxy_Auth_Rule"
        set srcintf "port2"
        set srcaddr "all"
        set active-auth-method "Azure-SAML-TransparentProxy"
    next
end
config authentication setting
    set update-time 2023-04-24 12:42:10
    set captive-portal-type ip
    set captive-portal-ip 11.0.0.1
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
    next
end
FGVM (proxy-policy) # show
config firewall proxy-policy
    edit 1
        set uuid 6c4c44cc-e2b9-51ed-90c3-f5640941f5f4
        set name "proxy-policy-transparent"
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "aadcdn.msauth.net" "aadcdn.msftauth.net" "login.microsoftonline.com" "sts.windows.net"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 2
        set uuid 352e07b6-e2d5-51ed-5c4f-382056d791c7
        set name "Group_Policy"
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "Development_group"    <-
        set ssl-ssh-profile "certificate-inspection"
    next
end
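An added consistency check (example code, not from the article or from Fortinet) that parses the settings above and flags the mismatches that most often break this setup: the SP entity-id and login URL disagreeing on host:port, the two IdP URLs referencing different Azure tenants, and a group match written as the Azure group display name instead of its Object ID. The config text is constructed from the article's own values, including its placeholder entity path and truncated tenant id.

```python
import re
from urllib.parse import urlparse
# Constructed sample mirroring the article's SAML and group-match settings
# (its placeholder entity path and truncated tenant id are kept as-is).
SAMPLE = """
config user saml
  edit "proxy_transparent"
    set entity-id "https://11.0.0.1:7831/XX/YY/ZZ/saml/metadata/"
    set single-sign-on-url "https://11.0.0.1:7831/XX/YY/ZZ/saml/login"
    set idp-entity-id "https://sts.windows.net/-726a919b175d/"
    set idp-single-sign-on-url "https://login.microsoftonline.com/-726a919b175d/saml2"
    set group-name "group"
  next
end
config user group
  edit "Development_group"
    config match
      edit 1
        set group-name "8cd85213-773b-46dc-afd3-5cc8edcfc180"
      next
    end
  next
end
"""
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_settings(text):
    # Key values by "<innermost config block>/<name>" so the SAML attribute
    # name 'group-name' and the group-match 'group-name' do not collide.
    out, stack = {}, []
    for tok in (line.split() for line in text.splitlines()):
        if not tok: continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            stack.pop()
        elif tok[0] == "set":
            out[stack[-1] + "/" + tok[1]] = " ".join(tok[2:]).strip('"')
    return out

def check_saml_config(text):
    # Cross-block consistency checks; an empty list means everything lines up.
    s, findings = parse_settings(text), []
    sp = {urlparse(s["user saml/" + k]).netloc for k in ("entity-id", "single-sign-on-url")}
    tenants = {urlparse(s["user saml/" + k]).path.strip("/").split("/")[0]
               for k in ("idp-entity-id", "idp-single-sign-on-url")}
    for what, vals in (("SP host:port", sp), ("Azure tenant id", tenants)):
        if len(vals) != 1:
            findings.append("%s differs between URLs: %s" % (what, sorted(vals)))
    if not GUID.match(s.get("match/group-name", "")):
        findings.append("group match must use the Azure group Object ID (GUID), not its display name")
    return findings
```

The article's `set digest-method sha1` is not checked here; it should match the signing algorithm selected on the Azure enterprise application, and FortiOS also accepts `sha256`.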
End result: when a user browses to www.google.com from a browser configured to use the FortiGate as a proxy, the IdP sign-in page appears and the user must provide their credentials.
FGVM # diagnose wad user list
ID: 1, VDOM: root, IPv4: 11.0.0.10
  user name   : development@robertao.me
  worker      : 1
  duration    : 69
  auth_type   : IP
  auth_method : SAML
  pol_id      : 2
  g_id        : 2
  user_based  : 0
  expire      : no
  LAN:
    bytes_in=96093
    bytes_out=2162905
  WAN:
    bytes_in=2192752
    bytes_out=99175
Copyright 2025 Fortinet, Inc. All Rights Reserved.