FortiGate
CarlosColombini
Article Id 230378
Description

 

This article describes how to configure SSL VPN with SAML authentication, using Duo as the IdP and Microsoft Azure AD as the authentication source.

 

Scope

 

FortiGate 6.2.3+, FortiClient 6.4.0+, Cisco Duo, and Microsoft Azure AD.

 

Solution

 

This article covers the configuration steps for FortiGate, FortiClient, Cisco Duo, and Microsoft Azure. Some of the steps are performed concurrently on different devices and platforms.

 

 

Configuration Steps for Authentication Source and SAML Application in Duo.

Note.
If not yet configured, add an authentication source as per the Duo documentation referenced below:
https://duo.com/docs/sso#saml

1) On the Single Sign-On section, select 'Add source'.

[screenshot]

 

2) Note the two URLs highlighted in the screenshot below ('Entity ID' and 'Audience Restriction'); they will be used in the Microsoft Azure SAML application.

[screenshot]

 

3) From the Microsoft Azure SAML application created (see the Azure section below), note the 'Entity ID', 'Single Sign-On URL', and 'Single Logout URL', fill out the fields as per the screenshot below, and select 'Save'. Import the certificate downloaded from the Microsoft Azure application.

[screenshot]

 

4) On the 'Applications' section, select 'Protect an Application'.

[screenshot]

 

5) Search for 'Generic SAML Service Provider', press 'Enter', and select 'Protect'.

[screenshot]

 

6) Note the 'Entity ID', 'Single Sign-On URL', and 'Single Log-Out URL'; they will be used in the FortiGate SAML configuration. Download the certificate to be imported later into FortiGate.

[screenshot]

 

7) Fill out the service provider URLs with the FortiGate SSL VPN IP address or FQDN and port. These are the FortiGate SP endpoints and must be identical to the values configured on the FortiGate SAML server later in this article: the Entity ID https://<ip-or-fqdn>:<port>/remote/saml/metadata, the login (assertion consumer) URL https://<ip-or-fqdn>:<port>/remote/saml/login, and the logout URL https://<ip-or-fqdn>:<port>/remote/saml/logout.

[screenshot]

 

8) Configure the Attributes/Claims so that the attribute names match between Azure and Duo, and between Duo and FortiGate. Names are compared exactly, including case.

[screenshot]

 

9) Configure group, application, and global policies as desired, define a name for this application, and select 'Save'.

[screenshot]

 

 

Configuration Steps for Application in Microsoft Azure.

Note.

This configuration assumes users and groups are already created in Azure. Some steps are performed concurrently on the FortiGate.

1) Create a non-gallery application as per below and define a name for it.

[screenshot]

 

2) Once the application has been deployed, select it and assign users and groups as desired.

[screenshot]

 

Note.
Depending on the Azure AD licensing plan, groups cannot be assigned directly to the SAML application, and users have to be assigned individually.

However, group membership can still be used in SAML assertions; therefore, the multiple-group scenario can still be configured in FortiGate.

[screenshot]

 

3) Make a note of the group Object ID, which is used for group matching in FortiGate.

[screenshot]

 

4) Configure the SSO URLs of the newly created SAML application based on the Duo URLs noted earlier.

[screenshot]

 

5) Configure the Attributes/Claims for the username and group attributes.

[screenshot]

 

6) Delete the existing claims, then add a username claim and a group claim.

[screenshot]

 

Note.

Claim names are case-sensitive.

A username claim is mandatory; a group claim is optional. These claims must match the attributes configured in the 'SAML Response' section in Duo:

The username claim 'username_from_azure_to_duo' must match the 'NameID attribute' in Duo.
The claims 'username_from_azure_to_duo' and 'group_from_azure_to_duo' must match the ones set in the 'IdP Attribute' column under the 'Map attributes' section.

 

7) Username claim details.

[screenshot]

 

8) Group claim details.

[screenshot]

 

Note.
For group claims, if the claim name is not customized as shown in the screenshot above, Azure will prepend the namespace to the claim name, and that causes a mismatch with the attribute name configured in Duo.

9) Download the certificate in Base64 format to be imported later into the Duo authentication source.

[screenshot]

 

10) Note the IdP URLs that will be used in the FortiGate configuration.

[screenshot]

 

Configuration steps in FortiGate.

1) Import the IdP certificate downloaded from the Duo SAML application (step 6 of the Duo section). Import it under the 'Remote Certificate' option.

[screenshot]

Note.

The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N).

Optionally, rename the certificate in the CLI to give it a more recognizable name:

# config vpn certificate remote
    rename REMOTE_Cert_3 to DUO-SAML
end

 

2) Create a new Single Sign-On server matching Duo's IdP settings noted previously in the 'Protect an Application' section (IdP Entity ID, Single Sign-On URL, Single Log-Out URL, and certificate).

[screenshot]

Note.

Starting with FortiOS 7.0.2 it is possible to create a SAML server from the GUI; however, the SP URLs are populated automatically and need to be modified after saving so that they match the values entered in Duo.

Optionally, the new Single Sign-On server can be created from the CLI as per below. The 'user-name' and 'group-name' values must match, character for character, the attribute names set in the 'SAML Response' section in Duo:

# config user saml
    edit "duo-saml-sslvpn"
        set entity-id "https://192.168.101.61:7443/remote/saml/metadata"
        set single-sign-on-url "https://192.168.101.61:7443/remote/saml/login"
        set single-logout-url "https://192.168.101.61:7443/remote/saml/logout"
        set idp-entity-id "https://sso-fb31718a.sso.duosecurity.com/saml2/sp/DIHD8MK9248X0S26DVR4/metadata"
        set idp-single-sign-on-url "https://sso-fb31718a.sso.duosecurity.com/saml2/sp/DIHD8MK9248X0S26DVR4/sso"
        set idp-single-logout-url "https://sso-fb31718a.sso.duosecurity.com/saml2/sp/DIHD8MK9248X0S26DVR4/slo"
        set idp-cert "DUO-SAML"
        set user-name "username_from_duo_to_fortigate"
        set group-name "group_from_duo_to_fortigate"
        set digest-method sha256
    next
end

 

3) Create user groups to assign to different firewall policies and portal mappings as desired. Group matching uses the Azure AD group Object ID noted in the Azure section.

[screenshot]

 

4) Configure or adjust SSL VPN settings as needed.

[screenshot]

 

5) Configure or adjust firewall policies as needed.

[screenshot]


6) Make sure the remote authentication timeout is long enough for the user to complete the MFA challenge.

The default timeout is only 5 seconds. It can be changed from the CLI only, with the commands below, and can be set up to 300 seconds:

# config system global
    set remoteauthtimeout 60
end

 

Note.

Duo's tolerance for time offset is strict and hard-coded at 30 seconds. Make sure the FortiGate has accurate system time, preferably synchronized with a reliable NTP server such as FortiGuard.
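The caveats above (case-sensitive claim names, Azure prepending a namespace to the group claim, the 'user-name' and 'group-name' values of the FortiGate SAML server, and the 30-second time offset tolerance) can all be checked offline against an assertion captured from the FortiGate SAML debug output. The Python script below is an added example for this article, not Fortinet, Duo or Microsoft code. It parses a SAML 2.0 assertion, looks up the username and group attributes by exact name (reporting a near miss when only the case or a namespace prefix differs), maps group values to FortiGate user groups by Azure AD group Object ID, compares the Audience with the SP entity ID, and applies the NotBefore/NotOnOrAfter window with a 30-second tolerance. The FortiGate-side entity ID, attribute names and the Duo IdP entity ID are taken from the CLI block in this article; the assertion XML, the group Object IDs, the Azure issuer and the Duo-side entity ID are constructed placeholders, and the Azure namespace prefix value is illustrative.

```python
"""Check a SAML assertion against the attribute names and entity ID a relying party expects.
Added example for this article, not Fortinet, Duo or Microsoft code; see the lead-in for
which values are taken from the article and which are constructed placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("saml", SAML_NS["saml"])

# Duo -> FortiGate leg: values from the FortiGate SAML server in this article.
FORTIGATE_SAML = {"entity-id": "https://192.168.101.61:7443/remote/saml/metadata",
                  "user-name": "username_from_duo_to_fortigate",
                  "group-name": "group_from_duo_to_fortigate"}
# Azure AD -> Duo leg: claim names from the article, entity ID constructed.
DUO_SAML = {"entity-id": "https://sso.example.invalid/saml/duo-entity",
            "user-name": "username_from_azure_to_duo",
            "group-name": "group_from_azure_to_duo"}
# Azure AD group Object ID -> FortiGate user group (constructed ID).
FORTIGATE_GROUPS = {"0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b": "sslvpn-admins"}
CLOCK_TOLERANCE = timedelta(seconds=30)  # Duo's offset tolerance per the note above
NOW = datetime(2022, 12, 17, 5, 1, tzinfo=timezone.utc)  # fixed clock for the samples


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def make_assertion(issuer, audience, name_id, attributes, not_before, not_on_or_after):
    """Build a minimal, unsigned SAML 2.0 assertion (constructed test data only)."""
    ns = SAML_NS["saml"]
    a = ET.Element(f"{{{ns}}}Assertion", Version="2.0", ID="_example", IssueInstant=not_before)
    ET.SubElement(a, f"{{{ns}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(a, f"{{{ns}}}Subject"), f"{{{ns}}}NameID").text = name_id
    cond = ET.SubElement(a, f"{{{ns}}}Conditions", NotBefore=not_before, NotOnOrAfter=not_on_or_after)
    ET.SubElement(ET.SubElement(cond, f"{{{ns}}}AudienceRestriction"), f"{{{ns}}}Audience").text = audience
    stmt = ET.SubElement(a, f"{{{ns}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, f"{{{ns}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{ns}}}AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")


def check_assertion(xml_text, now, expected, groups=FORTIGATE_GROUPS):
    """Return the user and groups the relying party would derive, plus any findings."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", SAML_NS)
    findings = []
    # Attribute names are matched exactly: case and any namespace prefix count.
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS)]

    def lookup(wanted):
        if wanted in attrs:
            return attrs[wanted]
        near = [n for n in attrs if n.lower().endswith(wanted.lower())]
        hint = f"; assertion carries {near} (case or namespace mismatch)" if near else ""
        findings.append(f"attribute '{wanted}' missing{hint}")
        return []

    user_values = lookup(expected["user-name"])
    user = user_values[0] if user_values else None
    matched = sorted(groups[g] for g in lookup(expected["group-name"]) if g in groups)
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS)
    if audience != expected["entity-id"]:
        findings.append(f"audience {audience!r} does not match entity-id {expected['entity-id']!r}")
    # Validity window, allowing CLOCK_TOLERANCE of offset between the IdP and SP clocks.
    cond = assertion.find("saml:Conditions", SAML_NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + CLOCK_TOLERANCE < not_before:
        findings.append(f"assertion not yet valid (NotBefore {not_before.isoformat()}, now {now.isoformat()})")
    if now - CLOCK_TOLERANCE >= not_on_or_after:
        findings.append(f"assertion expired (NotOnOrAfter {not_on_or_after.isoformat()}, now {now.isoformat()})")
    return {"user": user, "groups": matched, "findings": findings, "ok": user is not None and not findings}


# Sample 1: correct Duo -> FortiGate assertion; the second group ID has no FortiGate user group.
GOOD_DUO_ASSERTION = make_assertion(
    issuer="https://sso-fb31718a.sso.duosecurity.com/saml2/sp/DIHD8MK9248X0S26DVR4/metadata",
    audience=FORTIGATE_SAML["entity-id"], name_id="alice@example.com",
    attributes={"username_from_duo_to_fortigate": ["alice@example.com"],
                "group_from_duo_to_fortigate": ["0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
                                                "ffffffff-0000-0000-0000-000000000000"]},
    not_before="2022-12-17T05:00:00Z", not_on_or_after="2022-12-17T05:05:00Z")

# Sample 2: Azure AD -> Duo assertion whose group claim kept a namespace prefix (constructed
# value), so the 'IdP Attribute' name configured in Duo no longer matches it.
PREFIXED_AZURE_ASSERTION = make_assertion(
    issuer="https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    audience=DUO_SAML["entity-id"], name_id="alice@example.com",
    attributes={"username_from_azure_to_duo": ["alice@example.com"],
                "http://schemas.microsoft.com/ws/2008/06/identity/claims/group_from_azure_to_duo":
                    ["0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b"]},
    not_before="2022-12-17T05:00:00Z", not_on_or_after="2022-12-17T05:05:00Z")

if __name__ == "__main__":
    print("Duo -> FortiGate:", check_assertion(GOOD_DUO_ASSERTION, NOW, FORTIGATE_SAML))
    print("Azure AD -> Duo:", check_assertion(PREFIXED_AZURE_ASSERTION, NOW, DUO_SAML))
```

Running the script prints the first assertion as accepted with the user mapped to the 'sslvpn-admins' group (the unknown Object ID is simply ignored), and the second as rejected with a finding that names the prefixed attribute it found instead of 'group_from_azure_to_duo'. To check a real assertion, pass its XML to check_assertion together with the current time and the relevant expected-name dictionary; the same function covers both legs because only the names differ.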

 

Related Articles.

Technical Tip: FortiGate SAML authentication resource list

Troubleshooting Tip: Common problems and causes when using SAML with SSL VPN

Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication