FortiGate
CarlosColombini
Staff & Editor
Article Id 230378
Description

This article describes how to configure SSL VPN with SAML authentication, using Duo as the IdP and Microsoft Azure AD as the authentication source.

Scope

FortiGate v6.2.3+, FortiClient v6.4.0+, Cisco Duo, and Microsoft Azure AD.

Solution

This article covers the configuration steps for FortiGate, FortiClient, Cisco Duo, and Microsoft Azure. Some of the steps are performed concurrently on different devices and platforms, so values noted in one section are entered in another.

Configuration Steps for Authentication Source and SAML Application in Duo.

Note.
If not yet configured, add an authentication source as per the Duo documentation referenced below:
https://duo.com/docs/sso#saml

On the Single Sign-On section, select 'Add source':

[Screenshot: CarlosColombini_1-1671253679631.png]

The two URLs highlighted in the screenshot below ('Entity ID' and 'Audience Restriction') will be used in the Microsoft Azure SAML application.

[Screenshot: CarlosColombini_2-1671253705186.png]

From the Microsoft Azure SAML application created later in this article, note the 'Entity ID', 'Single Sign-On URL', and 'Single Logout URL' values, fill out the fields as per the screenshot below, and select 'Save'. Import the certificate downloaded from the Microsoft Azure application.

[Screenshot: CarlosColombini_3-1671253906093.png]

On the 'Applications' section, select 'Protect an Application'.

[Screenshot: CarlosColombini_8-1671259759437.png]

Search for 'Generic SAML Service Provider', press 'Enter', and select 'Protect'.

[Screenshot: CarlosColombini_4-1671254182890.png]

Note the 'Entity ID', 'Single Sign-On URL', and 'Single Log-Out URL' values; they will be used in the FortiGate SAML configuration. Download the certificate to be imported later into FortiGate.

[Screenshot: CarlosColombini_9-1671254864978.png]

Fill out the URLs below with the FortiGate SSL VPN IP/FQDN and port.

[Screenshot: CarlosColombini_8-1671254756386.png]

Configure the Attributes/Claims to match attributes between Azure and Duo, and between Duo and FortiGate.

[Screenshot: CarlosColombini_10-1671255341747.png]

Configure group, application, and global policies as desired, define a name for this application, and select 'Save'.

[Screenshot: CarlosColombini_11-1671255431677.png]

Configuration Steps for Application in Microsoft Azure.

Note.
This configuration assumes users and groups are already created in Azure. Some steps are performed concurrently on the FortiGate.

Create a non-gallery application as per below and define a name for it.

[Screenshot: CarlosColombini_0-1671255673911.png]

Once the application has been deployed, select it and assign users and groups as desired.

[Screenshot: CarlosColombini_1-1671256023364.png]

Note.
Depending on the Azure AD plan, groups cannot be assigned directly to the SAML application, and users will have to be assigned individually. However, group membership can still be used in SAML assertions; therefore, the multiple-group scenario can still be configured in FortiGate.

[Screenshot: CarlosColombini_2-1671256103383.png]

Make a note of the group Object ID, which can be used for group matching in FortiGate.

[Screenshot: CarlosColombini_3-1671256195141.png]

Configure the SSO URLs for the newly created SAML application based on the Duo URLs.

[Screenshot: CarlosColombini_4-1671256495214.png]

Configure the Attributes/Claims for the username and group attributes.

[Screenshot: CarlosColombini_5-1671256584928.png]

Delete the existing claims, then add a username claim and a group claim.

[Screenshot: CarlosColombini_7-1671256757801.png]

Note.
Claim names are case-sensitive.

A username claim is mandatory, but a group claim is optional. These claims must match the attributes configured in the 'SAML Response' section in Duo.

The username claim 'username_from_azure_to_duo' must match the 'NameID attribute' in Duo. The claims 'username_from_azure_to_duo' and 'group_from_azure_to_duo' must match the ones set in the 'IdP Attribute' column under the 'Map attributes' section.

Username claim details.

[Screenshot: CarlosColombini_8-1671257282506.png]

Group claim details.

[Screenshot: CarlosColombini_9-1671257553855.png]

Note.
For group claims, if the claim name is not customized as shown in the screenshot above, Azure will prepend the namespace to the claim name, which may cause a mismatch with the attribute configured in Duo.
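The attribute-name matching described in the notes above is exact: a claim whose name differs in case, or that carries a prepended namespace, is simply not found by the service provider, and the user either fails authentication (username attribute) or lands in no group (group attribute). The following Python example is added here to illustrate that behaviour; it is not part of the original article and is not Fortinet, Duo or Microsoft code. It parses a constructed SAML assertion with the standard library and mimics the FortiGate-side lookup using the 'user-name' and 'group-name' attribute names from this article. The NameID, the group Object IDs, the FortiGate group names and the Duo URL are placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Duo response). The attribute names are
# the ones the article configures on the Duo -> FortiGate leg; the NameID and the
# group values are placeholders standing in for Azure AD group Object IDs.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_placeholder" Version="2.0" IssueInstant="2022-12-17T10:00:00Z">
  <saml:Issuer>https://sso-PLACEHOLDER.sso.duosecurity.com/saml2/sp/PLACEHOLDER/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username_from_duo_to_fortigate">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group_from_duo_to_fortigate">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical SP-side configuration: the 'set user-name' / 'set group-name' values
# of the SAML server, and user groups keyed by the remote group ID each one matches.
SP_USER_ATTR = "username_from_duo_to_fortigate"
SP_GROUP_ATTR = "group_from_duo_to_fortigate"
FORTIGATE_GROUPS = {
    "sslvpn-admins": "00000000-0000-0000-0000-000000000001",
    "sslvpn-finance": "00000000-0000-0000-0000-000000000003",
}


def parse_assertion(assertion_xml):
    """Return (NameID, {attribute name: [values]}) from a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def resolve_user(attrs, user_attr=SP_USER_ATTR, group_attr=SP_GROUP_ATTR,
                 groups=FORTIGATE_GROUPS):
    """Mimic the SP-side lookup. Attribute names are compared exactly (case and
    namespace included), so a claim the IdP renamed or namespaced is simply absent.
    Returns (username, sorted list of matched group names)."""
    if user_attr not in attrs:
        raise ValueError(
            f"user attribute {user_attr!r} missing from assertion; present: {sorted(attrs)}")
    username = attrs[user_attr][0]
    received = set(attrs.get(group_attr, []))   # absent group attribute -> no groups
    matched = sorted(name for name, gid in groups.items() if gid in received)
    return username, matched


if __name__ == "__main__":
    name_id, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("NameID:", name_id)
    print("Resolved:", resolve_user(attrs))
    # Same assertion, but the SP expects a differently cased group attribute name:
    print("Wrong group attribute name:",
          resolve_user(attrs, group_attr="Group_from_duo_to_fortigate"))
```

Running it shows the two failure modes side by side: with matching names the user resolves to 'sslvpn-admins' (the group whose Object ID appears in the assertion), while a group attribute name that differs only in case yields an empty group list, which is what a firewall policy keyed on that group then denies.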

Download the certificate in Base64 format to be imported later into the Duo authentication source.

[Screenshot: CarlosColombini_10-1671257723807.png]

Note the IdP URLs that will be used in the FortiGate configuration.

[Screenshot: CarlosColombini_11-1671258228588.png]

Configuration steps in FortiGate.

Import the IdP certificate downloaded from the Duo SAML application. Import it under the 'Remote Certificate' option.

[Screenshot: CarlosColombini_0-1671258443127.png]


Note.
The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N).

Optionally, rename the certificate in the CLI to give it a more recognizable name:

config vpn certificate remote
    rename REMOTE_Cert_3 to DUO-SAML
end

Create a new Single Sign-On server matching Duo's IdP settings configured previously in the 'Protect an Application' section.

[Screenshot: CarlosColombini_1-1671258595208.png]


Note.
Starting with v7.0.2 it is possible to create a SAML server from the GUI; however, the SP URLs will populate automatically and will need to be modified after saving.

Optionally, the new Single Sign-On server can be created from the CLI as per below:

config user saml
    edit "duo-saml-sslvpn"
        set entity-id "https://192.168.101.61:7443/remote/saml/metadata"
        set single-sign-on-url "https://192.168.101.61:7443/remote/saml/login"
        set single-logout-url "https://192.168.101.61:7443/remote/saml/logout"
        set idp-entity-id "https://sso-fb31718a.sso.duosecurity.com/saml2/sp/DIHD8MK9248X0S26DVR4/metadata"
        set idp-single-sign-on-url "https://sso-fb31718a.sso.duosecurity.com/saml2/sp/DIHD8MK9248X0S26DVR4/sso"
        set idp-single-logout-url "https://sso-fb31718a.sso.duosecurity.com/saml2/sp/DIHD8MK9248X0S26DVR4/slo"
        set idp-cert "DUO-SAML"
        set user-name "username_from_duo_to_fortigate"
        set group-name "group_from_duo_to_fortigate"
        set digest-method sha2
    next
end

Create user groups to assign to different firewall policies and portal mappings as desired.

[Screenshot: CarlosColombini_2-1671259137791.png]

Configure or adjust SSL VPN Settings as needed.

[Screenshot: CarlosColombini_7-1671259656142.png]

Configure or adjust firewall policies as needed.

[Screenshot: CarlosColombini_6-1671259562583.png]


Make sure the remote authentication timeout allows enough time for the user to complete the MFA challenge. The default value is only 5 seconds and can be changed only from the CLI, with the commands below. The value can be set to up to 300 seconds.

config system global
    set remoteauthtimeout 60
end

To debug, run the following commands in the FortiGate command line interface (CLI), either on the console or while connected to the FortiGate via SSH:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application sslvpnd -1
diagnose debug enable

To stop debugging:

diagnose debug disable
diagnose debug reset

Note:
The time offset tolerance in Duo is very strict and hard-coded to only 30 seconds. Make sure the FortiGate has accurate system time, preferably synchronized with a reliable NTP server, such as FortiGuard.
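To make the effect of that tolerance concrete, here is an added Python example (not from the original article, and not Duo's or Fortinet's implementation) that applies a 30-second skew tolerance on both sides of the exchange: the IdP-side check of the SP's AuthnRequest 'IssueInstant' against the IdP clock, and the SP-side check of the assertion's 'NotBefore' / 'NotOnOrAfter' window. A FortiGate whose clock drifts by more than the tolerance fails the first check even though the request was just sent. The timestamps, IDs and URLs are constructed placeholders, and the exact checks Duo performs are an assumption, not something this page documents.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Tolerance the article attributes to Duo (30 seconds, hard-coded there).
SKEW_TOLERANCE = timedelta(seconds=30)

# Constructed AuthnRequest as the SP (FortiGate) would send it; only the timing
# field matters here, the ID and Destination are placeholders.
SAMPLE_AUTHN_REQUEST = """\
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_placeholder" Version="2.0" IssueInstant="2022-12-17T10:00:00Z"
    Destination="https://sso-PLACEHOLDER.sso.duosecurity.com/saml2/sp/PLACEHOLDER/sso"/>
"""

# Constructed assertion fragment carrying the validity window the SP checks.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2022-12-17T10:00:00Z">
  <saml:Conditions NotBefore="2022-12-17T09:59:30Z" NotOnOrAfter="2022-12-17T10:05:00Z"/>
</saml:Assertion>
"""


def parse_saml_time(value):
    """SAML timestamps are UTC in ISO 8601 form with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Reference instant of the constructed messages, and a helper that simulates a
# verifier whose clock is `seconds` ahead (positive) or behind (negative) it.
T0 = parse_saml_time("2022-12-17T10:00:00Z")


def shifted(seconds):
    return T0 + timedelta(seconds=seconds)


def check_request_freshness(request_xml, now, tolerance=SKEW_TOLERANCE):
    """IdP-side view: accept the request only if its IssueInstant lies within
    `tolerance` of the IdP's own clock. Returns (ok, observed offset in seconds)."""
    issue = parse_saml_time(ET.fromstring(request_xml).get("IssueInstant"))
    offset = now - issue
    return abs(offset) <= tolerance, int(offset.total_seconds())


def check_assertion_window(assertion_xml, now, tolerance=SKEW_TOLERANCE):
    """SP-side view: enforce NotBefore / NotOnOrAfter with the same tolerance.
    Returns (ok, reason)."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + tolerance < not_before:
        return False, "not yet valid: local clock is behind the IdP"
    if now - tolerance >= not_on_or_after:
        return False, "expired: local clock is ahead of the IdP"
    return True, "within validity window"


if __name__ == "__main__":
    for drift in (5, 90, -45):
        print(f"SP clock drift {drift:+d}s ->", check_request_freshness(SAMPLE_AUTHN_REQUEST, shifted(drift)))
    for drift in (5, -120, 360):
        print(f"SP clock drift {drift:+d}s ->", check_assertion_window(SAMPLE_ASSERTION, shifted(drift)))
```

With a 90-second drift the request is rejected before any credential is checked, which is why a SAML login that fails immediately with no user-visible error is worth correlating with the FortiGate's NTP status before anything else.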


In v7.6.3, SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN', as explained in Technical Tip: Upcoming changes on SSL VPN modes starting from v7.6.3.

Related articles:

Technical Tip: FortiGate SAML authentication resource list

Troubleshooting Tip: Common problems and causes when using SAML with SSL VPN

Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication