FortiGate
aahmadzada
Staff
Article Id 204708
Description: This article describes how to configure SSL VPN with realms, with SAML used for authentication.
Scope: FortiGate
Solution

An example of the SSL VPN configuration with realms (note that the CLI needs a closing 'end' for both the authentication-rule table and the setting block):

config vpn ssl setting
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set idle-timeout 0
    set auth-timeout 300
    set login-timeout 180
    set dtls-hello-timeout 60
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "any"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "Users"
            set portal "full-access"
            set realm "realm_1"
        next
    end
end

config user saml
    edit "Your SAML name_GOOGLE IDP example"
        set entity-id "https://<FortiGate IP/FQDN:port>/remote/saml/metadata/"
        set single-sign-on-url "https://<FortiGate IP/FQDN:port>/remote/saml/login/"
        set single-logout-url "https://<FortiGate IP/FQDN:port>/remote/saml/logout/"
        set idp-entity-id "https://accounts.google.com/o/saml2?idpid=TENANT_ID_NUMBER"
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=TENANT_ID_NUMBER"
        set idp-cert "This certificate will be provided from the IDP side"
        set user-name "Username"
        set group-name "Groupname"
    next
end

When accessing SSL VPN in web mode or in FortiClient tunnel mode, the link has the form https://<FortiGate IP/FQDN:port>/your_realm_name, with the realm name as the URL path.

Example of the configured link for web mode or FortiClient tunnel mode:

https://dragon-armor.grakov.lab:4443/realm_1

In the FortiClient connection entry, the same link is entered as the Remote Gateway:

https://dragon-armor.grakov.lab:4443/realm_1

In 'config user saml', it is not necessary to define the realm on the SP side: the configuration shown below can be used both with and without realms.

config user saml
    edit "Your SAML name_GOOGLE IDP example"
        set entity-id "https://<FortiGate IP/FQDN:port>/remote/saml/metadata/"
        set single-sign-on-url "https://<FortiGate IP/FQDN:port>/remote/saml/login/"
        set single-logout-url "https://<FortiGate IP/FQDN:port>/remote/saml/logout/"
        set idp-entity-id "https://accounts.google.com/o/saml2?idpid=TENANT_ID_NUMBER"
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=TENANT_ID_NUMBER"
        set idp-cert "This certificate will be provided from the IDP side"
        set user-name "Username"
        set group-name "Groupname"
    next
end
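The following is an added example, not Fortinet's code and not part of the original article: it derives the realm-independent SP URLs and the realm login URL for a given FortiGate host and port, extracts idp-entity-id, the HTTP-Redirect SSO URL and the signing certificate from IdP metadata (a constructed sample in the shape Google Workspace publishes, with TENANT_ID_NUMBER and the certificate body as placeholders), and renders the matching 'config user saml' block with straight quotes. The function names and the assumption that 'set idp-cert' takes the name the IdP certificate gets once imported on the FortiGate are the example's own.

```python
import xml.etree.ElementTree as ET  # use defusedxml instead for metadata fetched from untrusted sources
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def sp_urls(host, port, realm):
    # FortiGate (SP) side: the three SAML endpoints never carry the realm; only the URL users
    # open does. The port must equal 'set port' in 'config vpn ssl setting' or the IdP redirects fail.
    base = f"https://{host}:{port}"
    return {"entity-id": f"{base}/remote/saml/metadata/",
            "single-sign-on-url": f"{base}/remote/saml/login/",
            "single-logout-url": f"{base}/remote/saml/logout/",
            "realm-url": f"{base}/{realm}"}

def parse_idp_metadata(xml_text):
    # Pull idp-entity-id, the HTTP-Redirect SSO URL and the signing certificate out of IdP
    # metadata; refuse metadata missing any of them, since without the cert responses cannot be verified.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not IdP metadata (no EntityDescriptor/IDPSSODescriptor)")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_REDIRECT]
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not sso or cert is None or not (cert.text or "").strip():
        raise ValueError("missing HTTP-Redirect SSO URL or signing certificate")
    return {"idp-entity-id": root.get("entityID"), "idp-single-sign-on-url": sso[0],
            "idp-cert-b64": "".join(cert.text.split())}  # strip line breaks from the base64 body

def fortios_user_saml(name, sp, idp, idp_cert_name, user_attr="Username", group_attr="Groupname"):
    # Render the CLI block with straight quotes (smart quotes copied from a web page break the CLI).
    # idp_cert_name: assumed to be the name of the IdP certificate after import on the FortiGate.
    lines = ["config user saml", f'    edit "{name}"']
    for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
        lines.append(f'        set {key} "{sp[key]}"')
    for key in ("idp-entity-id", "idp-single-sign-on-url"):
        lines.append(f'        set {key} "{idp[key]}"')
    lines += [f'        set idp-cert "{idp_cert_name}"', f'        set user-name "{user_attr}"',
              f'        set group-name "{group_attr}"', "    next", "end"]
    return "\n".join(lines)

# Constructed sample metadata (Google Workspace shape); tenant id and certificate body are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.google.com/o/saml2?idpid=TENANT_ID_NUMBER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIICplaceholderCertBody</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://accounts.google.com/o/saml2/idp?idpid=TENANT_ID_NUMBER"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Calling fortios_user_saml("SAML_GOOGLE", sp_urls("dragon-armor.grakov.lab", 4443, "realm_1"), parse_idp_metadata(SAMPLE_IDP_METADATA), "G_IDP_CERT") prints a block in the same form as the one above, with the realm login URL available as sp_urls(...)["realm-url"].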