Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aahmadzada
Staff
Staff

Created on ‎02-13-2022 01:30 AM Edited on ‎07-15-2025 11:18 AM By Moderator

Article Id 204708

Technical Tip: SSL VPN with realms and SAML authentication

Description This article describes the steps how to configure SSL VPN with realms followed by the SAML authentication.
Scope FortiGate
Solution

An example SSL VPN configuration with realms (example port 4443 was chosen):

 

config vpn ssl setting
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set idle-timeout 0
    set auth-timeout 300
    set login-timeout 180
    set dtls-hello-timeout 60
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "any"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1

            set groups "Users"
            set portal "full-access"
            set realm "realm_1"
        next

            end

 

config user saml
    edit "SAML name_GOOGLE IDP example"

  set entity-id "https://<FortiGate IP/FQDN:4443>/remote/saml/metadata/"

  set single-sign-on-url "https: //<FortiGate IP/FQDN:4443>/remote/saml/login/"

  set single-logout-url "https: //<FortiGate IP/FQDN:4443>/remote/saml/logout/"
  set idp-entity-id "https: //accounts.google.com/o/saml2?idpid=TENANT_ID_NUMBER"
  set idp-single-sign-on-url "https: //accounts.google.com/o/saml2/idp?  idpid=TENANT_ID_NUMBER" 

  set idp-cert <This certificate will be provided from the IDP side>

  set user-name "Username"

  set group-name "Groupname"

  end

 

When accessing SSL VPN Web mode or FortiClient tunnel mode, the link will be similar to the following: 

 

https://<FortiGate IP/FQDN:4443>/the_realm_name 

 

Example of configured link for Web-Mode or FortiClient tunnel mode:

 

https://dragon-armor.grakov.lab:4443/realm_1

Example entry on the FortiClient, the 'Remote Gateway' setting:

 

https://dragon-armor.grakov.lab:4443/realm_1 

 

On 'config user saml', it is not necessary to define the realm for the SP side, and configuration as shown below can be used for both scenarios with and without the realms.

 

config user saml
   edit "Your SAML name_GOOGLE IDP example"

set entity-id "https: //<FortiGate IP/FQDN:4443>/remote/saml/metadata/"

set single-sign-on-url "https: //<FortiGate IP/FQDN:4443>/remote/saml/login"

set single-logout-url "https: //<FortiGate IP/FQDN:4443>/remote/saml/logout"
set idp-entity-id "https: //accounts.google.com/o/saml2?idpid=TENANT_ID_NUMBER"
set idp-single-sign-on-url "https: //accounts.google.com/o/saml2/idp?idpid=TENANT_ID_NUMBER"

set idp-cert <This certificate will be provided from the IDP side>

set user-name "Username"

set group-name "Groupname"

  end
9268
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.