|
An example SSL VPN configuration with realms (example port 4443 was chosen):
config vpn ssl setting
set ssl-min-proto-ver tls1-1
set servercert "Fortinet_Factory"
set idle-timeout 0
set auth-timeout 300
set login-timeout 180
set dtls-hello-timeout 60
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set port 4443
set source-interface "any"
set source-address "all"
set source-address6 "all"
set default-portal "web-access"
config authentication-rule
edit 1
set groups "Users"
set portal "full-access"
set realm "realm_1"
next
end
config user saml
edit "SAML name_GOOGLE IDP example"
set entity-id "https://<FortiGate IP/FQDN:4443>/remote/saml/metadata/"
set single-sign-on-url "https: //<FortiGate IP/FQDN:4443>/remote/saml/login/"
set single-logout-url "https: //<FortiGate IP/FQDN:4443>/remote/saml/logout/"
set idp-entity-id "https: //accounts.google.com/o/saml2?idpid=TENANT_ID_NUMBER"
set idp-single-sign-on-url "https: //accounts.google.com/o/saml2/idp? idpid=TENANT_ID_NUMBER"
set idp-cert <This certificate will be provided from the IDP side>
set user-name "Username"
set group-name "Groupname"
end
When accessing SSL VPN Web mode or FortiClient tunnel mode, the link will be similar to the following:
https://<FortiGate IP/FQDN:4443>/the_realm_name
Example of configured link for Web-Mode or FortiClient tunnel mode:
https://dragon-armor.grakov.lab:4443/realm_1
Example entry on the FortiClient, the 'Remote Gateway' setting:
https://dragon-armor.grakov.lab:4443/realm_1
On 'config user saml', it is not necessary to define the realm for the SP side, and configuration as shown below can be used for both scenarios with and without the realms.
config user saml
edit "Your SAML name_GOOGLE IDP example"
set entity-id "https: //<FortiGate IP/FQDN:4443>/remote/saml/metadata/"
set single-sign-on-url "https: //<FortiGate IP/FQDN:4443>/remote/saml/login"
set single-logout-url "https: //<FortiGate IP/FQDN:4443>/remote/saml/logout"
set idp-entity-id "https: //accounts.google.com/o/saml2?idpid=TENANT_ID_NUMBER"
set idp-single-sign-on-url "https: //accounts.google.com/o/saml2/idp?idpid=TENANT_ID_NUMBER"
set idp-cert <This certificate will be provided from the IDP side>
set user-name "Username"
set group-name "Groupname"
end
Related Articles:
Technical Tip: How to fix crashing SAML daemon
Technical Tip: How to read SAML Debug output
Technical Tip: A basic explanation of SAML authentication
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...
Technical Tip: Configuring SAML SSO login for FortiGate Admin Web GUI Access with JumpCloud acting a...
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Okta acting as SAML IdP
Technical Tip: Configuring SAML on FortiGate displays the error 'Cannot change this setting in SP wh...
Technical Tip: Set up SAML admin LDAP login on FortiGate (SP) with FortiAuthenticator (IDP)
Technical Tip: Configuring FortiGate SSO Administrators with ADFS as SAML IdP
Technical Tip: Using single Azure Enterprise Application for multiple SAML Service Providers (SPs) f...
Troubleshooting Tip: Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1
Technical Tip: Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...
|
