sfernando
Staff
Article Id 259118
Description This article describes how to set up captive portal authentication for LAN users in an organization using SAML and Azure IDP.
Scope FortiGate 7.2.4 and MS Azure are used for this setup.
Solution

Assumptions: 

Groups already exist in Azure Active Directory. If not, create the Azure AD users and groups first.

In this example, an AD has been created with a limited number of groups. As a free Azure version is used, there are certain limitations.

 

LAN details on the FortiGate:

 

FortiGate LAN interface IP: 192.168.2.99/255.255.255.0

FortiGate user range: 192.168.2.2-192.168.2.50

User: supem@supem2021gmail.onmicrosoft.com

User Group Name: 'Suprem'.

Object ID of the group: e129306b-5180-4823-9093-9c99340670da

SAML Service provider: 'Fortigate'.

SAML IDP: 'Ms Azure'.

 

Configuration on Ms Azure:

1. Create a Non-gallery application.

Go to Ms Azure -> Enterprise application -> New Application -> Create the application -> Select 'Integrate any other application not found in the gallery (Non-gallery)' -> Create.

 


 

2. Assign users and groups to the application.

 

As the free version is used, the error 'Groups are not available for assignment due to the Active Directory plan level. It is possible to assign individual users to the application' appears. With a paid plan at the required level, groups can be assigned. Accordingly, only individual users are assigned in this example.

 


 

3. The Object ID of the user group is found under Azure Active Directory -> Groups.

 


 

4. Configure the SAML application. Make sure port 1003 is used in the SP URLs, which must match the FortiGate entity-id, single-sign-on-url and single-logout-url configured in step 10, and fill in the other required fields.

 
 


 

5. User claims:



 

 

6. Group claims:

 


 

7. Download the Base 64 certificate to be imported into the FortiGate remote certificate store:

 


 

8. Copy the URLs shown in the Azure SAML settings (Login URL, Azure AD Identifier, Logout URL) for use in the FortiGate configuration in step 10:

 


 

Configuration on the FortiGate:

 

9. Upload the Base 64 certificate downloaded in step 7 to the remote certificate store (System -> Certificates):

 


 

The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N). 

If needed, it is possible to rename the certificate in the CLI to give it a more recognizable name:


config vpn certificate remote
    rename REMOTE_Cert_3 to AZURE-SAML-Wireless
end

 

10. Create the Single Sign-On server settings so that they match the IDP settings configured in Azure in the previous steps.

 


 

In CLI, it will display as below:

 

config user saml
    edit "AZURE-LAN -SAML"
        set cert "Fortinet_Factory"
        set entity-id "http://192.168.2.99:1003/saml/metadata"
        set single-sign-on-url "https://192.168.2.99:1003/saml/login"
        set single-logout-url "https://192.168.2.99:1003/saml/logout"
        set idp-entity-id "https://sts.windows.net/96c66f49-8f18-4826-993d-db250a722990/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/96c66f49-8f18-4826-993d-db250a722990/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/96c66f49-8f18-4826-993d-db250a722990/saml2"
        set idp-cert "AZURE-LAN-SAML"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

 

11. Create the user group on the FortiGate:

 


 

CLI config:

 

config user group
    edit "AZURE-SAML-LAN-supem"
        set member "AZURE-LAN -SAML"
        config match
            edit 1
                set server-name "AZURE-LAN -SAML"
                set group-name "123c83ca-882c-439d-aa48-84f5c3edc05c"
            next
        end
    next
end
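As an added example (not from the article or from Fortinet), the Python script below parses the FortiOS CLI blocks from steps 9 to 11 and cross-checks them: the idp-cert must exist in the remote certificate store, the three SP URLs must point at the same portal host:port, the SSO and logout URLs must use https, and each group match rule must name a member SAML server and carry an Azure group object ID. The sample configuration is constructed from the article's own CLI output; the remote certificate name "AZURE-LAN-SAML" is an assumption chosen to match the step 10 idp-cert reference.

```python
"""Cross-check the FortiOS SAML captive-portal objects: IdP certificate, SP URLs, group match rules."""
import re
import shlex
from urllib.parse import urlparse

# Constructed sample assembled from the article's CLI output (steps 9-11); the remote
# certificate name "AZURE-LAN-SAML" is assumed so that it matches the step 10 idp-cert.
SAMPLE_CONFIG = """
config vpn certificate remote
    edit "AZURE-LAN-SAML"
    next
end
config user saml
    edit "AZURE-LAN -SAML"
        set entity-id "http://192.168.2.99:1003/saml/metadata"
        set single-sign-on-url "https://192.168.2.99:1003/saml/login"
        set single-logout-url "https://192.168.2.99:1003/saml/logout"
        set idp-entity-id "https://sts.windows.net/96c66f49-8f18-4826-993d-db250a722990/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/96c66f49-8f18-4826-993d-db250a722990/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/96c66f49-8f18-4826-993d-db250a722990/saml2"
        set idp-cert "AZURE-LAN-SAML"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "AZURE-SAML-LAN-supem"
        set member "AZURE-LAN -SAML"
        config match
            edit 1
                set server-name "AZURE-LAN -SAML"
                set group-name "123c83ca-882c-439d-aa48-84f5c3edc05c"
            next
        end
    next
end
"""
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

def _node():
    return {"settings": {}, "entries": {}, "blocks": {}}  # 'set' lines, 'edit' objects, nested 'config' tables

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end text into a nested dict tree."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the double-quoted values
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack[-1]["blocks"][" ".join(args)] = block = _node()
            stack.append(block)
        elif keyword == "edit":
            stack[-1]["entries"][args[0]] = entry = _node()
            stack.append(entry)
        elif keyword == "set":
            stack[-1]["settings"][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root

def _first(settings, key):
    values = settings.get(key)
    return values[0] if values else None

def check_saml_setup(text):
    """Return a list of findings; an empty list means the objects reference each other cleanly."""
    cfg = parse_fortios(text)
    certs = cfg["blocks"].get("vpn certificate remote", _node())["entries"]
    servers = cfg["blocks"].get("user saml", _node())["entries"]
    groups = cfg["blocks"].get("user group", _node())["entries"]
    findings = []
    for name, sp in servers.items():
        s = sp["settings"]
        if _first(s, "idp-cert") not in certs:
            findings.append(f"user saml '{name}': idp-cert {_first(s, 'idp-cert')!r} is not in the remote certificate store")
        # Azure's Identifier, Reply URL and Logout URL are copied from these three values, so all
        # three must point at the same captive-portal host:port (192.168.2.99:1003 in the article).
        urls = {k: urlparse(_first(s, k) or "") for k in ("entity-id", "single-sign-on-url", "single-logout-url")}
        if len({u.netloc for u in urls.values()}) != 1:
            findings.append(f"user saml '{name}': SP URLs do not share one host:port")
        for key in ("single-sign-on-url", "single-logout-url"):
            if urls[key].scheme != "https":
                findings.append(f"user saml '{name}': {key} should use https")
    for gname, grp in groups.items():
        members = grp["settings"].get("member", [])
        for rule_id, rule in grp["blocks"].get("match", _node())["entries"].items():
            server = _first(rule["settings"], "server-name")
            if server not in members or server not in servers:
                findings.append(f"user group '{gname}' match {rule_id}: server-name '{server}' is not a member SAML server")
            gid = _first(rule["settings"], "group-name") or ""
            if not GUID_RE.fullmatch(gid):  # Azure sends the group object ID (a GUID) by default
                findings.append(f"user group '{gname}' match {rule_id}: group-name '{gid}' is not a group object ID")
    return findings

if __name__ == "__main__":
    for finding in check_saml_setup(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Running the script against a `show user saml`, `show user group` and `show vpn certificate remote` dump from the unit catches the two mistakes most often seen with this setup: a certificate that was renamed after the SAML server referenced it, and an SP URL that lost its port when it was pasted into Azure.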

 

12. Configure the LAN interface:

 


 

CLI:

 

config system interface
    edit "internal1"
        set vdom "root"
        set ip 192.168.2.99 255.255.255.0
        set allowaccess ping https ssh http fgfm fabric
        set type physical
        set alias "LAN"
        set security-mode captive-portal
        set security-exempt-list "internal1-exempt-list"
        set security-groups "AZURE-SAML-LAN-supem"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 9
    next
end

 

13. Create the firewall policies:

 

Firewall policy for Azure access (captive-portal exempt, so that users who are not yet authenticated can reach the Azure login page):

 


 

config firewall policy
    edit 14
        set name "Azure LAN Captive portal"
        set uuid 3149b244-e78f-51ed-51f1-b70b4790cca1
        set srcintf "internal1"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Microsoft-Azure" "Microsoft-DNS" "Microsoft-Dynamics" "Microsoft-FTP" "Microsoft-ICMP" "Microsoft-Inbound_Email" "Microsoft-Intune" "Microsoft-LDAP" "Microsoft-Microsoft.Update" "Microsoft-NetBIOS.Name.Service" "Microsoft-NetBIOS.Session.Service" "Microsoft-NTP" "Microsoft-Office365" "Microsoft-Office365.Published" "Microsoft-Office365.Published.Optimize" "Microsoft-Office365.Published.USGOV"
        set schedule "always"
        set logtraffic all
        set nat enable
        set comments " (Copy of Testforti captive)"
        set captive-portal-exempt enable
    next
end

 

Firewall policy for the authenticated group:

 


 

config firewall policy
    edit 15
        set name "Azure LAN-Supem"
        set uuid 71d9f45e-e78f-51ed-dccc-fcf7c7d6b785
        set srcintf "internal1"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "g-default"
        set dnsfilter-profile "default"
        set emailfilter-profile "default"
        set file-filter-profile "g-default"
        set ips-sensor "g-default"
        set application-list "g-default"
        set logtraffic all
        set nat enable
        set groups "AZURE-SAML-LAN-supem"
        set comments " (Copy of Test Forti)"
    next
end

 

14. Once everything is configured, connect a client to the LAN and sign in with the username and then the password. Use the user's full e-mail address, as shown under the user details of the relevant Azure group, as the user name.

If MFA is configured in Azure, complete the prompt with the token from MS Authenticator.

 


 

15. If the firewall portal's certificate is not trusted by the user, the user will receive a certificate warning.
Use a custom certificate that the user trusts to avoid the certificate warning.

 


 

16. Configure a custom certificate:

  • Go to User & Authentication -> Authentication Settings.
  • For Certificate, select the custom certificate. The custom certificate’s SAN field should have the FQDN or IP from the SP URL.

Note:

Alternatively, assigning a CA certificate allows FortiGate to automatically generate and sign a certificate for the portal page.

This will override any assigned server certificate. In this example, the built-in Fortinet_CA_SSL is used.

To assign a CA certificate:

config user setting
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
    set auth-timeout 2
    set auth-ssl-min-proto-version TLSv1-2
end


Go to System -> Certificates and download the certificate.
Install the certificate into the client’s certificate store.

 

17. Verification of authentication:

 

Forti (root) # di firewall auth filter method fw

Forti (root) # di firewall auth list

192.168.2.10, supem@supem2021gmail.onmicrosoft.com
src_mac: d8:9e:f3:1c:56:5f
type: fw, id: 0, duration: 2756, idled: 1
expire: 10798, allow-idle: 10800
server: AZURE-LAN -SAML
packets: in 57511 out 35855, bytes: in 51624556 out 7377411
group_id: 7
group_name: AZURE-SAML-LAN-supem

----- 1 listed, 0 filtered ------
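Added example, not part of the article: a small Python parser for the 'diagnose firewall auth list' output above, so the verification can be scripted, for instance to flag authenticated sessions that did not come through the expected SAML server or did not land in the expected group. The first record in the sample is copied from the output above; the second record (192.168.2.23, user "tester", server "LOCAL-TEST") and its counters are constructed to exercise the check.

```python
"""Parse 'diagnose firewall auth list' output and flag sessions outside the expected SAML server/group."""
import re

# Constructed sample: the first record is copied from the article's step 17 output; the
# second record (192.168.2.23, server "LOCAL-TEST") is made up to exercise the check.
SAMPLE_OUTPUT = """\
192.168.2.10, supem@supem2021gmail.onmicrosoft.com
src_mac: d8:9e:f3:1c:56:5f
type: fw, id: 0, duration: 2756, idled: 1
expire: 10798, allow-idle: 10800
server: AZURE-LAN -SAML
packets: in 57511 out 35855, bytes: in 51624556 out 7377411
group_id: 7
group_name: AZURE-SAML-LAN-supem

192.168.2.23, tester
src_mac: 00:11:22:33:44:55
type: fw, id: 0, duration: 12, idled: 0
expire: 10788, allow-idle: 10800
server: LOCAL-TEST
packets: in 10 out 4, bytes: in 1200 out 300

----- 2 listed, 0 filtered ------
"""

HEADER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}), (\S+)$")     # "<ip>, <user>" starts a record
FOOTER_RE = re.compile(r"^-+ (\d+) listed, (\d+) filtered -+$")    # trailing summary line
COUNTER_RE = re.compile(r"^in (\d+) out (\d+)$")                   # packets/bytes counters
INT_FIELDS = {"id", "duration", "idled", "expire", "allow-idle", "group_id"}

def parse_auth_list(text):
    """Return (records, listed_count); each record is a dict keyed by the field names in the output."""
    records, listed, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        footer = FOOTER_RE.match(line)
        if footer:
            listed = int(footer.group(1))
            break
        header = HEADER_RE.match(line)
        if header:
            current = {"ip": header.group(1), "user": header.group(2)}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first record, e.g. the echoed command
        # Detail lines hold one or more "key: value" pairs separated by ", "
        for field in line.split(", "):
            key, _, value = field.partition(": ")
            counter = COUNTER_RE.match(value)
            if counter:
                value = {"in": int(counter.group(1)), "out": int(counter.group(2))}
            elif key in INT_FIELDS:
                value = int(value)
            current[key] = value
    if listed is not None and listed != len(records):
        raise ValueError(f"footer says {listed} entries but {len(records)} were parsed")
    return records, listed

def unexpected_sessions(records, expected_server, expected_groups):
    """Sessions that were not authenticated by the SAML server, or that landed in another group."""
    return [r for r in records
            if r.get("server") != expected_server or r.get("group_name") not in expected_groups]

if __name__ == "__main__":
    recs, count = parse_auth_list(SAMPLE_OUTPUT)
    print(f"{count} authenticated sessions")
    for r in unexpected_sessions(recs, "AZURE-LAN -SAML", {"AZURE-SAML-LAN-supem"}):
        print("unexpected:", r["ip"], r["user"], r.get("server"), r.get("group_name"))
```

Feeding the real output of `diagnose firewall auth list` (collected over SSH) into `parse_auth_list` gives structured records; `expire` and `allow-idle` can then be compared against the configured auth-timeout, and a session whose `server` is not the SAML server is a sign that another authentication method is still active on the interface.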

 

The successful SAML authentication is also recorded in the FortiGate System Event logs.