FortiGate
JordAnge
Staff
Article Id 258476
Description

This article provides a configuration example for SSL VPN with SAML authentication, using the OneLogin platform as the IdP.

Scope

SAML user authentication (config user saml) using OneLogin as the IdP.

Solution

Topology:

VPNSSL-Client     ===== Internet ===> | FortiGate-VPNSSL

1) Configure the 'saml' profile:


config user saml
  edit "ONELOGINSSLVPN"
     set cert "<SSL-VPN settings assigned Server Certificate>"
     set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata/"
     set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
     set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
     set idp-entity-id "https://app.onelogin.com/saml/metadata/f498e216-b182-488e-9cd0-77bc35fb9225"
     set idp-single-sign-on-url "https://digicel.onelogin.com/trust/saml2/http-post/sso/f498e216-b182-488e-9cd0-77bc35fb9225"
     set idp-single-logout-url "https://digicel.onelogin.com/trust/saml2/http-redirect/slo/2187538"
     set idp-cert "REMOTE_Cert_1"  <----- Download the Cert from IdP platform and import it on FortiGate.
     set user-name "username"
     set group-name "groupname"
     set digest-method sha1
     set limit-relaystate disable
     set clock-tolerance 15
     set adfs-claim disable
  next
end


The IdP values above (IdP entity ID, single sign-on URL, single logout URL and certificate) can be reviewed on the OneLogin platform, as shown in the images below.


SAML_OneLogin-01.png

SAML_OneLogin-02.png

2) Configure the user group on FortiGate, with the SAML user from step 1 as a member.

Example:


config user group
  edit "ONELOGINGROUP"
     set group-type firewall
     set authtimeout 0
     set auth-concurrent-override disable
     set http-digest-realm ''
     set member "ONELOGINSSLVPN"  <----- Must match the name of the 'saml' profile configured in step 1.
  next
end


SAML_OneLogin-03.png

SAML_OneLogin-05.png

3) Set the authentication rule in the SSL VPN settings, using the group configured in step 2.


config vpn ssl setting
  config authentication-rule
     edit 1
       set groups "ONELOGINGROUP"
       set portal "web-access"
     next
  end
end
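Steps 1 to 3 only work when the names line up: the group member must be the SAML user from step 1, the authentication rule must reference that group, and the three SP URLs in the 'saml' profile must all point at the same FortiGate host and SSL VPN port. The Python script below is an added example, not part of this article or of FortiOS: it parses CLI blocks in the form shown above (a constructed copy with a placeholder host and port) and reports any broken cross-reference before the configuration is applied.

```python
import shlex
# Constructed sample: this article's three blocks (placeholder host and port), trimmed to the lines checked below.
SAMPLE_CONFIG = """
config user saml
  edit "ONELOGINSSLVPN"
    set entity-id "https://vpn.example.com:10443/remote/saml/metadata/"
    set single-sign-on-url "https://vpn.example.com:10443/remote/saml/login"
    set single-logout-url "https://vpn.example.com:10443/remote/saml/logout"
  next
end
config user group
  edit "ONELOGINGROUP"
    set member "ONELOGINSSLVPN"
  next
end
config vpn ssl setting
  config authentication-rule
    edit 1
      set groups "ONELOGINGROUP"
    next
  end
end
"""
def parse_fortios(text):
    """Parse config/edit/set/next/end text into {table: {entry: {key: [values]}}}."""
    tree, path, entry = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":   # open a (possibly nested) table
            path.append(" ".join(tok[1:]))
        elif tok[0] == "edit":   # open an entry inside the current table
            entry = tok[1]
        elif tok[0] == "set":    # keep every value: 'set member "a" "b"' has two
            tree.setdefault(" / ".join(path), {}).setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):  # close the entry; 'end' closes the table too
            entry = None
            if tok[0] == "end": path.pop()
    return tree

def check_saml_vpn(text):
    """Return cross-reference problems between the three blocks ([] when clean)."""
    cfg, issues = parse_fortios(text), []
    saml, groups = cfg.get("user saml", {}), cfg.get("user group", {})
    for name, s in saml.items():  # the SP URLs must point at one FortiGate host:port
        if len({s[k][0].split("/remote/")[0] for k in ("entity-id", "single-sign-on-url", "single-logout-url") if k in s}) != 1:
            issues.append(f"saml {name}: entity-id/SSO/SLO URLs differ in host:port")
    for name, g in groups.items():  # every member must be a configured SAML user
        issues += [f"group {name}: member '{m}' is not a SAML user" for m in g.get("member", []) if m not in saml]
    for rid, r in cfg.get("vpn ssl setting / authentication-rule", {}).items():
        issues += [f"authentication-rule {rid}: group '{x}' not found" for x in r.get("groups", []) if x not in groups]
    return issues
```

Run it against the output of the corresponding 'show' commands pasted into one text; an empty list means the three blocks reference each other consistently.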

 

4) Finally, test the SSL VPN connection. This example uses web mode, but the same solution applies to tunnel mode.

SAML_OneLogin-06.png

SAML_OneLogin-07.png

SAML_OneLogin-08.png

SAML_OneLogin-09.png

Additional Suggestion:

If for some reason the redirection to the SAML authentication portal fails, use the debugs below.

If the redirection to the SAML authentication portal succeeds but the authentication fails at the end,
check the log report as shown in the images below; it helps to identify the root cause of the authentication failure.

SAML_OneLogin-10.png

SAML_OneLogin-11.png
