FortiGate
agrakov
Staff
Article Id 222186
Description: This article describes how to troubleshoot FortiGate admin access configuration with Google SAML authentication.
Scope: FortiGate.
Solution:

FortiGate will act as the Service Provider (SP) and Google will act as the Identity Provider (IdP).

SP: the party providing the service.

IdP: the party performing the authentication.

 

FortiGate admin access SSO is part of the security fabric, where the FortiGate can act as SP or IdP for SAML authentication.

 

In this scenario, the goal is FortiGate admin access (SP) with Google performing the authentication (IdP).

FortiGate admin access will be configured as SP because FortiGate resources are being accessed.

 

This configuration can be done from GUI or CLI.

 

Keep in mind that there are two spots for SAML configuration:

config system saml <----- used as part of the Security Fabric for admin access.

config user saml <----- mainly used for SSL-VPN access.

 

 

Template:

config system saml
    set status enable
    set role service-provider
    set default-login-page normal
    set default-profile "admin_no_access"
    set idp-entity-id "https://accounts.google.com/o/saml2?idpid=TENANT_ID"
    set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=TENANT_ID"
    set idp-single-logout-url "https://accounts.google.com/logout"
    set idp-cert "IDP cert from Google"
    set server-address "Your_FGT_AdminAccess_IP_or_FQDN:port"
end

 

Let's go through the config system saml CLI settings:

  1. Enable it.

 set status enable

  2. For the role, use service-provider, as FortiGate provides access to the resources.

 set role service-provider

  3. For the default profile, only use the 'admin_no_access' profile. Any other profile is granted to every Google SAML user on first login, and giving all of them 'super_admin' permissions is a bad idea.

 set default-profile "admin_no_access"

  4. For the default login page, use normal, as it allows choosing between regular login and SSO login.

 set default-login-page normal

For example, on the default login page, select 'Sign in with Security Fabrics' at the top to use SAML authentication, or enter the 'Username' and 'Password' below for regular authentication.


 

  5. The IdP entity ID, SSO URL, single logout URL and IdP certificate are required.

set idp-entity-id "https://accounts.google.com/o/saml2?idpid=MY_TENANT_ID"
set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=MY_TENANT_ID"
set idp-single-logout-url "https://accounts.google.com/logout"
set idp-cert "<IDP cert from Google>"

 

  6. Server address: this field holds the FortiGate admin access IP/FQDN and, if the admin port is different from 443, the port number.

For example, if the default port 443 is used, the server address will be:

dragon-armor.grakov.lab

If a custom port like 4443 is used, the server address will be:

dragon-armor.grakov.lab:4443


Here are examples of configured templates.

Template for default port 443:

config system saml
    set status enable
    set default-profile "admin_no_access"
    set idp-entity-id "https://accounts.google.com/o/saml2?idpid=MY_TENANT_ID"
    set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=MY_TENANT_ID"
    set idp-single-logout-url "https://accounts.google.com/logout"
    set idp-cert "GOOGLE-IDP"
    set server-address "dragon-armor.grakov.lab"
end

Template for the custom admin port 4443:

config system saml
    set status enable
    set default-profile "admin_no_access"
    set idp-entity-id "https://accounts.google.com/o/saml2?idpid=MY_TENANT_ID"
    set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=MY_TENANT_ID"
    set idp-single-logout-url "https://accounts.google.com/logout"
    set idp-cert "GOOGLE-IDP"
    set server-address "dragon-armor.grakov.lab:4443"
end

 

If SSL VPN has been configured, the SSO URL, Single logout URL, Entity ID, and certificate of the Google IdP remain the same and will be used for the admin access configuration.

 

On the Google IdP side, it will be necessary to add another entry for the FortiGate admin access and test it out.

If SSL-VPN has not been configured, the IdP details can be viewed on admin.google.com and entered into the IdP fields of the template.

Go to Security -> Authentication -> SSO with SAML applications; copy/paste the SSO URL and Entity ID into the template and download the Certificate.

 

  7. Import the certificate from the Google IdP into the FortiGate. Go to System -> Certificates -> Import -> Remote Certificate.

In the 'Upload' section, choose the certificate downloaded from the Google IdP and select 'OK'.

 

To rename the certificate, open the CLI console:

config certificate remote
    rename REMOTE_Cert_2 to GOOGLE-IDP
end

  8. Configure from CLI.

Copy and paste the preconfigured template into the FortiGate firewall via CLI (SSH).

Some of the Google IdP links contain a special character, the question mark ('?'), so it is not possible to just copy/paste the SAML configuration: the FortiGate CLI interprets '?' as a request for auto-complete, the character is dropped and the link breaks. There are two ways around this:

  • Via SSH (the GUI CLI console does not support this trick; use SSH).
    If the link contains '?', press 'Ctrl + V' before typing '?' so that the CLI accepts it literally.

Here is an example:

set idp-entity-id "https://accounts.google.com/o/saml2?idpid=MY_TENANT_ID"

Copy/paste:

set idp-entity-id "https://accounts.google.com/o/saml2  <CTRL+V and type '?'> then copy/paste idpid=MY_TENANT_ID"

  • Correct the missing characters from the GUI (SAML can be configured in the GUI starting from FortiOS 7.0+), or simply configure it from the GUI.
    Go to Security Fabric -> Edit Core Network Security -> Single Sign-On Settings and fix the strings that are missing characters.
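As an added check that is not part of the original article or of FortiOS, the following Python parses a config system saml block as pasted back from the CLI and flags the mistakes this step and the server-address step warn about: a '?idpid=' query lost to auto-complete, a default profile other than admin_no_access, and a server-address missing the custom admin port. The sample block is constructed, and the function and constant names are the example's own.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: a 'config system saml' block as it could come back from
# 'show system saml' after the '?' in idp-entity-id was eaten by CLI auto-complete.
SAMPLE_BROKEN = """config system saml
    set status enable
    set role service-provider
    set default-profile "super_admin"
    set idp-entity-id "https://accounts.google.com/o/saml2idpid=MY_TENANT_ID"
    set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=MY_TENANT_ID"
    set idp-single-logout-url "https://accounts.google.com/logout"
    set idp-cert "GOOGLE-IDP"
    set server-address "dragon-armor.grakov.lab"
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')

def parse_system_saml(text):
    """Return {key: value} for every 'set' line, with surrounding quotes stripped."""
    settings = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def check_system_saml(text, admin_port=443):
    """Return a list of findings; an empty list means the block passes every check."""
    s = parse_system_saml(text)
    findings = []
    if s.get('status') != 'enable':
        findings.append('status is not enable')
    if s.get('role') != 'service-provider':
        findings.append('role should be service-provider for admin access')
    if s.get('default-profile') != 'admin_no_access':
        findings.append('default-profile should be admin_no_access')
    # Both Google URLs carry the tenant as '?idpid=...'; no query string means the '?' was swallowed.
    for key in ('idp-entity-id', 'idp-single-sign-on-url'):
        if 'idpid' not in parse_qs(urlparse(s.get(key, '')).query):
            findings.append(f'{key} lost its "?idpid=" query (CLI auto-complete ate the "?")')
    if not s.get('idp-cert'):
        findings.append('idp-cert is not set')
    host, _, port = s.get('server-address', '').partition(':')
    if not host:
        findings.append('server-address is not set')
    elif admin_port != 443 and port != str(admin_port):
        findings.append(f'server-address must include :{admin_port} for a non-default admin port')
    return findings
```

Run it against the output of show system saml after pasting the template; an empty list means the '?' survived and the default profile is still admin_no_access.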


Configure from GUI.

Go to Security Fabric -> Fabric Connectors -> Core Network Security and select edit on Security Fabric Setup.

In the Security Fabric Settings, to use SAML for FortiGate admin access, select 'Single Sign-On Settings'.

By default, SAML SSO is 'Disabled'.

Select 'Service Provider (SP)'.

In the SP address field, enter the IP address or FQDN to use; which one depends on the requirement and on how 'FortiGate Admin Access' is reached, via IP address or FQDN.

By default, it uses the current browser address connected to the FortiGate admin: if accessed via IP address, that IP will be shown, and if accessed via FQDN, the FQDN will be shown.

By default, the 'Default admin profile' is set to admin_no_access.

Do not change it to a different profile, so that no user from the IdP side automatically becomes an administrator such as super_admin.

In the example with a custom port 50000, the SP address is entered as the FQDN or IP followed by :50000.

 

Configure the IdP side (Google).

Once logged into the admin portal (admin.google.com), go to Apps, select Web and mobile apps, select 'Add app' and choose 'custom SAML app'.

In Application details, give the 'App name' and, if required, a 'Description'.

In this example, the App name is 'DRAGON-ARMOR FortiGate Admin Access'; then select 'CONTINUE'.

In the Google Identity provider details, select 'CONTINUE', as all the necessary links and certificates have already been obtained.

In the service provider details, copy and paste the ACS URL and Entity ID from the FortiGate.

The ACS URL will be the same as the FortiGate's single-sign-on-url.

 

To view the SP values, there are two ways:

  • From CLI (config global is only needed when VDOMs are enabled):

# config global
# config system saml
# get

  • From GUI:
    Go to Security Fabric -> Fabric Connectors -> Core Network Security, select edit on Security Fabric Setup.

Select 'Single Sign-On Settings'.

Select 'SP Details' to view the values.

 


In attribute mapping details, add the proper mapping. In this example, Primary Email is mapped as the username.

Select 'FINISH'.

Once the configuration is done, the default user access is OFF for everyone.

Select user access, change the service status to ON for everyone and select 'SAVE'.

 

When the admin user tries to log in to the FortiGate unit for the first time, the message 'An SSO administrator account has been created. This account is using a restricted access profile with limited permissions. Additional permission must be granted by the device administrator' will appear.

Then it is necessary to log in with the local admin and make the changes for the SAML admin.

The SAML admin will appear under 'Single Sign-On Administrator' with the default profile 'admin_no_access'.

After that, assign the administrator a profile with the proper permissions, for example 'super_admin'.

Then try again with the SSO SAML admin.

 


Troubleshooting admin login SAML errors is similar to troubleshooting regular SSL-VPN SAML logins; see:

Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication