FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
fyheng
Staff
Staff
Description This article describes how to import Azure Base64 SAML certificate into FortiGate SSL-VPN SSO setup.
Scope

 

Solution

1) The following is the SAML cert format provided by Azure if it is opened with a text editor. 

 

-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAwIBAgIQFl+ka5NRiahBKzAjqgNddDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAyMDIwMzIw
MjdaFw0yNDAyMDIwMzIwMjdaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg
U1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJ5+oygNll33
S72G6DtJuc6jfDHT/tRXfHpNdY8MBvkI2LmVcgnft2A4gA4M8nGxXV/U/KhIGDryrwXOe+X2f2yN
KF+Kt+N23f1kkdrsGFelm980nnxq3SGkoMz1g42nYgtxWcnYbdln8uYDIIyGp67umbeEI9MlRumQ
00zrxDcj6Cu2NkYukAc+Er9YYGwoREKcjNfmmCgIbYfgHpDLmeT75fXIKVampqwGm1XwCx3+9wJE
3kJWl8kzOxA/HF+0AAJnX1KJhLTMg0byGHq3BG34WuFZ09Vp3LWi2GhKiUHpTc9Doqso1bBbWpI6
+1ijpFxaGiaYWWLnT5LxG1u/tQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAKBja/U9+T/jGOkj3I
e9isBwIZoNWSTtpHUCn87Yow0aV46meh8YUrOiWhPQ39Yd1It7cI1ylWgGABCfAl8A5oLKkWrP96
4HAIoztGYJAVp9Or7nvv5/a/w4QmA9mz5pocgLmAOOB/tiHj0FgeF4n8aKwjl00hZHPppKM+fc10
PD+DVM1WX4Zgo3Fec0Ho7I+rOMv83lliOuVGxqZCtRJmik44z6xnSAjUg+S7nka+OzenuoD1ClY2
qfVQlC3EisqLlKxD2U57Cp/wwhw6XBzdQX1uxwFnCH5oHMdpg/iQCQLPNG9z2IrDejUQFL188+Dw
Y23v5h4aVzXBHUINpGL+
-----END CERTIFICATE-----

 

2) Most of the time, the SAML cert provided by Azure is technically not aligned to X509 standards and it is necessary to convert to the X509 standards first before it is possible to import that certificate.

 

3) FortiManager currently does not have the capability to convert the non X509 standards cert for now.

 

It is possible to use the following 3rd party conversion tool to convert before the import. 

 

https://www.samltool.com/format_x509cert.php 

 

4) The conversion result from the above-said link will be as follows and then save into a text file with extension .crt for the converted cert. 

 

Azure non X509 standards cert:

 

-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAwIBAgIQFl+ka5NRiahBKzAjqgNddDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD
EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAyMDIwMzIw
MjdaFw0yNDAyMDIwMzIwMjdaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg
U1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJ5+oygNll33
S72G6DtJuc6jfDHT/tRXfHpNdY8MBvkI2LmVcgnft2A4gA4M8nGxXV/U/KhIGDryrwXOe+X2f2yN
KF+Kt+N23f1kkdrsGFelm980nnxq3SGkoMz1g42nYgtxWcnYbdln8uYDIIyGp67umbeEI9MlRumQ
00zrxDcj6Cu2NkYukAc+Er9YYGwoREKcjNfmmCgIbYfgHpDLmeT75fXIKVampqwGm1XwCx3+9wJE
3kJWl8kzOxA/HF+0AAJnX1KJhLTMg0byGHq3BG34WuFZ09Vp3LWi2GhKiUHpTc9Doqso1bBbWpI6
+1ijpFxaGiaYWWLnT5LxG1u/tQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAKBja/U9+T/jGOkj3I
e9isBwIZoNWSTtpHUCn87Yow0aV46meh8YUrOiWhPQ39Yd1It7cI1ylWgGABCfAl8A5oLKkWrP96
4HAIoztGYJAVp9Or7nvv5/a/w4QmA9mz5pocgLmAOOB/tiHj0FgeF4n8aKwjl00hZHPppKM+fc10
PD+DVM1WX4Zgo3Fec0Ho7I+rOMv83lliOuVGxqZCtRJmik44z6xnSAjUg+S7nka+OzenuoD1ClY2
qfVQlC3EisqLlKxD2U57Cp/wwhw6XBzdQX1uxwFnCH5oHMdpg/iQCQLPNG9z2IrDejUQFL188+Dw
Y23v5h4aVzXBHUINpGL+
-----END CERTIFICATE-----

 

Converted X509 standards cert:

 

-----BEGIN CERTIFICATE-----
MIIC8DCCAdigAwIBAgIQFl+ka5NRiahBKzAjqgNddDANBgkqhkiG9w0BAQsFADA0
MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZp
Y2F0ZTAeFw0yMTAyMDIwMzIwMjdaFw0yNDAyMDIwMzIwMjdaMDQxMjAwBgNVBAMT
KU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJ5+oygNll33S72G6DtJuc6jfDHT
/tRXfHpNdY8MBvkI2LmVcgnft2A4gA4M8nGxXV/U/KhIGDryrwXOe+X2f2yNKF+K
t+N23f1kkdrsGFelm980nnxq3SGkoMz1g42nYgtxWcnYbdln8uYDIIyGp67umbeE
I9MlRumQ00zrxDcj6Cu2NkYukAc+Er9YYGwoREKcjNfmmCgIbYfgHpDLmeT75fXI
KVampqwGm1XwCx3+9wJE3kJWl8kzOxA/HF+0AAJnX1KJhLTMg0byGHq3BG34WuFZ
09Vp3LWi2GhKiUHpTc9Doqso1bBbWpI6+1ijpFxaGiaYWWLnT5LxG1u/tQIDAQAB
MA0GCSqGSIb3DQEBCwUAA4IBAQAKBja/U9+T/jGOkj3Ie9isBwIZoNWSTtpHUCn8
7Yow0aV46meh8YUrOiWhPQ39Yd1It7cI1ylWgGABCfAl8A5oLKkWrP964HAIoztG
YJAVp9Or7nvv5/a/w4QmA9mz5pocgLmAOOB/tiHj0FgeF4n8aKwjl00hZHPppKM+
fc10PD+DVM1WX4Zgo3Fec0Ho7I+rOMv83lliOuVGxqZCtRJmik44z6xnSAjUg+S7
nka+OzenuoD1ClY2qfVQlC3EisqLlKxD2U57Cp/wwhw6XBzdQX1uxwFnCH5oHMdp
g/iQCQLPNG9z2IrDejUQFL188+DwY23v5h4aVzXBHUINpGL+
-----END CERTIFICATE-----

 

5) In the FortiManager, go to GUI -> Device Manager -> select the FortiGate- > Select Display Options -> Checked Certificates -> OK.

 

6) On the menu bar, select System Certificates > Import > Remote Certificates > OK.

 

fyheng_1-1640067842157.png
fyheng_0-1640067909992.png

 

7) Install the changes into the FortiGate.

 

fyheng_0-1640067233273.png

 

8) For the same cert creation in Policy & Objects module, go to GUI -> Policy & Objects -> Object Configurations -> Tools -> Display Options -> Checked CLI Only Objects -> OK.

 

9) On the menu column -> Select CLI Only Objects > Search keyword "vpn" > vpn > certificate > remote > Create New > Input the certificate content by editing the certificate with text editor > OK.

 

fyheng_0-1640137743960.png

 

10)Then you can use this cert into any of the SAML user creations, assign it to a user group, use it in the firewall policy and last install it into the FortiGate.

 

fyheng_0-1640138524553.png