FortiManager
vraev
Staff
Article Id 260718

Description

 

This article describes how to use FortiManager to set up a SAML SSO user group on a managed FortiGate (which acts as the SAML Service Provider, SP). The group can then be used for SSL VPN, firewall policies, and other purposes.

The example below uses the same FortiManager as the Identity Provider (IdP); the steps are similar for other IdP solutions.

 

Scope

 

FortiManager.

 

Solution

 

Step 1: Note the SP URLs of the FortiGate. Normally, these will be similar to the following:


entity-id http://<IP-or-FQDN>:<port*>/remote/saml/metadata/
single-sign-on-url https://<IP-or-FQDN>:<port*>/remote/saml/login
single-logout-url https://<IP-or-FQDN>:<port*>/remote/saml/logout

 

Make sure to include the port number (for SSL VPN, the SSL VPN listening port) if it differs from the standard HTTP/HTTPS ports. The IdP identifies the SP by its entity-id and returns the assertion to the registered single-sign-on URL, so the values entered on the IdP in Step 2 must match these URLs exactly.


Step 2: On the IdP side, create an SP/Application entry (4) using the FortiGate URLs from Step 1; this generates the IdP URLs specific to that SP.
Copy the IdP URLs (IdP entity ID, single sign-on URL and single logout URL) and save them for Step 5.

vraev_0-1686922728558.png

 

Step 3: Download the IdP certificate from FortiManager -> System Settings -> SAML SSO -> IdP Certificate -> Download.

vraev_1-1686922755310.png

 

Step 4: Upload the IdP certificate from Step 3 to the SP FortiGate(s) as a remote certificate.
In FortiManager, go to Policy & Objects -> Object Configurations -> CLI Only Objects -> VPN -> Certificate -> Remote and create a new entry.


If CLI Only Objects is not visible in the current view, enable it under Tools -> Display Options.

 

Leave 'Range' at its default of 'global'. The 'remote' field holds the PEM text of the certificate (chain): open the file downloaded in Step 3 in Notepad or a similar text editor and copy its entire content.


Then paste the certificate into the 'remote' text box (7):

vraev_2-1686922776954.png

 

Step 5: Under Policy & Objects -> Object Configurations -> User & Authentication -> SAML Servers, select Create New (server entry).
Use the SP URLs from Step 1 as SP Settings and the IdP URLs from Step 2 as IdP settings in the new SAML server object.
From the 'Certificate' drop-down list of the SP Settings, select No Certificate. (An SP certificate can be also used to sign the SAML requests if required, but this is an optional setting which is skipped in this example for simplification.)
From the 'Certificate' drop-down list of the IdP Settings, select the Remote Certificate created in Step 4.

vraev_3-1686922805987.png


Step 6: Create a Firewall-type User Group using this SAML Server object as a Remote Authentication Server.
Go to Policy & Objects (1) -> Object Configurations (2) -> User & Authentication (3) -> User Groups (4) -> Create New -> Firewall group (5).
Then, under 'Remote Authentication Servers', select Create New (6) and add the SAML Server from the drop-down menu (7).
Optionally, select 'Group Name' values (8).


If specified, this value must appear in the group attribute of the SAML assertion (the attribute name is the group-name setting of the SAML server object) for the user to be placed in this group. Users whose assertion does not carry a matching value authenticate against the SAML server but are not members of this group, so policies that reference it do not apply to them.

vraev_4-1686922834907.png

 

Step 7: Use the new group in a Firewall Policy, SSL-VPN Portal Mapping, or any other object that accepts user groups.
Then install the Policy Package on the respective FortiGate, reviewing the installation preview before committing (see Troubleshooting below).
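Steps 1 and 4 to 6 above are GUI work on FortiManager, but what the policy package install finally pushes to the FortiGate is plain FortiOS CLI. The script below is an added example and not code from the article or from Fortinet: it derives that CLI from the IdP's SAML metadata, building the Step 1 SP URLs with the port included only when it is non-standard, extracting the IdP entity ID, HTTP-Redirect SSO/SLO endpoints and signing certificate, and rendering the remote certificate, SAML server and firewall group objects. The host names, object names, IdP URL paths, the metadata document and the assertion attribute names 'username' and 'group' are all assumptions; the certificate body is a placeholder. FortiManager's real IdP URLs are the ones produced in Step 2, not those assumed here.

```python
"""FortiOS CLI for Steps 1 and 4-6, generated from the IdP's SAML metadata.

Added example, not code from the Fortinet article or from FortiManager. Host
names, object names, IdP URL paths, the metadata document and the attribute
names 'username'/'group' are assumptions; the X509Certificate is a placeholder.
"""
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata in the standard SAML 2.0 metadata shape (not real FortiManager output).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://fmg.example.com/saml-idp/fgt-branch/metadata/">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIDUMMYBASE64PLACEHOLDERAAAA</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://fmg.example.com/saml-idp/fgt-branch/logout/"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://fmg.example.com/saml-idp/fgt-branch/login/"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Objects the policy package install pushes: Step 4 (remote cert), Step 5 (SAML server), Step 6 (group).
CLI_TEMPLATE = """config vpn certificate remote
    edit "{cert_name}"
        set range global
        set remote "{cert_pem}"
    next
end
config user saml
    edit "{saml_name}"
        set entity-id "{entity_id}"
        set single-sign-on-url "{single_sign_on_url}"
        set single-logout-url "{single_logout_url}"
        set idp-entity-id "{idp_entity_id}"
        set idp-single-sign-on-url "{idp_single_sign_on_url}"
        set idp-single-logout-url "{idp_single_logout_url}"
        set idp-cert "{cert_name}"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "{group_name}"
        set member "{saml_name}"
        config match
            edit 1
                set server-name "{saml_name}"
                set group-name "{idp_group}"
            next
        end
    next
end"""

def sp_urls(host, port=443):
    """Step 1: SP URLs with the port appended when it is not the standard HTTPS
    port; the IdP matches the AuthnRequest against exactly what Step 2 registered."""
    base = host if port == 443 else f"{host}:{port}"
    return {"entity-id": f"http://{base}/remote/saml/metadata/",
            "single-sign-on-url": f"https://{base}/remote/saml/login",
            "single-logout-url": f"https://{base}/remote/saml/logout"}

def parse_idp_metadata(xml_text):
    """Steps 2-3: IdP entity ID, HTTP-Redirect SSO/SLO URLs and signing cert as PEM."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    def redirect_location(tag):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        raise ValueError(f"no HTTP-Redirect {tag} in metadata")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            if cert:
                break
    if not cert:
        raise ValueError("no signing certificate in metadata")
    body = "\n".join(textwrap.wrap(re.sub(r"\s+", "", cert), 64))  # PEM wraps base64 at 64 chars
    return {"idp-entity-id": root.get("entityID"),
            "idp-single-sign-on-url": redirect_location("SingleSignOnService"),
            "idp-single-logout-url": redirect_location("SingleLogoutService"),
            "cert_pem": f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"}

def fortios_cli(sp, idp, cert_name, saml_name, group_name, idp_group):
    """Render the CLI; FortiOS keys use '-', the template's format fields use '_'."""
    vals = {k.replace("-", "_"): v for k, v in {**sp, **idp}.items()}
    return CLI_TEMPLATE.format(cert_name=cert_name, saml_name=saml_name,
                               group_name=group_name, idp_group=idp_group, **vals)
```

Calling fortios_cli(sp_urls("vpn.example.com", 10443), parse_idp_metadata(SAMPLE_IDP_METADATA), "FMG_IdP", "fmg-saml", "saml-vpn-users", "vpn-users") prints the three objects for an SSL VPN listening on port 10443. Comparing that output with the installation preview is a quick way to spot a field left empty on the FortiManager object: anything rendered here that the preview shows as 'unset' was not filled in during Steps 4 to 6. The parser refuses metadata without a signing certificate or a Redirect-binding endpoint rather than silently producing an object the FortiGate cannot validate assertions against.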

 

Troubleshooting:

Troubleshooting Tip: Solving the 'copy' error that occurs while installing the policy package

Technical Tip: SAML SSO - FortiManager/FortiAnalyzer Troubleshooting Options

Technical Tip: FortiGate SAML authentication resource list

Check that there is enough free disk space and that memory and I/O load are normal, using the following CLI command:

 

get system performance

 

If the installation preview shows an unintended change, for example FortiManager about to remove a value that the FortiGate already has, such as:

 

config user saml
    edit "azure"
        unset auth-url
    next
end

 

this means the corresponding object on FortiManager is missing that value. Go to Policy & Objects -> Object Configurations -> CLI Only Objects -> Objects -> user -> saml -> <name of the object> -> Edit.

Add the missing 'auth-url' value, select OK (and Save if the ADOM is in Workspace mode), then start a new installation and check the preview again.

  

vraev_1-1688719213307.png
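A check for the preview problem just described, as an added example that is not from the article or from Fortinet: it walks the config/edit nesting of an installation preview and lists every 'unset' together with the object it belongs to, so unintended removals are caught before the install runs. The preview text is constructed to mirror the snippet above plus one harmless 'set'; the object name 'azure' and the policy ID are illustrative.

```python
"""Scan a FortiManager installation preview for 'unset' lines.

Added example, not from the article or from Fortinet. SAMPLE_PREVIEW is
constructed: the 'user saml' part mirrors the article, the policy is filler.
"""

SAMPLE_PREVIEW = """config user saml
    edit "azure"
        unset auth-url
    next
end
config firewall policy
    edit 5
        set groups "saml-vpn-users"
    next
end
"""


def find_unsets(preview, table=None):
    """Return (path, attribute) for every 'unset' in the preview, tracking the
    config/edit nesting so nested tables such as 'config match' are reported
    with their full path. If 'table' is given, only that top-level table
    (e.g. "user saml") is reported."""
    frames = []   # one [table_name, current_edit] per open 'config' block
    hits = []
    for raw in preview.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            frames.append([line[7:].strip(), None])
        elif not frames:
            continue                      # text outside any config block
        elif line.startswith("edit "):
            frames[-1][1] = line[5:].strip().strip('"')
        elif line == "next":
            frames[-1][1] = None
        elif line == "end":
            frames.pop()
        elif line.startswith("unset ") and (table is None or frames[0][0] == table):
            path = "/".join(f"{t}[{e}]" if e is not None else t for t, e in frames)
            hits.append((path, line[6:].strip()))
    return hits


def report(preview):
    """Summary of what the install would remove from the device; each entry
    names the FortiManager object whose value must be added back first."""
    hits = find_unsets(preview)
    if not hits:
        return "preview contains no unset lines"
    return "\n".join(f"{path}: '{attr}' would be removed from the device; "
                     f"set it on the FortiManager object first" for path, attr in hits)


if __name__ == "__main__":
    print(report(SAMPLE_PREVIEW))
```

Paste the preview text into SAMPLE_PREVIEW (or read it from a file) and run the script; an empty result means the install only adds or changes values, which is what a clean policy package push should look like.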

 

Related documents:

Technical Tip: Creating of script to insert the CA and Local certificate and change the FortiGate GU...

DOCS: SAML SSO wildcard admin user to match all users on IdP server

DOCS: CLI saml

DOCS: Admins can use a SAML SSO FortiCloud account to log in to FortiManager

DOCS: Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP

Technical Tip: Use VPN Manager to set up SSL VPN on a managed FortiGate

Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP

Technical Tip: Configure SAML SSO login with Azure AD

Technical Tip: SAML SSO - FortiManager/FortiAnalyzer Troubleshooting Options

Technical Tip: SAML SSO - Configuration with Keycloak

Technical Tip: SAML Attributes for ADOM and Admin Profile Override with Wildcard SSO Administrators

Technical Tip: FortiGate SAML authentication resource list

Technical Tip: Configuring SAML SSO login for SSL VPN web mode with OKTA acting as SAML IdP

TOOL: SAML-tracer