| Description | This article describes how to configure FortiNAC-F Captive Portal SSO with FortiAuthenticator IdP Proxy. |
| Scope | FortiNAC-F, FortiAuthenticator and Entra ID. |
| Solution |
This article assumes that the basic configuration of FortiNAC-F and FortiAuthenticator has been completed.
Entra ID: Under Enterprise applications, select New application, select Create your own application, enter the Name for the application, and select Create.
Under App registrations, select All applications and select the previously created application.
Under Overview, copy the Application (client ID) and the Directory (tenant) ID.
Under Certificates and secrets, select New client secret, enter a Description, select an Expiry, and select Add.
Copy the secret Value.
Under Microsoft Entra ID, select Roles and administrators, search for Directory Readers, select Add assignments, select the previously created application, and select Add.
FortiAuthenticator:
Under Authentication -> Remote Auth. Servers -> OAuth, select Create New, enter a Name, select Azure Directory for OAuth source, enter the previously copied Client ID, Client Key (secret Value), Azure AD tenant ID, select Include for SSO, and select Save.
Under Authentication -> Remote Auth. Servers -> SAML, select Create New. Under Create New Remote SAML Server, enter a Name, select Proxy for Type, select HTTPS for Entity ID, and copy the Portal URL, Entity ID, and ACS (login) URL.
Under Single Logout, enable SAML single logout, and copy the SLS (logout) URL.
Entra ID:
Under Enterprise Applications, select the previously created application.
Under Overview, select Assign users and groups, select Add user/group, select None Selected, select users and/or groups, and select Assign.
Under Overview, select Set up single sign on and select SAML.
Under Basic SAML Configuration, select Edit, enter the previously copied Entity ID for Identifier (Entity ID), ACS (login) URL for Reply URL (Assertion Consumer Service URL), Portal URL for Sign on URL (Optional), SLS (logout) URL for Logout URL (Optional), and select Save.
Under Attributes & Claims, select Edit, select Add a group claim, select All groups, and select Save.
Under SAML Certificates, download Federation Metadata XML.
FortiAuthenticator:
Under IdP Metadata, select Import IdP metadata, select Upload a file, select the previously downloaded Federation Metadata XML, select Import, and deselect Strip realm from username before sending.
Under Group Membership, select Cloud, and select the previously created OAuth server.
Select Save to complete the configuration of the remote SAML server.
Under Authentication -> User Management -> Realms, select Create New, enter the realm name for Name, select the previously created remote SAML server, and select Save.
Under System -> Network -> Interfaces, select the port that will provide the SAML IdP service. Under Access Rights, enable HTTPS, enable SAML IdP, and select Save.
Under Authentication -> SAML IdP -> General, enable the SAML Identity Provider portal and enter additional SAML hosts for the Server address if required.
Under Certificates, select a different certificate for Default IdP certificate if required. Note that this certificate will be uploaded to FortiNAC-F.
Select Save to complete the configuration.
Under Certificate Management -> End Entities -> Local Services, select the Default IdP certificate, and select Export Certificate if required.
Under Authentication -> SAML IdP -> Service Providers, select Create New. Under Create New SAML Service Provider, enter a name for SP name.
Under IdP Metadata, select the plus (+) for Create an identifier for this IdP, select Random, select OK, and download IdP metadata.
Select Save to show the SP Metadata section.
FortiNAC-F: Under Network -> Service Connectors, select Create New. Under SAML SSO, select User SAML SSO.
Under Basics, enter a Name.
Under Service Provider Settings, download the SP Metadata File.
Under Identity Provider Settings, upload the previously downloaded IdP metadata, and the previously downloaded IdP certificate.
Select OK to save the configuration of the Service Connector.
FortiAuthenticator: Under SP Metadata, select Import SP metadata, select Upload a file, select the previously downloaded SP Metadata file, select Save, and deselect SAML request must be signed by SP Certificate type.
Copy the SP ACS (login) URL, select Alternative ACS URLs, paste the previously copied SP ACS (login) URL and change actions to registration, then select Save.
Under Assertion Attributes, select Add Assertion Attributes, enter username for SAML attribute and select SAML username for User attribute.
Select Save to save the configuration of the SAML Service Provider.
Under Authentication -> SAML IdP -> User Sources, select Create New, select the previously created Realm for Realm, and select Save.
FortiNAC-F: Under Portal -> Portal Configuration, select Portal, select Configuration, select Global, select Global Properties, and select Settings. Under Login Type Options, select the previously created Service Connector for Standard User Login Type, and select Save.
Other customizations can be made to the captive portal if required.
Under System -> Settings -> Control -> Allowed Domains, select Add Domain, add each of the following domains, select OK, and select Save Settings.
Other domains or subdomains can be added to the Allowed Domains if required. The command `execute tcpdump -vi port2 host <isolated-host-ip-address> and port 53` can be used to sniff the traffic between the isolated host and the FortiNAC-F port2 interface.
Rogue Device: On the Captive Portal, select User, enter Entra ID credentials, and select Continue to register the rogue device.
FortiNAC-F: Under Users & Hosts -> User Accounts, verify that the user account is created with the SSO User type.
(Optional) Additional user and group assertion attributes.
Entra ID: Under Microsoft Entra ID, select Groups, select All groups, search for a group that the user is a member of, and copy the Object ID.
FortiAuthenticator: Under Authentication -> SAML IdP -> Service Providers, select the previously created SAML Service Provider.
Under Assertion Attributes, select Add Assertion Attribute, select SAML assertion for User attribute, enter surname for SAML attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname for Custom field.
Under Assertion Attributes, select Add Assertion Attribute, select SAML assertion for User attribute, enter givenname for SAML attribute, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname for Custom field.
Under Assertion Attributes, select Add Assertion Attribute, select SAML assertion for User attribute, enter group for SAML attribute, enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups for Custom field.
Select Save to save the configuration of the SAML Service Provider.
FortiNAC-F: Under System -> Groups, select Add, enter a Name, select User for Member Type, and select OK.
Under Network -> Service Connectors, select the previously created Service Connector. Under User Group Assignment, select Custom User Group Mapping, enter group for IdP Attribute Name, select Create New, select the previously created group for User Group, enter the previously copied Object ID for IdP Attribute Value, and select OK.
Under Attribute Mapping, select Create New, enter surname for IdP Attribute Name, select Last Name for FortiNAC Attribute Name, and select OK.
Under Attribute Mapping, select Create New, enter givenname for IdP Attribute Name, select First Name for FortiNAC Attribute Name, and select OK.
Select OK to save the configuration of the Service Connector.
Under Users & Hosts -> User Accounts, select the previously created user account, select Delete, and select Yes to de-register the device.
Rogue Device: On the Captive Portal, select User, enter Entra ID credentials, and select Continue to re-register the rogue device.
FortiNAC-F: Under Users & Hosts -> User Accounts, verify that any previously configured user attributes are present.
Under System -> Groups, verify that the user is assigned to the group.
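As an added example that is not part of the Fortinet article, the following Python models the two attribute hops configured above (FortiAuthenticator's Assertion Attributes, then FortiNAC-F's Attribute Mapping and Custom User Group Mapping) against a constructed Entra ID assertion; the Object ID, user values and group name are placeholders.

```python
# Added example (not Fortinet code): models the two hops of the IdP proxy above.
# Hop 1: FortiAuthenticator reads the Entra ID claims set as "Custom field" and
# re-emits them as username/surname/givenname/group. Hop 2: FortiNAC-F applies
# Attribute Mapping and Custom User Group Mapping. Assertion data is constructed.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# FortiAuthenticator SP Assertion Attributes: SAML attribute -> Custom field claim
FAC_ASSERTION_ATTRIBUTES = {
    "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "givenname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "group": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}
# FortiNAC-F Service Connector mappings; the Object ID is a constructed placeholder
NAC_ATTRIBUTE_MAPPING = {"surname": "Last Name", "givenname": "First Name"}
NAC_GROUP_MAPPING = {"11111111-2222-3333-4444-555555555555": "Entra-Staff"}

def parse_attributes(assertion_xml):
    """Return {Attribute Name: [values]} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}

def fac_proxy(entra_attrs, username):
    """Hop 1: the attributes FortiAuthenticator forwards to FortiNAC-F."""
    out = {"username": [username]}  # 'username' is mapped to SAML username
    for saml_attr, claim in FAC_ASSERTION_ATTRIBUTES.items():
        if claim in entra_attrs:
            out[saml_attr] = entra_attrs[claim]
    return out

def nac_map_user(fac_attrs):
    """Hop 2: the user record FortiNAC-F builds from the proxied assertion."""
    if not fac_attrs.get("username"):
        raise ValueError("no username attribute: FortiNAC-F cannot register the host")
    user = {"User ID": fac_attrs["username"][0], "Groups": []}
    for idp_attr, nac_attr in NAC_ATTRIBUTE_MAPPING.items():
        if fac_attrs.get(idp_attr):
            user[nac_attr] = fac_attrs[idp_attr][0]
    # Unmapped Object IDs are silently ignored: a missing group usually means a wrong ID
    for object_id in fac_attrs.get("group", []):
        if object_id in NAC_GROUP_MAPPING:
            user["Groups"].append(NAC_GROUP_MAPPING[object_id])
    return user

ENTRA_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue><saml:AttributeValue>99999999-0000-0000-0000-000000000000</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

Running `nac_map_user(fac_proxy(parse_attributes(ENTRA_ASSERTION), "jane.doe@example.com"))` yields the First Name, Last Name and single mapped group that the verification steps above expect to see under User Accounts and Groups.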
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.