asanzd
Article Id 420954
Description This article describes how to integrate FortiProxy with FortiAuthenticator as an IdP.
Scope FortiProxy v7.2 and v7.4, and FortiAuthenticator v6.5.
Solution

This article covers the steps to configure SAML on FortiProxy with FortiAuthenticator acting as the IdP, and includes tips for managing the user's session in the IdP portal, so that the user can be signed out and the authentication process restarted.

 

schema_FPX-FAC.png

 

The authentication flow is the same as in Technical Tip: SAML authentication for explicit web proxy, with FortiProxy in place of FortiGate and FortiAuthenticator in place of Azure as the IdP.

  1. The client opens a browser and visits https://www.google.com.
  2. This browser session will be redirected by the web proxy to the captive portal.
  3. The authentication request is redirected to FortiAuthenticator IdP's sign-in page.
  4. After the user enters credentials, IdP authenticates the user and sends a SAML assertion message to the end user. This message contains the username and the group information that the user belongs to on IdP.
  5. The SAML Assertion is then submitted to the Service Provider by the end user.
  6. The proxy policy on FortiProxy configured with the SAML user group authenticates the user and then allows the client access to the web.

 

FortiAuthenticator:

 

FortiAuthenticator can be referenced by IP address or by FQDN; either works.

 

Requirements:

 

The IdP portal must be enabled for the realm(s). This is configured under:

 

FAC_IdProvSettings1.png

 

The default certificate can be used; download it, as it is later imported on FortiProxy as the IdP certificate.

 

SP metadata is configured on FortiProxy with this format: 

 

SP metadata2.png

 

where the FQDN is customized to the deployment: fpx.[domainX.com].

 

To generate the IdP metadata in FortiAuthenticator, add an entry under the 'Service Providers' section and choose an IdP prefix by pressing '+'.

 

Once the IdP prefix is selected, the information is generated automatically:

 

Idp_entityID4.png

 

The SP metadata from FortiProxy is then entered in this entry:

 

Idp_entityID5.png

 

Assertion attributes are required to identify the user, plus any other attribute the policies need. In this case, the group:

 

Idp_attributes6.png

FortiProxy:

 

An FQDN will be used for the captive portal:

 

FPX_cp7.png

 

The explicit proxy is configured on the entry interface (the user-side interface) in Explicit Proxy Mode.

 

SAML integration is configured under User & Authentication -> SAML -> New, with the specified SP and IdP values and with the remote certificate of FortiAuthenticator as the IdP certificate:

 

FPX_SAML8.png

 

The 'XX/YY/ZZ' string shown in the documentation is a generic placeholder and is not required.

 

The proxy authentication setting uses the captive portal and the SAML authentication scheme:

 

config authentication scheme
    edit "PRE-TEST"
        set method saml
        set saml-server "PRE-TEST"
    next
end

config authentication setting
    set active-auth-scheme "PRE-TEST"
    set captive-portal "Proxy_local"
end

 

The user groups created are referenced in policies to allow traffic for authenticated users who belong to them. These user groups are configured as described in the documentation.

Firewall policies and authentication rules follow the documentation guidelines. The policies are:

 

config firewall policy
    edit 1
        set type explicit-web
        set name "SAML-Access"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "FAC" <----- IP of FortiAuthenticator (IdP); no group is set, so clients can reach the IdP portal before authenticating.
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set logtraffic all
    next
end

config firewall policy
    edit 2
        set type explicit-web
        set name "SAML_auth"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set utm-status enable
        set logtraffic all
        set groups "USER_GR_FAC_TEST" <----- User group for testing.
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "WF_GR_Test_URLs4" <----- Web filter profile.
    next
end

 

The key result is that when the user opens a browser, the IdP portal appears in the client browser:

 

FAC_portal9.png

 

An HTTPS request like the following is shown:

https://10.5.62.211/saml-idp/szdxwin5fbam5xxg/login/?SAMLRequest=xxxxxxxxxx

 

The SAML request is initiated and, if communication between SP and IdP is established successfully, the user's login returns the attributes FortiProxy needs to allow or deny the user in its policies. This can be verified by debugging the SAML process.
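As an added example (not part of the article and not Fortinet code), the following Python decodes the SAMLRequest parameter of a login URL shaped like the one above and checks that the Issuer and AssertionConsumerServiceURL it carries match the SP metadata loaded on FortiAuthenticator; the SP entity ID and ACS URL are assumed placeholders, and the sample AuthnRequest is constructed inline.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# IdP login endpoint from the article; the entity ID and ACS URL are constructed placeholders.
IDP_LOGIN_URL = "https://10.5.62.211/saml-idp/szdxwin5fbam5xxg/login/"
SP_ENTITY_ID = "https://fpx.example.com/saml/metadata"
SP_ACS_URL = "https://fpx.example.com/saml/login"

# Constructed AuthnRequest shaped like the one the SP (FortiProxy) sends to the IdP.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'xmlns:saml="{SAML_NS}" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
    f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
)


def build_login_url(xml_text: str = SAMPLE_AUTHN_REQUEST) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode the value."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    param = urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")
    return f"{IDP_LOGIN_URL}?SAMLRequest={param}"


def decode_login_url(url: str) -> dict:
    """Return the Issuer and ACS URL carried in the SAMLRequest query parameter."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    try:
        xml_bytes = zlib.decompress(raw, -15)     # Redirect binding: deflated
    except zlib.error:
        xml_bytes = raw                            # POST binding: plain base64 XML
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {"issuer": issuer.text.strip() if issuer is not None else None,
            "acs_url": root.get("AssertionConsumerServiceURL")}


def check_sp_metadata(url: str, entity_id: str, acs_url: str) -> list:
    """List mismatches between the request and the SP metadata registered on the IdP."""
    info = decode_login_url(url)
    problems = []
    if info["issuer"] != entity_id:
        problems.append(f"Issuer {info['issuer']!r} != SP entity ID {entity_id!r}")
    if info["acs_url"] != acs_url:
        problems.append(f"ACS {info['acs_url']!r} != SP metadata ACS {acs_url!r}")
    return problems
```

Run check_sp_metadata on the real login URL copied from the browser, with the entity ID and ACS URL from the SP metadata pasted into FortiAuthenticator; an empty list means the two sides agree.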

 

Under 'SP Login Response Msg Body', the username and groupname attributes appear with the following values:

 

debug_FPX1.png

 

If the IdP portal no longer appears after login, and the user cannot sign out to restart the tests:

 

The FortiProxy re-authentication timer is under "config system global" and defaults to 10 minutes:
set proxy-auth-timeout 10

 

For more information, see proxy authentication timers. 

To repeat the login, these steps can be followed:

  • De-authenticate the user on FortiProxy ('diag wad user clear').
  • Clear all sessions on FortiProxy ('diag wad session clear').

 

However, the best option is to sign the user out in the IdP portal:

 

IdP_portal10.png

 

Sometimes, when signing out on the IdP portal has not been possible, the session is kept even after clearing cookies and browsing history, and login is not re-attempted.

The IdP Single Logout URL can be used to sign the user out. In the example above: https://10.5.62.211/saml-idp/szdxwin5fbam5xxg/logout/

 

For useful troubleshooting steps, see Technical Tip: Initial steps to troubleshoot explicit proxy on FortiProxy.