This article describes how to enable SAML auth with G Suite.
FortiSASE (SP), G Suite (IDP), FortiSASE v23.4.17, SSO.
Log in to the FortiSASE account at https://portal.prod.fortisase.com/ and navigate to Configuration -> Authentication Source -> VPN User SSO.
Copy the SP URL into a notepad:
Now log in to the G Suite admin portal at https://admin.google.com and navigate to App -> Web and Mobile Apps -> Add Apps -> Custom SAML Apps.
Define the name and description of the profile. Then copy the IDP details below into a notepad:
Fill in the SP details collected earlier, define the attribute as required (it should match the claim defined on the SP), leave the optional settings at their defaults, and select 'Finish'.
Make sure to enable 'turn on user access' for the SAML profile created.
Back on the SP, fill in the details collected from the IDP and upload the certificate. The Sign-on and Sign-out URLs are the same.
Note:
The claims for username were made to match the IDP attribute configuration.
Review the config and select 'Submit'.
Create a group and reference the SSO configuration in it.
This group (G-SAML) is then referenced in the policy, as mentioned below.
Configuration on FortiSASE is now done. If the client is already onboarded and the endpoint is using the default profile as per the configuration on FortiSASE, SSO login is enforced, and Auto connect to FortiSASE and Force Always On VPN are enabled by default.
Complete the SSO login on the FortiClient.
It is possible to review the user-connected status.
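To verify the claim match described in the note above, the following added example (not from the original article, FortiSASE or Google) decodes a base64 `SAMLResponse` value and checks that the username claim name configured on the SP is the one the IDP actually sent. The sample response, the `alice@example.com` user, the `PLACEHOLDER` idpid and the `Username` attribute name are constructed, exact-match comparison of claim names is an assumption, and signature validation is out of scope.

```python
import base64
import xml.etree.ElementTree as ET  # stdlib parser; use defusedxml for untrusted input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from a real tenant); the idpid value is a placeholder.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=PLACEHOLDER</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_claims(saml_response_b64):
    """Decode a base64 SAMLResponse form value; return issuer, NameID, attributes."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "name_id": root.findtext(".//saml:NameID", default="", namespaces=NS),
        "attributes": attrs,
    }


def check_username_claim(claims, sp_claim_name):
    """Return problems found; an empty list means the SP's claim is satisfied."""
    attrs = claims["attributes"]
    if sp_claim_name in attrs:
        if any(v.strip() for v in attrs[sp_claim_name]):
            return []
        return [f"claim {sp_claim_name!r} is present but empty"]
    # Exact-match comparison is assumed; report names that differ only by case.
    near = [n for n in attrs if n.lower() == sp_claim_name.lower()]
    hint = f"; IdP sent {near[0]!r} (case differs)" if near else ""
    return [f"claim {sp_claim_name!r} missing; got {sorted(attrs)}{hint}"]


if __name__ == "__main__":
    claims = parse_claims(base64.b64encode(SAMPLE_XML.encode()))
    print(claims["issuer"], check_username_claim(claims, "username"))
```

With the constructed sample, the SP-side claim `username` is reported as missing because the IDP mapping released `Username`.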