This article describes how to configure SSO VPN for remote users to connect to FortiSASE.
This example uses the following products:
FortiSASE, FortiAuthenticator, FortiClient
In this example, FortiAuthenticator is used as the Identity Provider (IdP),
FortiSASE is used as the Service Provider (SP), and end users connect using FortiClient.
Installing the IdP certificate on FortiSASE:
In FortiAuthenticator, go to the Certificate Management section, locate the End Entities under Local Services, and export the certificate from there.
In the FortiSASE portal, go to System -> Certificates and import the certificate exported from FortiAuthenticator.
Configuring SAML IdP settings on FortiAuthenticator:
Go to Authentication -> SAML IdP -> General.
For Default IdP certificate, select the same certificate that was imported on FortiSASE.
Configuring SAML SP settings on FortiAuthenticator (FAC):
Go to Authentication -> SAML IdP -> Service Providers.
Now, in another tab, connect to the FortiSASE portal and go to Configuration -> VPN User SSO.
Copy the Entity ID value and paste it into the SP entity ID field in FortiAuthenticator.
Copy the Assertion Consumer Service URL value and paste it into the SP ACS (login) URL field in FortiAuthenticator.
Similarly, copy the Single Log-Out URL value and paste it into the SP SLS (logout) URL field in FortiAuthenticator.
Verify that the specified SAML attributes are configured with their corresponding user attribute values.
Configuring IdP settings on FortiSASE:
Connect to the FortiSASE portal, go to Configuration -> VPN User SSO, and select Next to continue.
In another tab, open FortiAuthenticator and go to Authentication -> SAML IdP -> Service Providers.
Copy the IdP entity ID value and paste it into the IdP Entity ID field in the FortiSASE portal.
Copy the IdP single sign-on URL value and paste it into the IdP Single Sign-On URL field in the FortiSASE portal.
Copy the IdP single logout URL value and paste it into the IdP Single Log-Out URL field in the FortiSASE portal.
Finally, under the IdP Certificate section, make sure the FortiAuthenticator certificate that was previously uploaded is selected.
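The SP and IdP values above are copied by hand between the two portals, and a trailing slash lost in the SP entity ID, or a missing group attribute, produces an SSO login that fails with little explanation. The following checker, added here as an example and not part of the original article or of any Fortinet product, parses a SAML Response and reports where the Destination, Issuer, Audience and attribute names disagree with the values you configured; the URLs and the unsigned sample response are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical values standing in for the fields copied between the two portals.
EXPECTED = {
    "idp_entity_id": "https://fac.example.com/saml-idp/fortisase/metadata/",
    "sp_entity_id": "https://example.fortisase.com/remote/saml/metadata/",
    "acs_url": "https://example.fortisase.com/remote/saml/login/",
    "required_attrs": {"username", "group"},
}

# Constructed, unsigned sample response: the Audience lacks the trailing slash
# and the "group" attribute is absent, two typical copy-paste mistakes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://example.fortisase.com/remote/saml/login/">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://fac.example.com/saml-idp/fortisase/metadata/</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://example.fortisase.com/remote/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected=EXPECTED):
    """Return the list of mismatches between the assertion and the exchanged values (empty = consistent)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the SP ACS (login) URL")
    assertion = root.find("saml:Assertion", SAML)
    if assertion is None:
        return problems + ["no Assertion element in response"]
    issuer = assertion.findtext("saml:Issuer", namespaces=SAML)
    if issuer != expected["idp_entity_id"]:
        problems.append(f"Issuer {issuer!r} does not match the IdP entity ID")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=SAML)
    if audience != expected["sp_entity_id"]:
        problems.append(f"Audience {audience!r} does not match the SP entity ID")
    # Attribute names must match what the SP maps to username and group.
    present = {a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", SAML)}
    missing = sorted(expected["required_attrs"] - present)
    if missing:
        problems.append(f"missing SAML attributes: {missing}")
    return problems
```

Run `check_response()` on a response captured from a browser SAML trace; it does not verify the XML signature, so pair it with the IdP certificate check already described above.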
User Groups Fetching:
Go to Configuration -> Users & Groups -> Create New.
Select User group (this assumes all groups have already been configured in FortiAuthenticator).
Under Remote Group -> Create New, select the previously defined VPN SSO.
Remote User Onboarding:
Go to the FortiSASE portal's Configuration section and select VPN SSO. Retrieve the invitation code directly from the portal, following the displayed instructions:
Proceed to the Windows virtual machine, launch the FortiClient GUI, and enter the previously copied invitation code into the 'Enter Server address or Invitation code' field as instructed.
After the invitation code is entered successfully, FortiClient is registered with FortiSASE EMS. You should observe a display like the provided screenshot, particularly in the Zero Trust Telemetry section. This confirms that a new endpoint profile has been downloaded to FortiClient. The profile includes various configurations, including the VPN tunnel settings that allow a connection to FortiSASE to be established.
Upon checking the dashboard in FortiSASE, the user information will be present.
Copyright 2025 Fortinet, Inc. All Rights Reserved.