Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @fireon
Have you checked the below documentation this is used with FMG/FAZ, but it may help to crosscheck with your configurations.
Hi @fireon,
Are you getting any error messages? Are you getting redirected to the SAML login page? Please refer to this article to collect debugs: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-SAML-authenticat...
Regards,
Thanks for the links, i will test it next week and give you feedback.
Hello Fireon,
Have you find a way to do connect your fortigate to keycloak IDP ?
Do you have any advice to share ?
Best regards,
Julien
Unfortunately not. I also tried to solve it directly with Fortis Support. It is certainly possible, but this would probably require bringing Forti + Keycloak/Univention together and letting them work.
In case you guys have not figured it out by now anyway. Here is what I came up with when trying my own luck yesterday with this. I did not do the deep dive yet. Just wanted a working prototype and have not done any tweaks or followed best practices yet.
1. Import your KC Realm certificate as remote certificate into gate
2. Security-Fabric - Fabric Connectors Single Sign-On Settings:
Mode Service Provider (SP)
SP address: fortigateurl.yourdomain:yourport
Default login page: up to you (would not change to sso until tested at least)
default admin profile admin_no_access (I want to provision myself)
IdP type: Custom
IdP cert: chose the previously importet one
IdP entity ID https://yourkeycloakurl/auth/realms/realmname
IdP single sign-on URL https://yourkeycloakurl/auth/realms/realmname/protocol/saml
IdP single logout URL https://yourkeycloakurl/auth/realms/realmname/protocol/saml
OK
KeyCloak (26)
Settings:
Client-ID http://fortigateurl.yourdomain:yourport/metadata/
Name Up to you
Valid redirect URIs https://fortigateurl.yourdomain:yourport/*
Master SAML Processing URL https://fortigateurl.yourdomain:yourport/saml/login
Name ID format username
Force POST binding On
Include AuthnStatement ON
Sign documents ON
Signature Algo RSA_SHA256
SAML signature key name KEY_ID
Canonicalization method EXCLUSIVE
Front channel logout On
Keys:
Signing keys config Off
Client Scopes:
remove role_list
New mapper (earlier keycloak mapper tab):
type User Property
Name username
Property username
friendly name username
SAML Attribute Name username
SAML Attribute NameFormat Unspecified
Back on fgt: system - administrators - create new - sso admin: chose a name that matches your Keycloak federated user
Works perfectly on my POC fgt.
Hope it helps you guys or whoever may come across this later on
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.