Hi @fireon
Have you checked the documentation below? It is written for use with FMG/FAZ, but it may help to cross-check against your configuration.
Hi @fireon,
Are you getting any error messages? Are you getting redirected to the SAML login page? Please refer to this article to collect debugs: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-SAML-authenticat...
Regards,
Thanks for the links, I will test it next week and give you feedback.
Hello Fireon,
Have you found a way to connect your FortiGate to the Keycloak IdP?
Do you have any advice to share?
Best regards,
Julien
Unfortunately not. I also tried to solve it directly with Forti's Support. It is certainly possible, but this would probably require bringing Forti + Keycloak/Univention together and letting them work on it.
In case you guys have not figured it out by now anyway, here is what I came up with when trying my own luck yesterday with this. I did not do the deep dive yet. I just wanted a working prototype and have not done any tweaks or followed best practices yet.

1. Import your KC Realm certificate as a remote certificate into the gate.
2. Security Fabric - Fabric Connectors - Single Sign-On Settings:
   - Mode: Service Provider (SP)
   - SP address: fortigateurl.yourdomain:yourport
   - Default login page: up to you (I would not change it to SSO until tested at least)
   - Default admin profile: admin_no_access (I want to provision myself)
   - IdP type: Custom
   - IdP cert: choose the previously imported one
   - IdP entity ID: https://yourkeycloakurl/auth/realms/realmname
   - IdP single sign-on URL: https://yourkeycloakurl/auth/realms/realmname/protocol/saml
   - IdP single logout URL: https://yourkeycloakurl/auth/realms/realmname/protocol/saml
   - OK
3. Keycloak (26):
   - Settings:
     - Client ID: http://fortigateurl.yourdomain:yourport/metadata/
     - Name: up to you
     - Valid redirect URIs: https://fortigateurl.yourdomain:yourport/*
     - Master SAML Processing URL: https://fortigateurl.yourdomain:yourport/saml/login
     - Name ID format: username
     - Force POST binding: On
     - Include AuthnStatement: On
     - Sign documents: On
     - Signature algorithm: RSA_SHA256
     - SAML signature key name: KEY_ID
     - Canonicalization method: EXCLUSIVE
     - Front channel logout: On
   - Keys:
     - Signing keys config: Off
   - Client Scopes:
     - remove role_list
   - New mapper (the mapper tab in earlier Keycloak versions):
     - Type: User Property
     - Name: username
     - Property: username
     - Friendly name: username
     - SAML Attribute Name: username
     - SAML Attribute NameFormat: Unspecified
4. Back on the fgt: System - Administrators - Create New - SSO Admin: choose a name that matches your Keycloak federated user.

Works perfectly on my POC fgt.
Hope it helps you guys or whoever may come across this later on.
I'm trying to enable SAML with Keycloak to authenticate outbound navigation on a VLAN using Captive Portal.
I defined all the SP (Fortigate) and IdP (Keycloak) parameters, as well as the Captive settings.
When validating, I am redirected to the Keycloak SSO login screen and I can authenticate successfully, but when I should be redirected to the FortiGate, which would allow navigation, I instead receive the message: "Firewall Authentication Failed".
In the FortiGate debug I did not identify any error messages, nor on the Keycloak side.
Did I forget something?
Created on 02-20-2025 10:43 AM
I discovered my confusion. It remained to configure the mappers correctly in the scope of the Keycloak client. Login to Captive Portal with an internal user worked perfectly. Now I want to validate the social login with Google provider.
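Added example (not posted by anyone in this thread, and not Fortinet or Keycloak code): a small Python script that parses a SAML Response the way a troubleshooter would when chasing the "Firewall Authentication Failed" symptom above, checking it against the SP/IdP values from the configuration post earlier in the thread (the placeholder URLs `https://yourkeycloakurl/auth/realms/realmname` and `https://fortigateurl.yourdomain:yourport/saml/login` are kept as written there). It confirms the Issuer and Destination match, that an AuthnStatement, a NameID and a Signature element are present, and, the point of the post above, that the `username` attribute emitted by the User Property mapper is actually in the assertion. The two Responses it checks are constructed samples in the shape Keycloak emits, not captured traffic; cryptographic verification of the signature (which needs the imported IdP certificate and an xmlsec library) is deliberately out of scope, so only the presence of the Signature element is reported.

```python
"""Sanity-check a Keycloak SAML Response against the FortiGate SP settings from the thread.
Parsing only: this does NOT verify the XML signature, it only reports whether one is present."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder values exactly as written in the thread's configuration post.
EXPECTED_IDP_ENTITY_ID = "https://yourkeycloakurl/auth/realms/realmname"
EXPECTED_ACS_URL = "https://fortigateurl.yourdomain:yourport/saml/login"
EXPECTED_ATTRIBUTE = "username"  # SAML Attribute Name of the User Property mapper


def check_saml_response(xml_text, expected_idp=EXPECTED_IDP_ENTITY_ID,
                        expected_acs=EXPECTED_ACS_URL, attr=EXPECTED_ATTRIBUTE):
    """Return a report dict; 'problems' is empty when everything the SP config expects is present."""
    root = ET.fromstring(xml_text)
    problems = []
    report = {"name_id": None, "name_id_format": None, "attributes": {}, "problems": problems}

    if root.tag != f"{{{NS['samlp']}}}Response":
        problems.append(f"root element is {root.tag}, not samlp:Response")
        return report
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    # Destination must equal the 'Master SAML Processing URL' configured on the Keycloak client.
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != SP ACS URL {expected_acs!r}")
    if root.findtext("saml:Issuer", default="", namespaces=NS) != expected_idp:
        problems.append("Response Issuer does not match the IdP entity ID set on the FortiGate")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (encrypted or missing)")
        return report
    # 'Sign documents: On' -> a ds:Signature on the Response; an assertion signature also counts.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("no XML Signature on Response or Assertion")
    # 'Include AuthnStatement: On'
    if assertion.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement in the assertion")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID in the Subject")
    else:
        report["name_id"] = name_id.text.strip()
        report["name_id_format"] = name_id.get("Format")

    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        report["attributes"][a.get("Name")] = values
    # The check behind the 'Firewall Authentication Failed' symptom in the thread:
    # without the mapper in the client scope, the attribute the SP config expects is absent.
    if attr not in report["attributes"]:
        problems.append(f"attribute {attr!r} missing: add the User Property mapper to the client scope")
    return report


def build_sample_response(with_username_mapper=True):
    """Constructed sample (not captured from a real system); signature value is a placeholder."""
    attr_stmt = (
        '<saml:AttributeStatement>'
        '<saml:Attribute Name="username" FriendlyName="username" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
        '<saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement>'
    ) if with_username_mapper else ""
    # Keycloak's 'Name ID format: username' is emitted with the SAML 1.1 'unspecified' format URI.
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="ID_r1" Version="2.0" '
        f'IssueInstant="2025-02-20T10:43:00Z" Destination="{EXPECTED_ACS_URL}">'
        f'<saml:Issuer>{EXPECTED_IDP_ENTITY_ID}</saml:Issuer>'
        '<ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion ID="ID_a1" Version="2.0" IssueInstant="2025-02-20T10:43:00Z">'
        f'<saml:Issuer>{EXPECTED_IDP_ENTITY_ID}</saml:Issuer>'
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        'jdoe</saml:NameID></saml:Subject>'
        '<saml:AuthnStatement AuthnInstant="2025-02-20T10:43:00Z"/>'
        f'{attr_stmt}</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    for flag in (True, False):
        rep = check_saml_response(build_sample_response(flag))
        print("mapper present" if flag else "mapper missing", "->", rep["problems"] or "OK")
```

To use it on a real exchange, paste the base64-decoded SAMLResponse from the browser's POST to `/saml/login` into `check_saml_response`; an empty `problems` list means the Response carries everything the configuration post lists, and the remaining suspects are the signature itself (wrong imported certificate) or the SSO admin/user name not matching the NameID or `username` value.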
Can you please share your config for this setup?