Attribute Shared by Okta.
FortiGate SAML Configuration.
1) Setup SAML.
# config user saml
    edit "ssl-okta-saml"
        set cert "Fortinet_Factory"
        set entity-id "https://10.5.22.142:10443/remote/saml/metadata"
        set single-sign-on-url "https://10.5.22.142:10443/remote/saml/login"
        set single-logout-url "https://10.5.22.142:10443/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/exks2hhgncBmroVhK4x6"
        set idp-single-sign-on-url "https://dev-586321.okta.com/app/fortinettechnologiesdev586321_sslsamltest_1/exks2hhgncBmroVhK4x6/sso/saml"
        set idp-single-logout-url "https://dev-586321.okta.com/app/fortinettechnologiesdev586321_sslsamltest_1/exks2hhgncBmroVhK4x6/slo/saml"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "Groups"
    next
end
2) Setup User Group.
# config user group
    edit "SAML-1"
        set member "ssl-okta-saml"
        config match
            edit 1
                set server-name "ssl-okta-saml"
                set group-name "SSL-SAML" <----- This matches the group name asserted by Okta (the IdP).
            next
        end
    next
end
Note: The firewall policy and the SSL VPN settings can then reference the configured user group name.
SAML & SSL Debug Output.
samld_send_common_reply [123]: Attr: 17, 27, magic=c2ecacb51a5448ef
samld_send_common_reply [120]: Attr: 10, 33, 'Username' 'patras@fortinet.com' <----- User name.
samld_send_common_reply [120]: Attr: 10, 20, 'Groups' 'Everyone'
samld_send_common_reply [120]: Attr: 10, 20, 'Groups' 'SSL-SAML' <----- Group Name.
samld_send_common_reply [123]: Attr: 11, 1138, https://xxx.com
[13196:root:e0]stmt: Username
[13196:root:e0]fsv_saml_login_response:429 Got saml username: patras@fortinet.com.
[13196:root:e0]stmt: Groups
[13196:root:e0]fsv_saml_login_response:436 Got group username: Everyone.
[13196:root:e0]stmt: Groups
[13196:root:e0]fsv_saml_login_response:436 Got group username: SSL-SAML.
[13196:root:e0]fsv_saml_auth_group:259 find a remote match group: SSL-SAML, portal: full-access, group: SAML-1.
[13196:root:e0]fsv_saml_auth_group:280 saml client cert: 0.
[13196:root:e0]fsv_saml_auth_group:286 add saml group info name.
[13196:root:e0]rmt_web_session_create:827 create web session, idx[0]
[13196:root:e0]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
[13196:root:e0]deconstruct_session_id:426 decode session id ok, user=[patras@fortinet.com],group=[SAML-1],authserver=[],portal=[full-access],host=[172.26.137.30],realm=[],idx=0,auth=256,sid=21af6b6c,login=1598592111,access=1598592111,saml_logout_url=no
FGT-1 # get vpn ssl monitor
SSL VPN Login Users:
Index User Group Auth Type Timeout From HTTP in/out HTTPS in/out
0 patras@fortinet.com SAML-1 256(1) 190 172.26.137.30 0/0 0/0
The same configuration can be followed for every other supported SAML IdP, such as Azure or ADFS.
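The mapping that the debug output documents (the IdP's `Groups` attribute compared against the `config match` group-name, which selects the local user group) can be reproduced offline. The following is an added example, not FortiGate code: it parses the `Attr:` lines from the samld output above and applies an assumed group-match table modelled on the CLI configuration; the sample lines and the case-sensitive comparison are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: samld reply attributes as printed in the FortiGate
# debug output, one attribute name/value pair per line.
SAMPLE_DEBUG = """\
samld_send_common_reply [120]: Attr: 10, 33, 'Username' 'patras@fortinet.com'
samld_send_common_reply [120]: Attr: 10, 20, 'Groups' 'Everyone'
samld_send_common_reply [120]: Attr: 10, 20, 'Groups' 'SSL-SAML'
"""

# Picks the quoted attribute name and value out of an "Attr:" line.
ATTR_RE = re.compile(r"Attr: \d+, \d+, '([^']*)' '([^']*)'")

# Assumed configuration mirroring the CLI above: SAML_SERVER names the
# attributes the SAML server reads, GROUP_MATCHES maps each "config match"
# group-name (remote group) to the local user group that owns the match.
SAML_SERVER = {"user-name": "Username", "group-name": "Groups"}
GROUP_MATCHES = {"SSL-SAML": "SAML-1"}


def parse_assertion_attrs(debug_output: str) -> Dict[str, List[str]]:
    """Collect attribute values from samld debug lines; a repeated
    attribute name (several 'Groups') accumulates into one list."""
    attrs: Dict[str, List[str]] = {}
    for line in debug_output.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def match_user_group(attrs: Dict[str, List[str]]) -> Optional[Tuple[str, str, str]]:
    """Return (username, remote_group, local_group) for the first asserted
    group that has a match entry, or None when no group (or no username)
    matches. Comparison is exact and case-sensitive (assumption)."""
    users = attrs.get(SAML_SERVER["user-name"], [])
    if not users:
        return None  # no username attribute: the login cannot be accepted
    for remote in attrs.get(SAML_SERVER["group-name"], []):
        local = GROUP_MATCHES.get(remote)
        if local is not None:
            return users[0], remote, local
    return None


if __name__ == "__main__":
    print(match_user_group(parse_assertion_attrs(SAMPLE_DEBUG)))
```

A user whose assertion carries only `Everyone` gets no local group and so no portal, which is the check to run when a login fails after the SAML exchange itself succeeds.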
Related Articles
Technical Tip: Configuring SAML SSO login for SSL VPN web mode with OKTA acting as SAML IdP
Copyright 2025 Fortinet, Inc. All Rights Reserved.