FortiGate
Ade_23
Staff
Article Id 295472
Description This article describes how to set up an authentication method, such as LDAP or local firewall authentication, as a backup to SAML.
Scope FortiGate.
Solution

In most cases, SAML authentication requires reaching an identity provider (IDP) over the Internet. If that IDP becomes unavailable or unreachable for any reason, users can no longer authenticate.

Therefore, for redundancy, authentication can also be set up via a method that does not require Internet access, such as local firewall authentication or a locally reachable authentication server (LDAP, RADIUS, etc.).

Note that this article does not cover the steps for setting up each authentication method, only how to use them together.

For more information on setting up SAML authentication for outbound traffic, refer to this article: Technical Tip: FortiGate SAML authentication resource list

The steps below set up an authentication method as a backup to SAML. In this scenario, local user authentication is used:

  1. Assuming that the SSO configuration to the remote IDP has been completed and tested, create a user group for SAML authentication as per the image below.
  • GUI: User & Authentication -> User Groups -> Create New.
  • CLI:


config user group
    edit "test_saml_group"
        set member "test_saml"
    next
end

Saml_user_grp.PNG

  2. Create a local user and a user group that contains it.
  • GUI: User & Authentication -> User Definition -> Create New, then User & Authentication -> User Groups -> Create New.
  • CLI:


config user local
    edit "testlocaluser"
        set type password
        set passwd xxxxxx
    next
end


config user group
    edit "test"
        set member "testlocaluser"
    next
end


user def.PNG

  3. Having created both user groups, create a policy for outbound traffic that authenticates users against the SAML group. In this example, port1 is the Internet-facing interface and port4 is the LAN interface.


config firewall policy
    edit 3
        set name "test_out_auth"
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "test_saml_group"
    next
end

  4. Create a similar policy whose only difference is the user group: this one uses the local user group.


config firewall policy
    edit 4
        set name "test_out_auth_local"
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "test"
    next
end

  5. Place the SAML policy above the local-authentication policy in the policy table, as per the image below:

saml_policy.PNG


  6. Test the authentication by generating traffic that matches the policies created above. The user is presented with a captive portal page like the one below. Selecting the SAML identity provider authenticates the user against the configured SAML IDP. If that fails, the user can instead authenticate with the local method.

auth_page.PNG


Note:

If the SAML IDP becomes unavailable for any reason, the captive portal does not remove the SAML login option.

The SAML prompt remains on the page and the SAML login simply fails. Users must reload the page to return to the authentication page, and then authenticate using the local method.
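To verify the two-policy setup and to troubleshoot the failure case described in the note above, the following FortiOS CLI checks are added here as an example; they are not part of the original article. They assume the object names used in this article (local group "test", user "testlocaluser", password xxxxxx, policy IDs 3 and 4). Lines starting with # are explanatory comments, not CLI input; confirm the exact command syntax against the CLI reference for the firmware in use.

```fortios
# 1. Confirm both policies exist and that the SAML policy (ID 3) is the one
#    listed first for port4 -> port1 traffic.
show firewall policy 3
show firewall policy 4

# 2. Exercise the backup path without a browser: authenticate the local user
#    directly against the local group. A success here proves the fallback works
#    even while the IDP is unreachable.
diagnose test authserver local test testlocaluser xxxxxx

# 3. Generate outbound traffic from a LAN host, choose the local login on the
#    captive portal, then list the authenticated sessions. An entry for
#    testlocaluser in group "test" shows that policy 4 accepted the login.
diagnose firewall auth list

# 4. To re-test (for example once the IDP is reachable again), remove the cached
#    authentication so the captive portal is presented on the next request.
diagnose firewall auth clear

# 5. If the SAML option keeps failing, trace the SAML daemon while reproducing
#    one login attempt from the captive portal, then turn the debug off again.
diagnose debug reset
diagnose debug application samld -1
diagnose debug enable
# ... reproduce the SAML login attempt from the captive portal ...
diagnose debug disable
diagnose debug reset
```

`diagnose firewall auth clear` de-authenticates every user on the unit, so run it only in a lab or during a maintenance window; `diagnose firewall auth list` alone is safe on a production FortiGate.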