SSL VPN SAML authentication using FortiAuthenticator with OneLogin as SAML IdP

Use this example to set up a SAML-based SSL VPN configuration with OneLogin as the IdP.

FortiAuthenticator and OneLogin configurations must be set up in parallel to generate the required SAML URL and certificate information.

By following the example, you can connect to a FortiGate configured for SSL VPN, with your account validated by OneLogin using FortiAuthenticator as an IdP proxy.

In this example:

  • FortiAuthenticator acts as an IdP proxy to OneLogin, i.e., the FortiAuthenticator IdP proxy receives SAML authentication requests for OneLogin, and users are validated against the OneLogin user database.

  • FortiAuthenticator acts as an IdP to local resources. SAML clients act as SAML SPs to FortiAuthenticator. FortiAuthenticator uses local or remote databases for user authentication.

    User validation is done using the OneLogin user database.

  • FortiGate is an SSL VPN gateway and acts as an SP for FortiAuthenticator.

    VPN user authentication requests are sent to FortiAuthenticator for validation.

  • OneLogin is used to create an advanced SAML custom connector.

  • OneLogin acts as an IdP for FortiAuthenticator.

Prerequisites and scope of the recipe

  1. Access to a valid OneLogin account.
  2. IP connectivity to FortiAuthenticator is already established.
  3. FortiGate SSL VPN is already configured.
  4. OneLogin MFA-related configurations are beyond the scope of this recipe.

FortiGate 7.0.3 and OneLogin - SAML Custom Connector (Advanced) - SAML 2.0 are used in this recipe.

To configure SSL VPN SAML authentication with OneLogin as SAML IdP:
  1. OneLogin related configurations:
    1. Creating a OneLogin application
    2. Configuring an application on OneLogin
      1. Configuring application parameters on OneLogin
      2. Configuring SSO on OneLogin
    3. Granting user access to the application
  2. FortiAuthenticator related configurations:
    1. Configuring a remote SAML server
    2. Configuring a OneLogin realm
    3. Creating remote SAML users
    4. Configuring SAML IdP settings
    5. Configuring FortiAuthenticator replacement message
    6. Configuring FortiGate SP settings on FortiAuthenticator
  3. FortiGate related configurations:
    1. Uploading SAML IdP certificate to the FortiGate SP
    2. Creating SAML user and server
    3. Mapping SSL VPN authentication portal
    4. Increasing remote authentication timeout using FortiGate CLI
    5. Configuring a policy to allow users access to allowed network resources
