Fortinet Document Library
Azure Administration Guide 6.2.0

Configuring SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP

This guide provides supplementary instructions for authenticating an SSL VPN SAML user against Azure Active Directory (AD) using SAML SSO in web mode. It builds on the initial Azure-side configuration described in Tutorial: Azure Active Directory single sign-on (SSO) integration with FortiGate SSL VPN.

To configure SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP:
  1. In FortiOS, upload the IdP certificate as described in Complete FortiGate command-line configuration.
  2. In the FortiOS CLI, configure the SAML user. Ensure that the identity provider (IdP)-related entries match the Azure-side configuration. The idp-single-logout-url value contains a ? character; because ? normally invokes CLI help, press Ctrl+V before typing the ? so that it is entered literally.

    config user saml
        edit "ssl-azure-saml"
            set cert "Fortinet_Factory"
            set entity-id "https://<FortiGate IP address>/remote/saml/metadata"
            set single-sign-on-url "https://<FortiGate IP address>/remote/saml/login"
            set single-logout-url "https://<FortiGate IP address>/remote/saml/logout"
            set idp-entity-id "<Azure AD identifier>"
            set idp-single-sign-on-url "<Login URL>"
            set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
            set idp-cert "<Certificate imported earlier>"
            set user-name "<Azure username attribute>"
        next
    end

    In this example, assuming that the FortiGate IP address is 104.40.18.242, the commands are as follows:

    config user saml
        edit "ssl-azure-saml"
            set cert "Fortinet_Factory"
            set entity-id "https://104.40.18.242/remote/saml/metadata"
            set single-sign-on-url "https://104.40.18.242/remote/saml/login"
            set single-logout-url "https://104.40.18.242/remote/saml/logout"
            set idp-entity-id "https://sts.windows.net/04e..."
            set idp-single-sign-on-url "https://login.microsoftonline.com/04e047fe-93e7-4..."
            set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
            set idp-cert "<Certificate imported earlier>"
            set user-name "username"
        next
    end

    The user-name attribute configured on the FortiGate entry must exactly match the name of the username attribute (claim) that Azure AD returns in the assertion. You can configure the list of SAML attributes returned by Azure AD under Username Attributes & Claims in the Azure portal.

    FortiGate can map users to specific groups based on the returned SAML user.groups attribute. The following example matches on the Azure Active Directory group ObjectId, using the set group-name command under config match:

    config user group
        edit "saml-innovcenter"
            set member "sslvpnazuread"
            config match
                edit 1
                    set server-name "sslvpnazuread"
                    set group-name "8fb8c5ee-b253-44cc-a88f-4bd62dfaf2d2"
                next
            end
        next
    end

    You can find the full list of group claims in Configure group claims for applications with Azure Active Directory.

    Ensure that the group-name attribute configured on the FortiGate SAML server entry exactly matches the name of the user.groups claim in the Azure AD portal. See the set group-name command in the following:

    config user saml
        edit "sslvpnazuread"
            set cert "fgt_az_saml"
            set entity-id "https://vpnportal.az.ftntcloudpoc.net/remote/saml/metadata"
            set single-sign-on-url "https://vpnportal.az.ftntcloudpoc.net/remote/saml/login"
            set single-logout-url "https://vpnportal.az.ftntcloudpoc.net/remote/saml/logout"
            set idp-entity-id "https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
            set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
            set idp-cert "AzureAD_innovcenter"
            set user-name "Username"
            set group-name "UserGroup"
        next
    end

    Increase the remote authentication timeout so that the browser round trip to Azure AD can complete before the FortiGate gives up on the authentication:

    config system global
        set remoteauthtimeout 60
    end

  3. Go to VPN > SSL VPN Settings. Configure as desired.

    Self-signed certificates are provided by default to simplify initial installation and testing. It is HIGHLY recommended that you acquire a signed certificate for your installation.

    Continuing to use these certificates can result in your connection being compromised, allowing attackers to steal your information, such as credit card details.

    For more information, please review Use a non-factory SSL certificate for the SSL VPN portal and learn how to Purchase and import a signed SSL certificate.

  4. Go to Policy & Objects. Create a new SSL VPN firewall policy or modify an existing one to apply to the group that contains the SAML user that you configured in step 2.
  5. Currently, a SAML user can only log in via the SSL VPN web UI portal. Log in to the portal:
    1. Go to https://<FortiGate IP address>:10443 in a browser.
    2. Click Single Sign-On.
    3. Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
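The matching rules in step 2 (user-name must equal the returned username claim name, group-name names the claim that carries group ObjectIds, and each config match entry's group-name must equal one of those ObjectIds) are easy to get wrong by a single character. The following is an added illustration, not Fortinet code: it parses a constructed, unsigned assertion shaped like the claims Azure AD emits and applies those rules as exact, case-sensitive string comparisons (an assumption about what "exactly match" means here). The claim names and the ObjectId are the ones from the configuration above; the user value, the second ObjectId and the function names are made up. Signature validation against idp-cert happens before this step on a real FortiGate and is not modelled.

```python
"""Added example (not Fortinet's code): how FortiGate-style SAML attribute
matching resolves the user name and group membership from an assertion.
Only the attribute-matching step is modelled; signature validation is
assumed to have already succeeded."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: a minimal, unsigned AttributeStatement in the shape
# Azure AD uses. The tenant id is a placeholder; the user and the second
# group ObjectId are invented for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>xxxxx-xxxxx-xxxxx-xxxxx-xxxxx</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Username">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="UserGroup">
      <saml:AttributeValue>8fb8c5ee-b253-44cc-a88f-4bd62dfaf2d2</saml:AttributeValue>
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Values taken from the page's configuration: the SAML server entry's
# user-name and group-name, and the user group's config match group-name.
CONFIG = {"user-name": "Username", "group-name": "UserGroup"}
USER_GROUPS = {"saml-innovcenter": "8fb8c5ee-b253-44cc-a88f-4bd62dfaf2d2"}


def parse_attributes(xml_text):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_user(attrs, user_name_claim):
    """Exact, case-sensitive lookup of the configured user-name claim.
    Returns None when the claim is absent, which is the login failure
    a mistyped user-name produces."""
    values = attrs.get(user_name_claim)
    return values[0] if values else None


def match_groups(attrs, group_name_claim, user_groups):
    """Return the names of user-group entries whose config match group-name
    equals one of the ObjectIds carried in the configured group claim."""
    claimed = set(attrs.get(group_name_claim, []))
    return sorted(name for name, oid in user_groups.items() if oid in claimed)


def evaluate(xml_text, config=CONFIG, user_groups=USER_GROUPS):
    """Apply both rules and report what the firewall policy would see."""
    attrs = parse_attributes(xml_text)
    return {
        "user": resolve_user(attrs, config["user-name"]),
        "groups": match_groups(attrs, config["group-name"], user_groups),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_ASSERTION))
    # A user-name typed as "username" does not match the claim "Username".
    print(evaluate(SAMPLE_ASSERTION, {"user-name": "username", "group-name": "UserGroup"}))
```

The second call shows the practical failure mode: with everything else correct, a lower-case "username" in the FortiGate entry yields no user, even though the group claim still matches. When a login fails, compare the claim names in the Azure portal against the CLI values character by character before touching anything else.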
To troubleshoot, enable debugging for the SAML daemon and the SSL VPN process in the CLI:

diagnose debug application samld -1
diagnose debug application sslvpn -1

The output should resemble the following:

samld_send_common_reply [123]: Attr: 17, 27, magic=a8111ca2943ecd0c
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
[924:root:5c]req: /remote/saml/start
[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info
[924:root:5c]rmt_web_get_access_cache:804 invalid cache, ret=4103
[924:root:5c]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[924:root:5c]sslvpn_auth_check_usrgroup:2145 got user (1) group (1:0).
[924:root:5c]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (0), realm ((null)).
[924:root:5c]sslvpn_validate_user_group_list:1963 got user (1:0), group (1:0) peer group (0).
[924:root:0]total sslvpn policy count: 1
[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/displayname
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/identityprovider
[924:root:5c]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]rmt_web_session_create:781 create web session, idx[0]
[924:root:5c]User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]req: /sslvpn/portal.html
[924:root:5c]mza: 0x28587b0 /sslvpn/portal.html
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[924:root:5c]req: /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/req
[924:root:5c]mza: 0x2858620 /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/require_all.js
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[919:root:0]allocSSLConn:289 sconn 0x7f5962887000 (0:root)
total sslvpn policy count: 1
[925:root:0]total sslvpn policy count: 1
[923:root:7b]req: /remote/logout
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=yes
[923:root:7b]session removed s: 0x7f5962887000 (root)
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=no
[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service
[924:root:7a]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[924:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
[924:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[924:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
[923:root:7c]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[923:root:7c]Destroy sconn 0x7f5962888900, connSize=1. (root)
[923:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[923:root:7b]Destroy sconn 0x7f5962887000, connSize=0. (root)
[925:root:7a]SSL state:warning close notify (208.91.115.10)
[925:root:7a]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
dchaofgt # [925:root:7b]SSL state:warning close notify (208.91.115.10)
[925:root:7b]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
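The debug output above is long, and the three things worth reading out of it when a login fails are the claims Azure AD actually sent (the stmt: lines and the samld Attr lines), whether the FortiGate decoded a web session, and which fields that session carries (user, group, portal, saml_logout_url). The following added example, which is not Fortinet code, parses lines in that format and checks that the claims the configuration depends on are present. The sample lines are constructed to match the page's format; the stmt: Username line is added for illustration and is not in the output above, and the function names are the author's own.

```python
"""Added example (not Fortinet's code): extract the returned claims and the
decoded session fields from samld / sslvpn debug output, then verify that
the claims the FortiGate configuration relies on were actually returned."""
import re

# Constructed sample in the format of the page's debug output. The session
# fields mirror the page; the claim set is illustrative.
SAMPLE_DEBUG = """\
samld_send_common_reply [123]: Attr: 17, 27, magic=a8111ca2943ecd0c
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]stmt: Username
[924:root:5c]rmt_web_session_create:781 create web session, idx[0]
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
"""

# One claim name per "stmt:" line.
STMT_RE = re.compile(r"\]stmt: (\S+)")
# samld attribute lines that carry a quoted claim name and value.
ATTR_RE = re.compile(
    r"samld_send_common_reply \[\d+\]: Attr: \d+, \d+, '([^']*)' '([^']*)'")
# The decoded session record; the key=value pairs follow "decode session id ok, ".
SESSION_RE = re.compile(r"deconstruct_session_id:\d+ decode session id ok, (.*)$")
# key=[value] or key=value, comma separated; empty brackets yield "".
FIELD_RE = re.compile(r"(\w+)=\[?([^,\[\]]*)\]?")


def parse_debug(text):
    """Return the claims listed, the samld attribute values and every decoded
    session as a dict of its fields, in the order they appear."""
    claims, attrs, sessions = [], {}, []
    for line in text.splitlines():
        m = STMT_RE.search(line)
        if m:
            claims.append(m.group(1))
            continue
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
            continue
        m = SESSION_RE.search(line)
        if m:
            sessions.append(dict(FIELD_RE.findall(m.group(1))))
    return {"claims": claims, "attrs": attrs, "sessions": sessions}


def missing_claims(parsed, required):
    """Names from the FortiGate config (user-name, group-name) that Azure AD
    did not return; any entry here explains a failed or group-less login."""
    return [name for name in required if name not in parsed["claims"]]


def session_summary(parsed):
    """The fields an operator checks first for each decoded web session."""
    keys = ("user", "group", "portal", "host", "saml_logout_url")
    return [{k: s.get(k, "") for k in keys} for s in parsed["sessions"]]


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    print("claims returned:", parsed["claims"])
    print("missing:", missing_claims(parsed, ["Username", "UserGroup"]))
    print("sessions:", session_summary(parsed))
```

Feed it the raw output of the two diagnose commands. A non-empty result from missing_claims points at the Azure-side claim configuration rather than the firewall policy; an empty sessions list with the claims present points at the FortiGate side (policy or user group), which is where the sslvpn_auth_check_usrgroup and sslvpn_validate_user_group_list lines become relevant.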
