Outbound firewall authentication with Microsoft Entra ID as a SAML IdP
In this example, users are managed through Microsoft Entra ID (formerly Azure Active Directory). The FortiGate is configured for SSO firewall authentication for outbound traffic, with authentication performed by the Microsoft Entra ID as a SAML identity provider (IdP).
The SAML interaction occurs as follows:
- The user initiates web traffic to the internet.
- The FortiGate redirects to the local captive portal port (default is 1003), then redirects the user to the SAML IdP.
- The user connects to the Microsoft login page for the SAML authentication request.
- The SAML IdP sends the SAML assertion containing the user and group.
- The browser forwards the SAML assertion to the SAML SP.
- If the user and group are allowed by the FortiGate, the user is allowed to access the internet.
In this example environment, a user is added in Microsoft Entra ID belonging to the security group called Firewall.
- Username: John Locus
- User login: jlocus@azure.kldocs.com
- Group: Firewall (ID 62b699ce-4f80-48c0-846e-c1dfde2dc667)
The goal is to allow users in the Firewall group to access the internet after passing firewall authentication.
Configuring the Microsoft Entra ID
The following Microsoft Entra ID configuration demonstrates how to add the FortiGate as an enterprise non-gallery application. This application provides SAML SSO connectivity to the Microsoft Entra IdP. Some steps are performed concurrently on the FortiGate.
This example is configured with a Microsoft Entra ID free-tier directory. This tier may have limitations on managing users that do not apply to other tiers. Consult the Microsoft Entra ID documentation for more information.
There are three steps to configure the Microsoft Entra ID:
- Create a new enterprise application.
- Configure the SAML SSO settings on the application and FortiGate.
- Assign Microsoft Entra ID users and groups to the application.
To create a new enterprise application:
- Log in to the Azure portal.
- In the Azure portal menu, click Microsoft Entra ID.
- In the left-side menu, go to Manage > Enterprise applications.
- Click New application.
- Click Create your own application.
- Enter a name for the application (SAML-FW-Auth) and select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create.
To configure the SAML SSO settings on the application and FortiGate:
This procedure requires going back and forth between Azure and the FortiGate CLI. Leave the FortiGate CLI open for the entire procedure.
- On the Overview page for your new application, go to Manage > Single sign-on and select SAML as the single sign-on method.
- The Basic SAML Configuration section in Azure describes the SAML SP entity and links that Azure will reference. Configure these settings on the FortiGate by creating a new SAML server object and defining the three SP URLs manually. The SP (IP or FQDN) addresses should be accessible by the user who is authenticating against the firewall. The port used should match the port used by the FortiGate firewall authentication captive portal. By default, this is port 1003 for HTTPS. A captive portal does not need to be configured separately. The URLs in this example use a standard convention:
  config user saml
      edit "Entra-ID-SAML"
          set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
          set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
          set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
      next
  end
- In Azure on the Set up Single Sign-On with SAML page, copy the following URLs from the FortiGate to the Basic SAML Configuration section:
  From FortiGate -> To Azure field
  SP entity ID (http://10.1.0.1:1003/remote/saml/metadata/) -> Identifier (Entity ID), set to Default
  SP single sign-on URL (https://10.1.0.1:1003/remote/saml/login/) -> Reply URL and Sign on URL
  SP single logout URL (https://10.1.0.1:1003/remote/saml/logout/) -> Logout URL
- Click Save.
- Under the SAML Signing Certificate section, download the Base64 certificate.
- Import the certificate from Azure on the FortiGate as the IdP certificate:
  - Go to System > Certificates and click Import > Remote Certificate.
  - Upload the certificate from Azure and click OK. The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N).
  - Optionally, rename the certificate in the CLI to give it a more recognizable name:
    config vpn certificate remote
        rename REMOTE_Cert_3 to ENTRA-IdP-Cert
    end
- In the Set up <application name> section, copy the URLs from Azure to the FortiGate by editing the SAML server object and adding the imported IdP certificate:
  From Azure -> To FortiGate setting
  Microsoft Entra Identifier -> idp-entity-id
  Login URL/Logout URL -> idp-single-sign-on-url
  config user saml
      edit "Entra-ID-SAML"
          set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
          set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
          set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
          set idp-entity-id "https://sts.windows.net/********-****-****-****-************/"
          set idp-single-sign-on-url "https://login.microsoftonline.com/********-****-****-****-************/saml2"
          set idp-cert "ENTRA-IdP-Cert"
      next
  end
- In Azure, edit the User Attributes & Claims section. The attributes are returned in the SAML assertion, which the FortiGate uses to verify the user and group. Configuring group matching is optional.
  - Click Add new claim, name it username, and set the Source attribute to user.displayname. The source attribute can be any of the related username fields. The value of the username returned to the FortiGate will be used in logs and monitors to identify the user.
  - Click Save.
  - Click Add a group claim and in the Group Claims pane, select All groups.
  - In Advanced Options, select Customize the name of the group claim. Set the name to group.
  - Click Save. The User Attributes & Claims section displays the updated settings.
- On the FortiGate, update the SAML server object with the username and group claim names created in Azure:
  config user saml
      edit "Entra-ID-SAML"
          set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
          set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
          set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
          set idp-entity-id "https://sts.windows.net/********-****-****-****-************/"
          set idp-single-sign-on-url "https://login.microsoftonline.com/********-****-****-****-************/saml2"
          set idp-cert "ENTRA-IdP-Cert"
          set user-name "username"
          set group-name "group"
          set digest-method sha1
      next
  end
To assign Microsoft Entra users and groups to the application:
- In Azure, go to the application's Overview page.
- Go to Manage > Users and groups and click Add user/group.
- Click Users to select the users or groups (John Locus is selected in this example).
- Click Assign to add the assignment.
Configuring the FortiGate
The user group, user authentication settings, and firewall policies must be configured on the FortiGate.
Configuring the user group
A user group named Azure-FW-Auth is created with the member Entra-ID-SAML.
Configuring group matching is optional, and the Object ID from Azure is needed for the config match settings. In the Azure default directory, go to Manage > Groups and locate the Object ID for the Firewall group.
To configure the user group:
config user group
    edit "Azure-FW-Auth"
        set member "Entra-ID-SAML"
        config match
            edit 1
                set server-name "Entra-ID-SAML"
                set group-name "62b699ce-4f80-48c0-846e-c1dfde2dc667"
            next
        end
    next
end
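The user-name and group-name settings on the SAML server object and the config match entry above decide whether an assertion that Entra ID accepted is also accepted by the FortiGate. The following script is an added example, not FortiGate code or anything from Fortinet or Microsoft: it builds a constructed, unsigned SAMLResponse carrying a username claim and a multi-valued group claim, then applies the same audience, user and group checks on it. The tenant ID, the second group ID and the sample user "Adam Thompson" response are placeholders; the SP entity ID and the Firewall group Object ID are the page's example values. Signature validation, which is what idp-cert is for on the FortiGate, is deliberately out of scope.

```python
import base64
from xml.etree import ElementTree as ET

# Namespaces used by SAML 2.0 protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the page's example: the SP entity ID the FortiGate advertises and the
# Object ID of the Firewall group used in the user group's match entry.
SP_ENTITY_ID = "http://10.1.0.1:1003/remote/saml/metadata/"
FIREWALL_GROUP_ID = "62b699ce-4f80-48c0-846e-c1dfde2dc667"
# Placeholder tenant ID (the page masks the real one).
TENANT_ID = "00000000-0000-0000-0000-000000000000"


def build_sample_response(user, groups, audience=SP_ENTITY_ID):
    """Build a constructed, UNSIGNED SAMLResponse (base64) carrying the two custom claims
    configured in the Azure app: a 'username' claim and a multi-valued 'group' claim.
    This is a stand-in for a real Entra ID response, not captured traffic."""
    group_values = "".join(
        f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups
    )
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://10.1.0.1:1003/remote/saml/login/">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>{user}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group">{group_values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def parse_attributes(saml_response_b64):
    """Decode the base64 SAMLResponse and return {attribute name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    return attrs


def evaluate(saml_response_b64, user_name_attr="username", group_name_attr="group",
             allowed_groups=(FIREWALL_GROUP_ID,), sp_entity_id=SP_ENTITY_ID):
    """Apply the checks the user-name/group-name settings and the user group's
    'config match' entry imply: the audience must be our SP entity ID, the user claim
    must be present, and at least one group value must equal an allowed Object ID.
    Returns (status, reason, user). Signature checking is not performed here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    audience = root.findtext(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        return ("failure", f"audience {audience!r} does not match SP entity ID", None)
    attrs = parse_attributes(saml_response_b64)
    users = attrs.get(user_name_attr, [])
    if not users or not users[0]:
        return ("failure", f"no {user_name_attr!r} attribute in assertion", None)
    user = users[0]
    matched = [g for g in attrs.get(group_name_attr, []) if g in allowed_groups]
    if not matched:
        # Same reason string the FortiGate logs in this situation.
        return ("failure", "No matched SAML user or group name in auth resp", user)
    return ("success", f"matched group {matched[0]}", user)


if __name__ == "__main__":
    other_group = "11111111-1111-1111-1111-111111111111"  # placeholder Object ID
    print(evaluate(build_sample_response("John Locus", [FIREWALL_GROUP_ID, other_group])))
    print(evaluate(build_sample_response("Adam Thompson", [other_group])))
```

When run, the first call succeeds because one of the group values equals the Object ID in the match entry, and the second fails with the same reason the FortiGate logs for a user who signed in to Entra ID but is not in the Firewall group. Running a captured SAMLResponse (the base64 value of the POSTed SAMLResponse form field) through parse_attributes is a quick way to confirm the claim names really are "username" and "group" and that the group claim carries Object IDs rather than display names.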
Configuring the user authentication setting
When a user initiates traffic, the FortiGate will redirect the user to the firewall authentication captive portal before redirecting them to the SAML IdP portal. After the SAML IdP responds with the SAML assertion, the user is again redirected to the firewall authentication captive portal. If the firewall portal’s certificate is not trusted by the user, they will receive a certificate warning. Use a custom certificate that the user trusts to avoid the certificate warning.
To configure a custom certificate:
- Go to User & Authentication > Authentication Settings.
- For Certificate, select the custom certificate. The custom certificate’s SAN field should have the FQDN or IP from the SP URL.
Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the portal page. This will override any assigned server certificate. In this example, the built-in Fortinet_CA_SSL is used.
To assign a CA certificate:
- Edit the user setting:
  config user setting
      set auth-ca-cert "Fortinet_CA_SSL"
  end
- Go to System > Certificates and download the certificate.
- Install the certificate into the client’s certificate store.
Configuring the firewall policies
Firewall policies must be configured to apply user authentication and still allow users behind the FortiGate to access the Microsoft login portal without authentication.
To configure the firewall policies:
- Configure a policy to allow traffic to the Microsoft Azure internet service:
  - Go to Policy & Objects > Firewall Policy and click Create New.
  - Enter the following:
    Name: LAN-to-AuthPortal
    Incoming Interface: port3
    Outgoing Interface: Underlay
    Source: all
    Destination: Microsoft-Azure (under Internet Service)
    Schedule: always
    Service: ALL
    Action: ACCEPT
    NAT: Enable and select NAT.
    Log Allowed Traffic: Enable and select All Sessions.
  - Configure the other settings as needed.
  - Click OK.
- Configure a policy to apply user authentication:
  - Click Create New and enter the following:
    Name: LAN-auth-policy
    Incoming Interface: port3
    Outgoing Interface: Underlay
    Source: all, Azure-FW-Auth
    Destination: all
    Schedule: always
    Service: ALL
    Action: ACCEPT
    NAT: Enable and select NAT.
    Log Allowed Traffic: Enable and select All Sessions.
  - Configure the other settings as needed.
  - Click OK.
Connecting from the client
When the client connects to the internet from a browser, they will be redirected to the Microsoft login page to authenticate against Microsoft Entra ID. The FortiGate’s authentication portal certificate should be installed on the client.
To connect from the client:
- On the client, open a browser (such as Firefox) and go to a website. The user is redirected to the Microsoft login page.
- Enter the user credentials.
- If the login attempt is successful, the user is allowed to access the internet.
Viewing logs and diagnostics
To verify user logins, go to the Dashboard > Users & Devices > Firewall Users widget, or enter the following in the CLI:
# diagnose firewall auth list

10.1.0.100, John Locus
        src_mac: 02:09:0f:00:03:03
        type: fw, id: 0, duration: 152, idled: 7
        expire: 292, allow-idle: 300
        server: Entra-ID-SAML
        packets: in 2097 out 932, bytes: in 2208241 out 143741
        group_id: 2
        group_name: Azure-FW-Auth
----- 1 listed, 0 filtered ------
To verify user login logs, go to Log & Report > Events > User Events, or enter the following in the CLI:
# execute log filter category event
# execute log filter field subtype user
# execute log display
17 logs found.
10 logs returned.
7: date=2021-09-30 time=09:49:25 eventtime=1633020565577584390 tz="-0700" logid="0102043039" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication logon" srcip=10.1.0.100 user="John Locus" authserver="Entra-ID-SAML" action="auth-logon" status="logon" msg="User John Locus added to auth logon"
8: date=2021-09-30 time=09:49:25 eventtime=1633020565577075629 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="John Locus" group="Azure-FW-Auth" authproto="HTTPS(10.1.0.100)" action="authentication" status="success" reason="N/A" msg="User John Locus succeeded in authentication"
If user authentication is successful in Microsoft Entra ID, but their group does not match the one defined in the FortiGate user group, the user will receive a Firewall Authentication Failed message in the browser. A log is also recorded:
# execute log filter category event
# execute log filter field subtype user
# execute log display
1: date=2021-09-30 time=10:39:35 eventtime=1633023575381139214 tz="-0700" logid="0102043009" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="Adam Thompson" group="N/A" authproto="HTTPS(10.1.0.100)" action="authentication" status="failure" reason="No matched SAML user or group name in auth resp" msg="User Adam Thompson failed in authentication"
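The user event logs above are key=value records, and the useful signal for this deployment is the status and reason fields of the authentication records: a success log with the matched group, or a failure whose reason says the assertion carried no matching user or group. The following script is an added example, not Fortinet tooling: it parses FortiGate log lines, reduces the user authentication events to the fields an analyst looks at, and counts failures per source IP so that a client that keeps passing Entra ID sign-in but failing group matching stands out. The first three sample lines are the records shown on this page; the fourth is a constructed repeat of the failed attempt (its eventtime is made up) so the per-source count is demonstrated.

```python
import re
from collections import Counter

# FortiGate log records are key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample records: lines 1-3 are the page's log records (index prefixes dropped);
# line 4 is a constructed repeat of the failure with a made-up eventtime.
SAMPLE_LOGS = [
    'date=2021-09-30 time=09:49:25 eventtime=1633020565577584390 tz="-0700" logid="0102043039" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication logon" srcip=10.1.0.100 user="John Locus" authserver="Entra-ID-SAML" action="auth-logon" status="logon" msg="User John Locus added to auth logon"',
    'date=2021-09-30 time=09:49:25 eventtime=1633020565577075629 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="John Locus" group="Azure-FW-Auth" authproto="HTTPS(10.1.0.100)" action="authentication" status="success" reason="N/A" msg="User John Locus succeeded in authentication"',
    'date=2021-09-30 time=10:39:35 eventtime=1633023575381139214 tz="-0700" logid="0102043009" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="Adam Thompson" group="N/A" authproto="HTTPS(10.1.0.100)" action="authentication" status="failure" reason="No matched SAML user or group name in auth resp" msg="User Adam Thompson failed in authentication"',
    # Constructed: a second failed attempt from the same client a few seconds later.
    'date=2021-09-30 time=10:40:02 eventtime=1633023602000000000 tz="-0700" logid="0102043009" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="Adam Thompson" group="N/A" authproto="HTTPS(10.1.0.100)" action="authentication" status="failure" reason="No matched SAML user or group name in auth resp" msg="User Adam Thompson failed in authentication"',
]


def parse_log_line(line):
    """Parse one FortiGate log line into a dict; quoted and bare values both work."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def auth_events(lines):
    """Keep only user-subtype authentication records (logon, success, failure) and
    reduce them to who, from where, the outcome, the matched group and the reason."""
    events = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "event" or rec.get("subtype") != "user":
            continue
        if rec.get("action") not in ("authentication", "auth-logon"):
            continue
        events.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "logid": rec.get("logid"),
            "user": rec.get("user"),
            "srcip": rec.get("srcip"),
            "status": rec.get("status"),
            "group": rec.get("group", "N/A"),
            "reason": rec.get("reason", "N/A"),
        })
    return events


def failures_by_source(events, threshold=2):
    """Count authentication failures per source IP and return the sources that reach
    the threshold. Repeated 'No matched SAML user or group name' failures from one
    client usually mean the user is not in the Firewall group or the Object ID in the
    user group's match entry is wrong."""
    counts = Counter(e["srcip"] for e in events if e["status"] == "failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = auth_events(SAMPLE_LOGS)
    for e in events:
        print(f"{e['time']} {e['srcip']:<12} {e['user']:<14} {e['status']:<8} "
              f"group={e['group']} reason={e['reason']}")
    print("sources at failure threshold:", failures_by_source(events))
```

The same parser applies to lines exported from Log & Report or forwarded to a syslog collector; only the index prefix that execute log display prints ("7: ") needs to be ignored, which the regex already does because it is not a key=value token.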
If a user receives the following error message, this means the user is not assigned to the enterprise application SAML-FW-Auth in Azure.
To troubleshoot SAML issues:
# diagnose debug application samld -1
# diagnose debug enable