Fortinet white logo
Fortinet white logo

Administration Guide

Outbound firewall authentication with Microsoft Entra ID as a SAML IdP

Outbound firewall authentication with Microsoft Entra ID as a SAML IdP

In this example, users are managed through Microsoft Entra ID (formerly Azure Active Directory). The FortiGate is configured for SSO firewall authentication for outbound traffic, with authentication performed by the Microsoft Entra ID as a SAML identity provider (IdP).

The SAML interaction occurs as follows:

  1. The user initiates web traffic to the internet.

  2. The FortiGate redirects to the local captive portal port (default is 1003), then redirects the user to the SAML IdP.

  3. The user connects to the Microsoft log in page for the SAML authentication request.

  4. The SAML IdP sends the SAML assertion containing the user and group.

  5. The browser forwards the SAML assertion to the SAML SP.

  6. If the user and group are allowed by the FortiGate, the user is allowed to access the internet.

In this example environment, a user is added in the Microsoft Entra ID belonging to the security group called Firewall.

  • Username: John Locus

  • User login: jlocus@azure.kldocs.com

  • Group: Firewall (ID 62b699ce-4f80-48c0-846e-c1dfde2dc667)

The goal is to allow users in the Firewall group to access the internet after passing firewall authentication.

Configuring the Microsoft Entra ID

The following Microsoft Entra ID configuration demonstrates how to add the FortiGate as an enterprise non-gallery application. This application provides SAML SSO connectivity to the Microsoft Entra IdP. Some steps are performed concurrently on the FortiGate.

Note

This example is configured with an Microsoft Entra ID free-tier directory. There may be limitations to managing users in Azure in this tier that are not limited in other tiers. Consult the Microsoft Entra ID documentation for more information.

There are three steps to configure the Microsoft Entra ID:

  1. Create a new enterprise application.

  2. Configure the SAML SSO settings on the application and FortiGate.

  3. Assign Microsoft Entra ID users and groups to the application.

To create a new enterprise application:
  1. Log in to the Azure portal.

  2. In the Azure portal menu, click Microsoft Entra ID.

  3. In the left-side menu go Manage > Enterprise applications.

  4. Click New application.

  5. Click Create your own application.

  6. Enter a name for the application (SAML-FW-Auth) and select Integrate any other application you don't find in the gallery (Non-gallery).

  7. Click Create.

To configure the SAML SSO settings on the application and FortiGate:
Note

This procedure requires going back and forth between Azure and the FortiGate CLI. Leave the FortiGate CLI open for the entire procedure.

  1. On the Overview page for your new application, go to Manage > Single sign-on and select SAML as the single sign-on method.

  2. The Basic SAML Configuration section in Azure describes the SAML SP entity and links that Azure will reference. Configure these settings on the FortiGate by creating a new SAML server object and defining the three SP URLs manually. The SP (IP or FQDN) addresses should be accessible by the user who is authenticating against the firewall. The port used should match the port used by the FortiGate firewall authentication captive portal. By default, this is port 1003 for HTTPS. A captive portal does not need to be configured separately. The URLs in this example use a standard convention:

    config user saml
        edit "Entra-ID-SAML"
            set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
            set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
            set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
        next
    end
  3. In Azure on the Set up Single Sign-On with SAML page, copy the following URLs from the FortiGate to the Basic SAML Configuration section:

    From FortiGate

    To Azure field

    SP entity ID (http://10.1.0.1:1003/remote/saml/metadata/)

    Identifier (Entity ID), set to Default

    SP single sign-on URL (https://10.1.0.1:1003/remote/saml/login/)

    Reply URL and Sign on URL

    SP single logout URL (https://10.1.0.1:1003/remote/saml/logout/)

    Logout URL

  4. Click Save.

  5. Under the SAML Signing Certificate section, download the Base64 certificate.

  6. Import the certificate from Azure on the FortiGate as the IdP certificate:

    1. Go to System > Certificates and click Import > Remote Certificate.

    2. Upload the certificate from Azure and click OK. The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N).

    3. Optionally, rename the certificate in the CLI to give it a more recognizable name:

      config vpn certificate remote
          rename REMOTE_Cert_3 to ENTRA-IdP-Cert
      end
  7. In the Set up <application name> section, copy the URLs from Azure to the FortiGate by editing the SAML server object and adding the imported IdP certificate:

    From Azure

    To FortiGate setting

    Microsoft Entra Identifier

    idp-entity-id

    Login URL/Logout URL

    idp-single-sign-on-url

    config user saml
        edit "Entra-ID-SAML"
            set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
            set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
            set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
            set idp-entity-id "https://sts.windows.net/********-****-****-****-************/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/********-****-****-****-************/saml2"
            set idp-cert "ENTRA-IdP-Cert"
        next
    end
  8. In Azure, edit the User Attributes & Claims section. The attributes are returned in the SAML assertion, which the FortiGate uses to verify the user and group. Configuring group matching is optional.

    1. Click Add new claim, name it username, and set the Source attribute to user.displayname. The source attribute can be any of the related username fields. The value of the username returned to the FortiGate will be used in logs and monitors to identify the user.

    2. Click Save.

    3. Click Add a group claim and in the Group Claims pane, select All groups.

    4. In Advanced Options, select Customize the name of the group claim. Set the name to group.

    5. Click Save. The User Attributes & Claims section displays the update settings.

  9. On the FortiGate, update the SAML server object with the username and group created in Azure:

    config user saml
        edit "Entra-ID-SAML"
            set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
            set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
            set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
            set idp-entity-id "https://sts.windows.net/********-****-****-****-************/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/********-****-****-****-************/saml2"
            set idp-cert "ENTRA-IdP-Cert"
            set user-name "username"
            set group-name "group"
            set digest-method sha1
        next
    end
To assign Microsoft Entra users and groups to the application:
  1. In Azure, go to the application's Overview page.

  2. Go to Manage > Users and groups and click Add user/group.

  3. Click Users to select the users or groups (John Locus is selected in this example).

  4. Click Assign to add the assignment.

Configuring the FortiGate

The user group, user authentication settings, and firewall policies must be configured on the FortiGate.

Configuring the user group

A user group named Azure-FW-Auth is created with the member Entra-ID-SAML.

Configuring group matching is optional, and the Object ID from Azure is needed for the config match settings. In the Azure default directory, go to Manage > Groups and locate the Object ID for the Firewall group.

To configure the user group:
config user group
    edit "Azure-FW-Auth"
        set member "Entra-ID-SAML"
        config match
            edit 1
                set server-name "Entra-ID-SAML"
                set group-name "62b699ce-4f80-48c0-846e-c1dfde2dc667"
            next
        end
    next
end

Configuring the user authentication setting

When a user initiates traffic, the FortiGate will redirect the user to the firewall authentication captive portal before redirecting them to the SAML IdP portal. After the SAML IdP responds with the SAML assertion, the user is again redirected to the firewall authentication captive portal. If the firewall portal’s certificate is not trusted by the user, they will receive a certificate warning. Use a custom certificate that the user trusts to avoid the certificate warning.

To configure a custom certificate:
  1. Go to User & Authentication > Authentication Settings.

  2. For Certificate, select the custom certificate. The custom certificate’s SAN field should have the FQDN or IP from the SP URL.

Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the portal page. This will override any assigned server certificate. In this example, the built-in Fortinet_CA_SSL is used.

To assign a CA certificate:
  1. Edit the user setting:

    config user setting
        set auth-ca-cert "Fortinet_CA_SSL"
    end
  2. Go to System > Certificates and download the certificate.

  3. Install the certificate into the client’s certificate store.

Configuring the firewall policies

Firewall policies must be configured to apply user authentication and still allow users behind the FortiGate to access the Microsoft log in portal without authentication.

To configure the firewall policies:
  1. Configure a policy to allow traffic to the Microsoft Azure internet service:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Enter the following:

      Name

      LAN-to-AuthPortal

      Incoming Interface

      port3

      Outgoing Interface

      Underlay

      Source

      all

      Destination

      Microsoft-Azure (under Internet Service)

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      Enable and select NAT.

      Log Allowed Traffic

      Enable and select All Sessions.

    3. Configure the other settings as needed.

    4. Click OK.

  2. Configure a policy to apply user authentication:

    1. Click Create New and enter the following:

      Name

      LAN-auth-policy

      Incoming Interface

      port3

      Outgoing Interface

      Underlay

      Source

      all, Azure-FW-Auth

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      Enable and select NAT.

      Log Allowed Traffic

      Enable and select All Sessions.

    2. Configure the other settings as needed.

    3. Click OK.

Connecting from the client

When the client connects to the internet from a browser, they will be redirected to the Microsoft log in page to authenticate against the Microsoft Entra ID. The FortiGate’s authentication portal certificate should be installed on the client.

To connect from the client:
  1. On the client, open a browser (such as Firefox) and go to a website. The user is redirected to the Microsoft log in page.

  2. Enter the user credentials.

  3. If the log in attempt is successful, the user is allowed to access the internet

Viewing logs and diagnostics

To verify user logins, go to the Dashboard > Users & Devices > Firewall Users widget, or enter the following in the CLI:

# diagnose firewall auth list 
10.1.0.100, John Locus
        src_mac: 02:09:0f:00:03:03
        type: fw, id: 0, duration: 152, idled: 7
        expire: 292, allow-idle: 300
        server: Entra-ID-SAML
        packets: in 2097 out 932, bytes: in 2208241 out 143741
        group_id: 2
        group_name: Azure-FW-Auth
----- 1 listed, 0 filtered ------

To verify user login logs, go to Log & Report > Events > User Events, or enter the following in the CLI:

# execute log filter category event
# execute log filter field subtype user
# execute log display 
17 logs found.
10 logs returned.
7: date=2021-09-30 time=09:49:25 eventtime=1633020565577584390 tz="-0700" logid="0102043039" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication logon" srcip=10.1.0.100 user="John Locus" authserver="Entra-ID-SAML" action="auth-logon" status="logon" msg="User John Locus added to auth logon"

8: date=2021-09-30 time=09:49:25 eventtime=1633020565577075629 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="John Locus" group="Azure-FW-Auth" authproto="HTTPS(10.1.0.100)" action="authentication" status="success" reason="N/A" msg="User John Locus succeeded in authentication"

If user authentication is successful in Microsoft Entra ID, but their group does not match the one defined in the FortiGate user group, the user will receive a Firewall Authentication Failed message in the browser. A log is also recorded:

# execute log filter category event
# execute log filter field subtype user
# execute log display 
1: date=2021-09-30 time=10:39:35 eventtime=1633023575381139214 tz="-0700" logid="0102043009" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="Adam Thompson" group="N/A" authproto="HTTPS(10.1.0.100)" action="authentication" status="failure" reason="No matched SAML user or group name in auth resp" msg="User Adam Thompson failed in authentication"

If a user receives the following error message, this means the user is not assigned to the enterprise application SAML-FW-Auth in Azure.

To troubleshoot SAML issues:
# diagnose debug application samld -1
# diagnose debug enable

Outbound firewall authentication with Microsoft Entra ID as a SAML IdP

Outbound firewall authentication with Microsoft Entra ID as a SAML IdP

In this example, users are managed through Microsoft Entra ID (formerly Azure Active Directory). The FortiGate is configured for SSO firewall authentication for outbound traffic, with authentication performed by the Microsoft Entra ID as a SAML identity provider (IdP).

The SAML interaction occurs as follows:

  1. The user initiates web traffic to the internet.

  2. The FortiGate redirects to the local captive portal port (default is 1003), then redirects the user to the SAML IdP.

  3. The user connects to the Microsoft log in page for the SAML authentication request.

  4. The SAML IdP sends the SAML assertion containing the user and group.

  5. The browser forwards the SAML assertion to the SAML SP.

  6. If the user and group are allowed by the FortiGate, the user is allowed to access the internet.

In this example environment, a user is added in the Microsoft Entra ID belonging to the security group called Firewall.

  • Username: John Locus

  • User login: jlocus@azure.kldocs.com

  • Group: Firewall (ID 62b699ce-4f80-48c0-846e-c1dfde2dc667)

The goal is to allow users in the Firewall group to access the internet after passing firewall authentication.

Configuring the Microsoft Entra ID

The following Microsoft Entra ID configuration demonstrates how to add the FortiGate as an enterprise non-gallery application. This application provides SAML SSO connectivity to the Microsoft Entra IdP. Some steps are performed concurrently on the FortiGate.

Note

This example is configured with an Microsoft Entra ID free-tier directory. There may be limitations to managing users in Azure in this tier that are not limited in other tiers. Consult the Microsoft Entra ID documentation for more information.

There are three steps to configure the Microsoft Entra ID:

  1. Create a new enterprise application.

  2. Configure the SAML SSO settings on the application and FortiGate.

  3. Assign Microsoft Entra ID users and groups to the application.

To create a new enterprise application:
  1. Log in to the Azure portal.

  2. In the Azure portal menu, click Microsoft Entra ID.

  3. In the left-side menu go Manage > Enterprise applications.

  4. Click New application.

  5. Click Create your own application.

  6. Enter a name for the application (SAML-FW-Auth) and select Integrate any other application you don't find in the gallery (Non-gallery).

  7. Click Create.

To configure the SAML SSO settings on the application and FortiGate:
Note

This procedure requires going back and forth between Azure and the FortiGate CLI. Leave the FortiGate CLI open for the entire procedure.

  1. On the Overview page for your new application, go to Manage > Single sign-on and select SAML as the single sign-on method.

  2. The Basic SAML Configuration section in Azure describes the SAML SP entity and links that Azure will reference. Configure these settings on the FortiGate by creating a new SAML server object and defining the three SP URLs manually. The SP (IP or FQDN) addresses should be accessible by the user who is authenticating against the firewall. The port used should match the port used by the FortiGate firewall authentication captive portal. By default, this is port 1003 for HTTPS. A captive portal does not need to be configured separately. The URLs in this example use a standard convention:

    config user saml
        edit "Entra-ID-SAML"
            set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
            set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
            set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
        next
    end
  3. In Azure on the Set up Single Sign-On with SAML page, copy the following URLs from the FortiGate to the Basic SAML Configuration section:

    From FortiGate

    To Azure field

    SP entity ID (http://10.1.0.1:1003/remote/saml/metadata/)

    Identifier (Entity ID), set to Default

    SP single sign-on URL (https://10.1.0.1:1003/remote/saml/login/)

    Reply URL and Sign on URL

    SP single logout URL (https://10.1.0.1:1003/remote/saml/logout/)

    Logout URL

  4. Click Save.

  5. Under the SAML Signing Certificate section, download the Base64 certificate.

  6. Import the certificate from Azure on the FortiGate as the IdP certificate:

    1. Go to System > Certificates and click Import > Remote Certificate.

    2. Upload the certificate from Azure and click OK. The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N).

    3. Optionally, rename the certificate in the CLI to give it a more recognizable name:

      config vpn certificate remote
          rename REMOTE_Cert_3 to ENTRA-IdP-Cert
      end
  7. In the Set up <application name> section, copy the URLs from Azure to the FortiGate by editing the SAML server object and adding the imported IdP certificate:

    From Azure

    To FortiGate setting

    Microsoft Entra Identifier

    idp-entity-id

    Login URL/Logout URL

    idp-single-sign-on-url

    config user saml
        edit "Entra-ID-SAML"
            set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
            set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
            set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
            set idp-entity-id "https://sts.windows.net/********-****-****-****-************/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/********-****-****-****-************/saml2"
            set idp-cert "ENTRA-IdP-Cert"
        next
    end
  8. In Azure, edit the User Attributes & Claims section. The attributes are returned in the SAML assertion, which the FortiGate uses to verify the user and group. Configuring group matching is optional.

    1. Click Add new claim, name it username, and set the Source attribute to user.displayname. The source attribute can be any of the related username fields. The value of the username returned to the FortiGate will be used in logs and monitors to identify the user.

    2. Click Save.

    3. Click Add a group claim and in the Group Claims pane, select All groups.

    4. In Advanced Options, select Customize the name of the group claim. Set the name to group.

    5. Click Save. The User Attributes & Claims section displays the update settings.

  9. On the FortiGate, update the SAML server object with the username and group created in Azure:

    config user saml
        edit "Entra-ID-SAML"
            set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
            set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
            set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
            set idp-entity-id "https://sts.windows.net/********-****-****-****-************/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/********-****-****-****-************/saml2"
            set idp-cert "ENTRA-IdP-Cert"
            set user-name "username"
            set group-name "group"
            set digest-method sha1
        next
    end
To assign Microsoft Entra users and groups to the application:
  1. In Azure, go to the application's Overview page.

  2. Go to Manage > Users and groups and click Add user/group.

  3. Click Users to select the users or groups (John Locus is selected in this example).

  4. Click Assign to add the assignment.

Configuring the FortiGate

The user group, user authentication settings, and firewall policies must be configured on the FortiGate.

Configuring the user group

A user group named Azure-FW-Auth is created with the member Entra-ID-SAML.

Configuring group matching is optional, and the Object ID from Azure is needed for the config match settings. In the Azure default directory, go to Manage > Groups and locate the Object ID for the Firewall group.

To configure the user group:
config user group
    edit "Azure-FW-Auth"
        set member "Entra-ID-SAML"
        config match
            edit 1
                set server-name "Entra-ID-SAML"
                set group-name "62b699ce-4f80-48c0-846e-c1dfde2dc667"
            next
        end
    next
end

Configuring the user authentication setting

When a user initiates traffic, the FortiGate will redirect the user to the firewall authentication captive portal before redirecting them to the SAML IdP portal. After the SAML IdP responds with the SAML assertion, the user is again redirected to the firewall authentication captive portal. If the firewall portal’s certificate is not trusted by the user, they will receive a certificate warning. Use a custom certificate that the user trusts to avoid the certificate warning.

To configure a custom certificate:
  1. Go to User & Authentication > Authentication Settings.

  2. For Certificate, select the custom certificate. The custom certificate’s SAN field should have the FQDN or IP from the SP URL.

Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the portal page. This will override any assigned server certificate. In this example, the built-in Fortinet_CA_SSL is used.

To assign a CA certificate:
  1. Edit the user setting:

    config user setting
        set auth-ca-cert "Fortinet_CA_SSL"
    end
  2. Go to System > Certificates and download the certificate.

  3. Install the certificate into the client’s certificate store.

Configuring the firewall policies

Firewall policies must be configured to apply user authentication and still allow users behind the FortiGate to access the Microsoft log in portal without authentication.

To configure the firewall policies:
  1. Configure a policy to allow traffic to the Microsoft Azure internet service:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Enter the following:

      Name

      LAN-to-AuthPortal

      Incoming Interface

      port3

      Outgoing Interface

      Underlay

      Source

      all

      Destination

      Microsoft-Azure (under Internet Service)

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      Enable and select NAT.

      Log Allowed Traffic

      Enable and select All Sessions.

    3. Configure the other settings as needed.

    4. Click OK.

  2. Configure a policy to apply user authentication:

    1. Click Create New and enter the following:

      Name

      LAN-auth-policy

      Incoming Interface

      port3

      Outgoing Interface

      Underlay

      Source

      all, Azure-FW-Auth

      Destination

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      Enable and select NAT.

      Log Allowed Traffic

      Enable and select All Sessions.

    2. Configure the other settings as needed.

    3. Click OK.

Connecting from the client

When the client connects to the internet from a browser, they will be redirected to the Microsoft log in page to authenticate against the Microsoft Entra ID. The FortiGate’s authentication portal certificate should be installed on the client.

To connect from the client:
  1. On the client, open a browser (such as Firefox) and go to a website. The user is redirected to the Microsoft log in page.

  2. Enter the user credentials.

  3. If the log in attempt is successful, the user is allowed to access the internet

Viewing logs and diagnostics

To verify user logins, go to the Dashboard > Users & Devices > Firewall Users widget, or enter the following in the CLI:

# diagnose firewall auth list 
10.1.0.100, John Locus
        src_mac: 02:09:0f:00:03:03
        type: fw, id: 0, duration: 152, idled: 7
        expire: 292, allow-idle: 300
        server: Entra-ID-SAML
        packets: in 2097 out 932, bytes: in 2208241 out 143741
        group_id: 2
        group_name: Azure-FW-Auth
----- 1 listed, 0 filtered ------

To verify user login logs, go to Log & Report > Events > User Events, or enter the following in the CLI:

# execute log filter category event
# execute log filter field subtype user
# execute log display 
17 logs found.
10 logs returned.
7: date=2021-09-30 time=09:49:25 eventtime=1633020565577584390 tz="-0700" logid="0102043039" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication logon" srcip=10.1.0.100 user="John Locus" authserver="Entra-ID-SAML" action="auth-logon" status="logon" msg="User John Locus added to auth logon"

8: date=2021-09-30 time=09:49:25 eventtime=1633020565577075629 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="John Locus" group="Azure-FW-Auth" authproto="HTTPS(10.1.0.100)" action="authentication" status="success" reason="N/A" msg="User John Locus succeeded in authentication"

If user authentication is successful in Microsoft Entra ID, but their group does not match the one defined in the FortiGate user group, the user will receive a Firewall Authentication Failed message in the browser. A log is also recorded:

# execute log filter category event
# execute log filter field subtype user
# execute log display 
1: date=2021-09-30 time=10:39:35 eventtime=1633023575381139214 tz="-0700" logid="0102043009" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="Adam Thompson" group="N/A" authproto="HTTPS(10.1.0.100)" action="authentication" status="failure" reason="No matched SAML user or group name in auth resp" msg="User Adam Thompson failed in authentication"

If a user receives the following error message, this means the user is not assigned to the enterprise application SAML-FW-Auth in Azure.

To troubleshoot SAML issues:
# diagnose debug application samld -1
# diagnose debug enable