Fortinet Document Library

Azure Cookbook 6.2.0
Configuring SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP

This guide provides instructions on using SAML SSO to authenticate SSL VPN web mode users against Azure Active Directory (AD), with Azure AD acting as the SAML identity provider (IdP) and the FortiGate acting as the service provider (SP).

To configure SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP:
  1. In the Azure portal, create a new non-gallery enterprise application. Go to Azure Active Directory > Enterprise applications. Click New application, then Non-gallery application.
  2. In the newly created application, go to Single sign-on, then select SAML.
  3. Under SAML Signing Certificate, click Download beside Certificate (Base64).
  4. Under set up fortigate-saml-sso, copy the values in the Login URL, Azure AD Identifier, and Logout URL fields.

  5. In FortiOS, go to System > Certificates > Import > Remote Certificate. Import the Azure AD SAML certificate downloaded in step 3.
  6. In the FortiOS CLI, configure the SAML user. Ensure that the identity provider (IdP)-related entries match the Azure-side configuration. The idp-single-logout-url value contains a question mark (?). Because the CLI normally interprets ? as a request for help, press Ctrl+V before typing ? so that it is entered literally as part of the value.

    config user saml
        edit "ssl-azure-saml"
            set cert "Fortinet_Factory"
            set entity-id "https://<FortiGate IP address>/remote/saml/metadata"
            set single-sign-on-url "https://<FortiGate IP address>/remote/saml/login"
            set single-logout-url "https://<FortiGate IP address>/remote/saml/logout"
            set idp-entity-id "<Azure AD identifier copied in step 4>"
            set idp-single-sign-on-url "<Login URL copied in step 4>"
            set idp-single-logout-url "<Logout URL copied in step 4>"
            set idp-cert "<Certificate imported in step 5>"
        next
    end

    In this example, assuming that the FortiGate IP address is 104.40.18.242, the commands would be as follows:

    config user saml
        edit "ssl-azure-saml"
            set cert "Fortinet_Factory"
            set entity-id "https://104.40.18.242/remote/saml/metadata"
            set single-sign-on-url "https://104.40.18.242/remote/saml/login"
            set single-logout-url "https://104.40.18.242/remote/saml/logout"
            set idp-entity-id "https://sts.windows.net/04e..."
            set idp-single-sign-on-url "https://login.microsoftonline.com/04e047fe-93e7-4..."
            set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
            set idp-cert "<Certificate imported in step 5>"
        next
    end

    Continue to configure other settings:

    config user group
        edit "sslvpn"
            set member "<SAML user>"
        next
    end

    config system global
        set remoteauthtimeout 60
    end

  7. Go to VPN > SSL VPN Settings. Configure as desired.
  8. Go to Policy & Objects. Create a new SSL VPN firewall policy or modify an existing one to apply to the group that contains the SAML user referenced in step 6.
  9. Currently, a SAML user can only log in via the SSL VPN web UI portal. Log in to the portal:
    1. Go to https://<FortiGate IP address>:10443 in a browser.
    2. Click Single Sign-On.
    3. Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
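The following Python script is an added example, not Fortinet's code: it renders the `config user saml` block from step 6 for one FortiGate address, parses it back, and checks that the SP-side URLs follow the page's pattern and that the IdP-side values equal what was copied from the Azure application. The tenant id and certificate name are constructed placeholders; the "bad" sample shows how a logout URL that lost everything after the `?` (the mistake the Ctrl+V note guards against) is caught before the configuration is trusted.

```python
import re
from urllib.parse import urlparse

SP_PATHS = {"entity-id": "/remote/saml/metadata",  # SP-side paths the page specifies
            "single-sign-on-url": "/remote/saml/login", "single-logout-url": "/remote/saml/logout"}
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*?)"?\s*$')

def render_user_saml(name, fortigate_host, azure_values, idp_cert):
    """Render the `config user saml` block from the page for one FortiGate address."""
    body = ['    set cert "Fortinet_Factory"']
    body += [f'    set {k} "https://{fortigate_host}{p}"' for k, p in SP_PATHS.items()]
    body += [f'    set {k} "{v}"' for k, v in azure_values.items()]
    body.append(f'    set idp-cert "{idp_cert}"')
    return "config user saml\n" + f'  edit "{name}"\n' + "\n".join(body) + "\n  next\nend\n"

def parse_user_saml(cli_text):
    """Return {entry name: {setting: value}} parsed from a `config user saml` block."""
    entries, current = {}, None
    for line in cli_text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current, entries[m.group(1)] = m.group(1), {}
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
    return entries

def check_entry(settings, fortigate_host, azure_values):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    for key, path in SP_PATHS.items():
        u = urlparse(settings.get(key, ""))
        if (u.scheme, u.hostname, u.path) != ("https", fortigate_host, path):
            problems.append(f"{key} should be https://{fortigate_host}{path}")
    for key, expected in azure_values.items():  # catches a truncated or mistyped IdP value
        if settings.get(key) != expected:
            problems.append(f"{key} does not match the value copied from Azure")
    if not settings.get("idp-cert"):
        problems.append("idp-cert is not set; import the Azure signing certificate first")
    return problems

# Constructed sample values (placeholder tenant id, not a real tenant).
AZURE = {"idp-entity-id": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
         "idp-single-sign-on-url": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2",
         "idp-single-logout-url": "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"}
GOOD_CLI = render_user_saml("ssl-azure-saml", "104.40.18.242", AZURE, "Azure_SAML_Cert")
# Same block with the logout URL cut off at the `?`, as when `?` was taken as a help request.
BAD_CLI = GOOD_CLI.replace("?wa=wsignout1.0", "")
```

Run `check_entry(parse_user_saml(BAD_CLI)["ssl-azure-saml"], "104.40.18.242", AZURE)` to see the single mismatch reported for the truncated logout URL.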
To troubleshoot, run the following debug commands:

diagnose debug application samld -1
diagnose debug application sslvpn -1

The output should resemble the following:

[924:root:5c]req: /remote/saml/start
[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info
[924:root:5c]rmt_web_get_access_cache:804 invalid cache, ret=4103
[924:root:5c]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[924:root:5c]sslvpn_auth_check_usrgroup:2145 got user (1) group (1:0).
[924:root:5c]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (0), realm ((null)).
[924:root:5c]sslvpn_validate_user_group_list:1963 got user (1:0), group (1:0) peer group (0).
[924:root:0]total sslvpn policy count: 1
[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/displayname
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/identityprovider
[924:root:5c]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]rmt_web_session_create:781 create web session, idx[0]
[924:root:5c]User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]req: /sslvpn/portal.html
[924:root:5c]mza: 0x28587b0 /sslvpn/portal.html
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[924:root:5c]req: /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/req
[924:root:5c]mza: 0x2858620 /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/require_all.js
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[919:root:0]allocSSLConn:289 sconn 0x7f5962887000 (0:root)
total sslvpn policy count: 1
[925:root:0]total sslvpn policy count: 1
[923:root:7b]req: /remote/logout
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=yes
[923:root:7b]session removed s: 0x7f5962887000 (root)
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=no
[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service
[924:root:7a]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[924:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
[924:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[924:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
[923:root:7c]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[923:root:7c]Destroy sconn 0x7f5962888900, connSize=1. (root)
[923:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[923:root:7b]Destroy sconn 0x7f5962887000, connSize=0. (root)
[925:root:7a]SSL state:warning close notify (208.91.115.10)
[925:root:7a]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
dchaofgt # [925:root:7b]SSL state:warning close notify (208.91.115.10)
[925:root:7b]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
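The following Python script is an added example, not part of the Fortinet page: it groups the `sslvpn` debug lines above by the connection id in the `[pid:vdom:conn]` prefix and extracts, per connection, the request sequence, the claims the IdP asserted, the decoded web session fields and any session removal, so a reviewer can confirm that a login went /remote/saml/start, /remote/saml/login, /sslvpn/portal.html with a session for the expected user and group, or see where a failed attempt stopped. The sample log is a constructed subset of the output shown on the page.

```python
import re
from collections import defaultdict

# Every debug line starts with [pid:vdom:conn]; conn ties the lines of one connection together.
PREFIX = re.compile(r'^\[(\d+):(\w+):([0-9a-f]+)\](.*)$')
SESSION = re.compile(r'decode session id ok, (.*)$')
# Session fields are either key=[bracketed value] or key=value, comma separated.
KV = re.compile(r'(\w+)=\[([^\]]*)\]|(\w+)=(\S+?)(?:,|$)')

def parse_session_fields(text):
    """Turn 'user=[x],group=[y],idx=0,...' into a dict of strings."""
    return {m.group(1) or m.group(3): m.group(2) if m.group(1) else m.group(4)
            for m in KV.finditer(text)}

def summarise(log_text):
    """Group debug lines per connection id: requests, asserted claims, decoded session, removal."""
    conns = defaultdict(lambda: {"requests": [], "claims": [], "session": None, "removed": False})
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:  # prompt echoes and lines without a prefix are ignored
            continue
        c, body = conns[m.group(3)], m.group(4)
        s = SESSION.search(body)
        if body.startswith("req: "):
            c["requests"].append(body[5:])
        elif body.startswith("stmt: "):
            c["claims"].append(body[6:])
        elif s:
            c["session"] = parse_session_fields(s.group(1))
        elif "web session" in body and "removed" in body:
            c["removed"] = True
    return dict(conns)

def login_completed(summary, conn):
    """True when the IdP response reached /remote/saml/login and a web session exists for a named user."""
    c = summary.get(conn)
    return bool(c and "/remote/saml/login" in c["requests"] and c["session"] and c["session"].get("user"))

# Constructed sample: a subset of the page's debug output, with the wrapped saml_logout_url field rejoined.
SAMPLE_LOG = """\
[924:root:5c]req: /remote/saml/start
[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info
[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[924:root:5c]req: /sslvpn/portal.html
[923:root:7b]req: /remote/logout
[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service
"""
```

Feed the full capture to `summarise` and compare the `claims` list against the attributes your policy expects the IdP to assert; a login that never reaches /remote/saml/login points at the Azure-side URLs, one that reaches it with no session at the user group or policy.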
