Azure Cookbook 6.2.0
Configuring SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP

This guide supplements Tutorial: Azure Active Directory single sign-on (SSO) integration with FortiGate SSL VPN. It covers the FortiOS side: configuring a SAML user so that SSL VPN web-mode logins authenticate against Azure Active Directory (AD) with SAML SSO, on top of the initial Azure-side configuration described in that tutorial.

To configure SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP:
  1. In FortiOS, upload the certificate as Complete FortiGate command-line configuration describes.
  2. In the FortiOS CLI, configure the SAML user. Ensure that the identity provider (IdP) entries match the Azure-side configuration. The idp-single-logout-url value contains a ? character; because the FortiOS CLI treats ? as a request for help, press Ctrl+V before typing ? so that it is entered literally.

    config user saml
        edit "ssl-azure-saml"
            set cert "Fortinet_Factory"
            set entity-id "https://<FortiGate IP address>/remote/saml/metadata"
            set single-sign-on-url "https://<FortiGate IP address>/remote/saml/login"
            set single-logout-url "https://<FortiGate IP address>/remote/saml/logout"
            set idp-entity-id "<Azure AD identifier>"
            set idp-single-sign-on-url "<Login URL>"
            set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
            set idp-cert "<Certificate imported earlier>"
            set user-name "<Azure username attribute>"
        next
    end

    In this example, assuming that the FortiGate IP address is 104.40.18.242, the commands are as follows:

    config user saml
        edit "ssl-azure-saml"
            set cert "Fortinet_Factory"
            set entity-id "https://104.40.18.242/remote/saml/metadata"
            set single-sign-on-url "https://104.40.18.242/remote/saml/login"
            set single-logout-url "https://104.40.18.242/remote/saml/logout"
            set idp-entity-id "https://sts.windows.net/04e..."
            set idp-single-sign-on-url "https://login.microsoftonline.com/04e047fe-93e7-4..."
            set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
            set idp-cert "<Certificate imported earlier>"
            set user-name "username"
        next
    end

    The user-name entry must match the username attribute shown in the Username Attributes & Claims section of the Azure portal.

    Continue configuring group matching in FortiOS as the Azure tutorial shows.

    Configure the remaining settings:

    config system global
        set remoteauthtimeout 60
    end

  3. Go to VPN > SSL VPN Settings. Configure as desired.

    Self-signed certificates are provided by default to simplify initial installation and testing. It is HIGHLY recommended that you acquire a signed certificate for your installation.

    Continuing to use these certificates can result in your connection being compromised, allowing attackers to steal your information, such as credit card details.

    For more information, please review Use a non-factory SSL certificate for the SSL VPN portal and learn how to Purchase and import a signed SSL certificate.

  4. Go to Policy & Objects. Create a new SSL VPN firewall policy or modify an existing one to apply to the group that contains the SAML user that you configured in step 2.
  5. Currently, a SAML user can only log in via the SSL VPN web UI portal. Log in to the portal:
    1. Go to https://<FortiGate IP address>:10443 in a browser.
    2. Click Single Sign-On.
    3. Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
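As an added check (example script, not part of this Fortinet guide), the following Python linter parses a config user saml block and flags the mistakes the steps above warn about: SP URLs that are not https or do not use the fixed /remote/saml paths on one FortiGate address, unfilled angle-bracket placeholders, missing entries, and the ? in idp-single-logout-url that needs Ctrl+V in the CLI. The sample block is constructed from the example above; the tenant values are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the page's example block, with the IdP values the page
# elides replaced by labelled placeholders (not real tenant data).
SAMPLE_CONFIG = """\
config user saml
    edit "ssl-azure-saml"
        set cert "Fortinet_Factory"
        set entity-id "https://104.40.18.242/remote/saml/metadata"
        set single-sign-on-url "https://104.40.18.242/remote/saml/login"
        set single-logout-url "https://104.40.18.242/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
        set idp-cert "<Certificate imported earlier>"
        set user-name "username"
    next
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*)"?\s*$')
SP_PATHS = {"entity-id": "/remote/saml/metadata",          # SP metadata
            "single-sign-on-url": "/remote/saml/login",    # assertion consumer
            "single-logout-url": "/remote/saml/logout"}    # single logout
REQUIRED = ("cert", "idp-entity-id", "idp-single-sign-on-url", "idp-cert", "user-name")

def parse_saml_block(text):
    """Map every 'set <key> <value>' line of a config user saml block to {key: value}."""
    return {m.group(1): m.group(2) for m in map(SET_RE.match, text.splitlines()) if m}

def lint_saml_config(text):
    """Return findings for the block; an empty list means it matches the page's layout."""
    cfg = parse_saml_block(text)
    findings = [f"{k}: missing" for k in REQUIRED if not cfg.get(k)]
    hosts = set()
    for key, path in SP_PATHS.items():            # all three SP URLs must name this
        u = urlparse(cfg.get(key, ""))            # FortiGate over https with fixed paths
        if u.scheme != "https" or u.path != path:
            findings.append(f"{key}: expected https://<FortiGate address>{path}")
        hosts.add(u.netloc)
    if len(hosts) != 1:
        findings.append("SP URLs name different FortiGate hosts")
    if "?" in cfg.get("idp-single-logout-url", ""):
        findings.append("idp-single-logout-url contains '?': press Ctrl+V before typing it in the CLI")
    for key, val in cfg.items():                  # angle-bracket placeholders were never filled in
        if re.search(r"<[^>]+>", val):
            findings.append(f"{key}: placeholder {val!r} not replaced")
    return findings
```

Run lint_saml_config on a block copied from the FortiGate before committing it; the placeholder findings disappear once the real tenant values and certificate name are in place.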

To troubleshoot, enable debug output for the SAML daemon and for SSL VPN:

diagnose debug application samld -1
diagnose debug application sslvpn -1

The output should resemble the following:

[924:root:5c]req: /remote/saml/start
[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info
[924:root:5c]rmt_web_get_access_cache:804 invalid cache, ret=4103
[924:root:5c]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[924:root:5c]sslvpn_auth_check_usrgroup:2145 got user (1) group (1:0).
[924:root:5c]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (0), realm ((null)).
[924:root:5c]sslvpn_validate_user_group_list:1963 got user (1:0), group (1:0) peer group (0).
[924:root:0]total sslvpn policy count: 1
[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/displayname
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/identityprovider
[924:root:5c]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]rmt_web_session_create:781 create web session, idx[0]
[924:root:5c]User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]req: /sslvpn/portal.html
[924:root:5c]mza: 0x28587b0 /sslvpn/portal.html
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[924:root:5c]req: /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/req
[924:root:5c]mza: 0x2858620 /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/require_all.js
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[919:root:0]allocSSLConn:289 sconn 0x7f5962887000 (0:root)
total sslvpn policy count: 1
[925:root:0]total sslvpn policy count: 1
[923:root:7b]req: /remote/logout
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=yes
[923:root:7b]session removed s: 0x7f5962887000 (root)
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=no
[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service
[924:root:7a]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[924:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
[924:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[924:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
[923:root:7c]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[923:root:7c]Destroy sconn 0x7f5962888900, connSize=1. (root)
[923:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[923:root:7b]Destroy sconn 0x7f5962887000, connSize=0. (root)
[925:root:7a]SSL state:warning close notify (208.91.115.10)
[925:root:7a]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
[925:root:7b]SSL state:warning close notify (208.91.115.10)
[925:root:7b]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
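As an added example (not from the Fortinet guide), this Python parser reads samld/sslvpn debug output of the kind shown above, rejoins records that a terminal capture has wrapped onto two lines, and checks the expected web-mode flow: the /remote/saml/start, /remote/saml/login, /sslvpn/portal.html request sequence, the presence of the name claim (assumed here to be the attribute mapped to user-name), and that the decoded session belongs to the expected user and group on the web-access portal. The log excerpt is constructed from the lines above.

```python
import re

# Constructed excerpt modelled on the page's samld/sslvpn debug output; the long
# deconstruct_session_id record is split in two, as a terminal capture wraps it.
SAMPLE_LOG = """\
[924:root:5c]req: /remote/saml/start
[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info
[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]rmt_web_session_create:781 create web session, idx[0]
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sam
l_logout_url=yes
[924:root:5c]req: /sslvpn/portal.html
[923:root:7b]req: /remote/logout
"""

PREFIX_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](.*)$")   # [pid:vdom:conn]body
FIELD_RE = re.compile(r"(\w+)=\[?([^,\[\]]*)\]?")             # key=[value] or key=value

def parse_debug(text):
    """Return requested paths, asserted claims and decoded session fields."""
    records = []
    for line in text.splitlines():
        if PREFIX_RE.match(line) or not records:
            records.append(line)
        else:                      # continuation of a wrapped record
            records[-1] += line.strip()
    out = {"requests": [], "claims": [], "sessions": []}
    for rec in records:
        body = rec.partition("]")[2]          # text after the [pid:vdom:conn] prefix
        if body.startswith("req: "):
            out["requests"].append(body[5:])
        elif body.startswith("stmt: "):
            out["claims"].append(body[6:])
        elif "decode session id ok, " in body:
            out["sessions"].append(dict(FIELD_RE.findall(body.split("ok, ", 1)[1])))
    return out

def check_web_login(parsed, user, group):
    """List deviations from the page's expected web-mode flow; [] means it matched."""
    expected = ["/remote/saml/start", "/remote/saml/login", "/sslvpn/portal.html"]
    seen = [r for r in parsed["requests"] if r in expected]
    problems = [] if seen[:3] == expected else [f"request order {seen} != {expected}"]
    if not any(c.endswith("/claims/name") for c in parsed["claims"]):
        problems.append("IdP assertion carried no name claim to match user-name against")
    for s in parsed["sessions"]:
        if (s.get("user"), s.get("group"), s.get("portal")) != (user, group, "web-access"):
            problems.append("unexpected session " + s.get("sid", "?"))
    return problems
```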
