Configuring SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP
This guide provides supplementary instructions for authenticating an SSL VPN SAML user against Azure Active Directory (AD) via web mode using SAML SSO. It builds on the initial Azure-side configuration described in Tutorial: Azure Active Directory single sign-on (SSO) integration with FortiGate SSL VPN.
To configure SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP:
- In FortiOS, upload the certificate as Complete FortiGate command-line configuration describes.
- In the FortiOS CLI, configure the SAML user. Ensure that the identity provider (IdP)-related entries match the Azure-side configuration. The idp-single-logout-url value contains a ? character in the string. When entering the value in the CLI, ensure you press Ctrl+V before entering the ?.
config user saml
edit "ssl-azure-saml"
set cert "Fortinet_Factory"
set entity-id "https://<FortiGate IP address>/remote/saml/metadata"
set single-sign-on-url "https://<FortiGate IP address>/remote/saml/login"
set single-logout-url "https://<FortiGate IP address>/remote/saml/logout"
set idp-entity-id "<Azure AD identifier>"
set idp-single-sign-on-url "<Login URL>"
set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
set idp-cert "<Certificate imported earlier>"
set user-name "<Azure username attribute>"
next
end
In this example, assuming that the FortiGate IP address is 104.40.18.242, the commands are as follows:
config user saml
edit "ssl-azure-saml"
set cert "Fortinet_Factory"
set entity-id "https://104.40.18.242/remote/saml/metadata"
set single-sign-on-url "https://104.40.18.242/remote/saml/login"
set single-logout-url "https://104.40.18.242/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/04e..."
set idp-single-sign-on-url "https://login.microsoftonline.com/04e047fe-93e7-4..."
set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
set idp-cert "<Certificate imported earlier>"
set user-name "username"
next
end
The user-name entry should match the username attribute in the Username Attributes & Claims section in the Azure portal. Continue configuring FortiOS for group matching as the Azure tutorial shows.
Configure other settings:
config system global
set remoteauthtimeout 60
end
- Go to VPN > SSL VPN Settings. Configure as desired.
Self-signed certificates are provided by default to simplify initial installation and testing. It is HIGHLY recommended that you acquire a signed certificate for your installation.
Continuing to use these certificates can result in your connection being compromised, allowing attackers to steal your information, such as credit card details.
For more information, please review Use a non-factory SSL certificate for the SSL VPN portal and learn how to Purchase and import a signed SSL certificate.
- Go to Policy & Objects. Create a new SSL VPN firewall policy or modify an existing one to apply to the group that contains the SAML user that you configured in step 2.
- Currently, a SAML user can only log in via the SSL VPN web UI portal. Log in to the portal:
- Go to https://<FortiGate IP address>:10443 in a browser.
- Click Single Sign-On.
- Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
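The SP-side and IdP-side entries of the config user saml block above must agree with what Azure publishes, and the ? in idp-single-logout-url is easy to lose when typed into the CLI. The following added example (not Fortinet's code or part of the original page) parses a FortiOS CLI block and a minimal Azure AD federation metadata document, both constructed samples with TENANT-ID-PLACEHOLDER standing in for a real tenant ID, and reports mismatches, including a logout URL whose query string was cut off.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample in the shape this page shows; TENANT-ID-PLACEHOLDER stands in for a real tenant.
# The idp-single-logout-url here is deliberately missing its "?wa=wsignout1.0" query string.
FORTIOS_SAML_CLI = """config user saml
    edit "ssl-azure-saml"
        set entity-id "https://104.40.18.242/remote/saml/metadata"
        set single-sign-on-url "https://104.40.18.242/remote/saml/login"
        set single-logout-url "https://104.40.18.242/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation"
        set user-name "username"
    next
end"""

# Constructed minimal Azure AD federation metadata for the same placeholder tenant.
AZURE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_fortios_saml(cli_text):
    """Map each `set <key> "<value>"` line of the CLI block to key -> value."""
    return dict(re.findall(r'^\s*set\s+(\S+)\s+"([^"]*)"\s*$', cli_text, re.M))

def parse_idp_metadata(xml_text):
    """Pull the IdP entityID and the HTTP-Redirect SingleSignOnService Location out of SAML metadata."""
    ns = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService"
                    "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", ns)
    return {"entity_id": root.get("entityID"), "sso_url": None if sso is None else sso.get("Location")}

def check_saml_config(cfg, idp, fortigate_host):
    """Return a list of findings; an empty list means the SP and IdP sides line up."""
    findings = []
    for key, path in (("entity-id", "/remote/saml/metadata"),
                      ("single-sign-on-url", "/remote/saml/login"),
                      ("single-logout-url", "/remote/saml/logout")):
        if cfg.get(key) != f"https://{fortigate_host}{path}":
            findings.append(f"{key} should be https://{fortigate_host}{path}")
    if cfg.get("idp-entity-id") != idp["entity_id"]:
        findings.append("idp-entity-id does not match the metadata entityID")
    if cfg.get("idp-single-sign-on-url") != idp["sso_url"]:
        findings.append("idp-single-sign-on-url does not match the HTTP-Redirect SSO Location")
    # A "?" typed without Ctrl+V first is not stored as part of the value, so the query string is lost.
    if "?wa=wsignout1.0" not in cfg.get("idp-single-logout-url", ""):
        findings.append("idp-single-logout-url lost its '?wa=wsignout1.0' query string")
    return findings
```

Run against a `show user saml` capture and the metadata XML downloaded from the Azure enterprise application to catch the mismatch before a user reports a failed login or logout.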
To troubleshoot:
diagnose debug application samld -1
diagnose debug application sslvpn -1
The output should resemble the following:
[924:root:5c]req: /remote/saml/start
[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info
[924:root:5c]rmt_web_get_access_cache:804 invalid cache, ret=4103
[924:root:5c]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[924:root:5c]sslvpn_auth_check_usrgroup:2145 got user (1) group (1:0).
[924:root:5c]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (0), realm ((null)).
[924:root:5c]sslvpn_validate_user_group_list:1963 got user (1:0), group (1:0) peer group (0).
[924:root:0]total sslvpn policy count: 1
[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/displayname
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/identityprovider
[924:root:5c]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]rmt_web_session_create:781 create web session, idx[0]
[924:root:5c]User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]req: /sslvpn/portal.html
[924:root:5c]mza: 0x28587b0 /sslvpn/portal.html
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[924:root:5c]req: /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/req
[924:root:5c]mza: 0x2858620 /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/require_all.js
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[919:root:0]allocSSLConn:289 sconn 0x7f5962887000 (0:root)
total sslvpn policy count: 1
[925:root:0]total sslvpn policy count: 1
[923:root:7b]req: /remote/logout
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=yes
[923:root:7b]session removed s: 0x7f5962887000 (root)
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=no
[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service
[924:root:7a]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[924:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
[924:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[924:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
[923:root:7c]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[923:root:7c]Destroy sconn 0x7f5962888900, connSize=1. (root)
[923:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[923:root:7b]Destroy sconn 0x7f5962887000, connSize=0. (root)
[925:root:7a]SSL state:warning close notify (208.91.115.10)
[925:root:7a]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
[925:root:7b]SSL state:warning close notify (208.91.115.10)
[925:root:7b]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
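Reading the debug stream by hand is error-prone, so the following added example (not Fortinet's code or part of the original page) parses a capture in the format shown above into the requests seen, the claims the IdP asserted (the stmt: lines), and the fields of each decoded web session, then flags sessions whose group is not the one bound to the SSL VPN policy. The excerpt is constructed from the lines above; treating the second bracket field as the VDOM name is an assumption.

```python
import re

# Constructed excerpt in the shape of the `diagnose debug application sslvpn -1` output above.
DEBUG_OUTPUT = """[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/displayname
[924:root:5c]rmt_web_session_create:781 create web session, idx[0]
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
total sslvpn policy count: 1
[923:root:7b]req: /remote/logout
[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service
"""

# "[<pid>:<vdom>:<ctx>]<message>"; the vdom reading of the middle field is an assumption.
LINE_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<ctx>[0-9a-f]+)\](?P<msg>.*)$")
# Session fields come either as key=[value] (value may be empty) or as bare key=value.
FIELD_RE = re.compile(r"(\w+)=\[([^\]]*)\]|(\w+)=([^,\s]+)")

def parse_debug(text):
    """Summarise a samld/sslvpn debug capture: requests, asserted claims, decoded sessions."""
    summary = {"requests": [], "claims": [], "sessions": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines without the [pid:vdom:ctx] prefix carry no per-connection detail
        msg = m.group("msg")
        if msg.startswith("req: "):
            summary["requests"].append(msg[5:])
        elif msg.startswith("stmt: "):
            summary["claims"].append(msg[6:])
        elif "decode session id ok, " in msg:
            fields = {"pid": m.group("pid"), "ctx": m.group("ctx")}
            for k1, v1, k2, v2 in FIELD_RE.findall(msg.split("ok, ", 1)[1]):
                fields[k1 or k2] = v1 if k1 else v2
            summary["sessions"].append(fields)
    return summary

def sessions_outside_group(summary, expected_group):
    """Return decoded sessions whose group differs from the group the SSL VPN policy expects."""
    return [s for s in summary["sessions"] if s.get("group") != expected_group]
```

Compare the claims list with the user-name setting to confirm Azure actually sends the attribute FortiOS expects, and use the session fields (user, group, portal, saml_logout_url) to confirm the login and logout paths completed as described.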