FortiVoice Enterprise
FortiGate / FortiOS
FortiAnalyzer
FortiManager
FortiWeb
FortiTester
FortiAuthenticator
FortiADC
FortiSandbox
FortiWeb Manager
Configuring SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP
This guide provides instructions on using SAML SSO to authenticate against Azure Active Directory (AD) with SSL VPN SAML user via web mode.
To configure SAML SSO login for SSL VPN web mode with Azure AD acting as SAML IdP:
- In the Azure portal, create a new non-gallery enterprise application. Go to Azure Active Directory > Enterprise applications. Click New application, then Non-gallery application.
- In the newly created application, go to Single sign-on, then select SAML.
- Under SAML Signing Certificate, click Download beside Certificate (Base64).
- Under set up fortigate-saml-sso, copy the values in the Login URL, Azure AD Identifier, and Logout URL fields.
- In FortiOS, go to System > Certificates > Import > Remote Certificate. Import the Azure AD SAML certificate downloaded in step 3.
- In the FortiOS CLI, configure the SAML user. Ensure that identity provider (IdP)-related entries match the Azure-side configuration. The
idp-single-logout-urlvalue has a?mark in the string. When entering the value in the CLI, ensure you pressCtrlandVbefore entering?.config user saml
edit "ssl-azure-saml"
set cert "Fortinet_Factory"
set entity-id "https://<FortiGate IP address>/remote/saml/metadata"
set single-sign-on-url "https://<FortiGate IP address>/remote/saml/login"
set single-logout-url "https://<FortiGate IP address>/remote/saml/logout"
set idp-entity-id "<Azure AD identifier copied in step 4>"
set idp-single-sign-on-url "<Login URL copied in step 4>"
set idp-single-logout-url "<Logout URL copied in step 4>"
set idp-cert "<Certificate imported in step 5>"
next
end
In this example, assuming that the FortiGate IP address is 104.40.18.242, the commands are as follows:
config user saml
edit "ssl-azure-saml"
set cert "Fortinet_Factory"
set entity-id "https://104.40.18.242/remote/saml/metadata"
set single-sign-on-url "https://104.40.18.242/remote/saml/login"
set single-logout-url "https://104.40.18.242/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/04e..."
set idp-single-sign-on-url "https://login.microsoftonline.com/04e047fe-93e7-4..."
set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
set idp-cert "<Certificate imported in step 5>"
next
end
Continue to configure other settings:
config user group
edit "sslvpn"
set member "<SAML user>"
next
end
config system global
set remoteauthtimeout 60
end
- Go to VPN > SSL VPN Settings. Configure as desired.
- Go to Policy & Objects. Create a new SSL VPN firewall policy or modify an existing one to apply to the group that contains the SAML user referenced in step 6.
- Currently, a SAML user can only log in via the SSL VPN web UI portal. Log in to the portal:
- Go to https://<FortiGate IP address>:10443 in a browser.
- Click Single Sign-On.
- Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
To troubleshoot:
diagnose debug application samld -1
diagnose debug application sslvpn -1
The output should resemble the following:
[924:root:5c]req: /remote/saml/start
[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info
[924:root:5c]rmt_web_get_access_cache:804 invalid cache, ret=4103
[924:root:5c]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[924:root:5c]sslvpn_auth_check_usrgroup:2145 got user (1) group (1:0).
[924:root:5c]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (0), realm ((null)).
[924:root:5c]sslvpn_validate_user_group_list:1963 got user (1:0), group (1:0) peer group (0).
[924:root:0]total sslvpn policy count: 1
[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/displayname
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/identityprovider
[924:root:5c]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]rmt_web_session_create:781 create web session, idx[0]
[924:root:5c]User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sa$
l_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sa$
l_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sa$
l_logout_url=no
[924:root:5c]req: /sslvpn/portal.html
[924:root:5c]mza: 0x28587b0 /sslvpn/portal.html
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sam
l_logout_url=yes
[924:root:5c]req: /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/req
[924:root:5c]mza: 0x2858620 /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/require_all.js
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sam
l_logout_url=yes
[919:root:0]allocSSLConn:289 sconn 0x7f5962887000 (0:root)
total sslvpn policy count: 1
[925:root:0]total sslvpn policy count: 1
[923:root:7b]req: /remote/logout
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=yes
[923:root:7b]session removed s: 0x7f5962887000 (root)
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=no
[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service
[924:root:7a]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[924:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
[924:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[924:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
[923:root:7c]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[923:root:7c]Destroy sconn 0x7f5962888900, connSize=1. (root)
[923:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[923:root:7b]Destroy sconn 0x7f5962887000, connSize=0. (root)
[925:root:7a]SSL state:warning close notify (208.91.115.10)
[925:root:7a]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
dchaofgt # [925:root:7b]SSL state:warning close notify (208.91.115.10)
[925:root:7b]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)