With the release of FortiOS 6.4 for FortiGate and FortiClient 6.4 it is now possible to create a seamless SSL-VPN solution that integrates with third-party SAML SSO Identity Providers (IdPs) and leverages their MFA capabilities, so VPN access can have the same security level as configured in the IdP.
This link shows how Fortinet explains this using SAML to FortiAuthenticator, but it could just as well be towards another SAML Identity Provider.
In this guide we are using Google G Suite as Identity Provider.
Thanks to inspiration from what Matt Sherif did with Azure AD: https://www.ultraviolet.network/post/fortigate-ssl-vpn-with-azure-mfa-using-saml
FortiGate with FortiOS 6.4.0 or higher. This guide was created using FortiOS 6.4.2.
FortiClient or FortiClientVPN 6.4.0 or higher
A G Suite account
Create New App.
From the Admin console go to Apps -> SAML apps, click "+" and choose "Setup my own custom app"
Copy the SSO URL
Copy the Entity ID
Download the certificate and import it on the FortiGate
Enter a name, e.g. FGT-SSL-VPN
Paste the ACS URL, which is: "https://<fqdn>:<port>/remote/saml/login/"
Paste the Entity ID, which is: "http://<fqdn>:<port>/remote/saml/metadata/"
Set Start URL to: "https://<fqdn>:<port>/remote/login/"
Check Signed response
Leave Name ID at Basic Information / Primary Email
Leave Name ID format at UNSPECIFIED
Under SAML Attribute Mapping enter "username" and leave Basic Information / Primary Email
Finally check the configuration; it should look similar to this
Now you have a SAML IdP. Next, set up the FortiGate as SAML Service Provider (SP). This is CLI only.
config user saml
    edit "gsuite-sslvpn"
        set cert "Fortinet_Factory"
        set entity-id "http://<fqdn>:<port>/remote/saml/metadata/"
        set single-sign-on-url "https://<fqdn>:<port>/remote/saml/login/"
        set single-logout-url "https://<fqdn>:<port>/remote/saml/logout/"
        set idp-entity-id "https://accounts.google.com/o/saml2?idpid=XYZ"
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=XYZ"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
    next
end
Pay attention to the "?". In the FortiOS CLI "?" is the help key, so press ctrl+v before typing it to enter a literal "?": paste everything left of the "?", press ctrl+v, type the "?", then paste the rest of the URL.
Create a user group and add the SAML profile as a member
config user group
    edit "saml_gsuite"
        set member "gsuite-sslvpn"
    next
end
Create the SSL-VPN settings either from the CLI or the GUI; here is the CLI version.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "ssl_vpn_user_pool"
    set port 10443
    set source-interface "wan" "inside"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 2
            set groups "saml_gsuite"
            set portal "full-access"
        next
    end
end
Remember to create a firewall policy with the SSL interface as source and the SAML user group as group.
config firewall policy
    edit 1337
        set name "SSL_VPN"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link" "inside"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set groups "saml_gsuite"
    next
end
FortiClientVPN 6.4.2 supports SAML (tunnel-mode), tested on Windows and macOS. Web-mode works on multiple platforms; I have tested both iOS and macOS.
In FortiClientVPN, create a new SSL-VPN profile, set the remote gateway and the customized port, enable "Enable Single Sign On (SSO) for VPN Tunnel" and you are ready to go.
For the managed FortiClient this is all configured in FortiClient EMS.
A few words of advice: be extra careful when entering the URLs, i.e. trailing "/", embedded "?" and the http/https scheme.
If it does not work, here are some troubleshooting commands that might be useful.
Debug the SAML flow:
diagnose debug reset
# optional: diagnose debug application httpsd -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable
Debug SSL-VPN authentication:
This one is useful to see if the IdP returns a username that is understood by the SP
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application authd -1
diagnose debug application sslvpn -1
diagnose debug enable
Another good source of debug information is a SAML extension in your browser. I used these for Chrome:
SAML Chrome Panel: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace
SAML Message Decoder: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm
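To make the URL checks concrete, here is an added Python example (not from the original post) that decodes a SAMLResponse such as one captured with the browser extensions above and compares its Issuer, Destination, Audience and "username" attribute with the values in the FortiGate SP configuration. The host vpn.example.com:10443, the idpid XYZ and the sample response are constructed placeholders; the sample deliberately omits the trailing "/" on the Audience to show how such a mismatch is reported.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the FortiGate "config user saml" block; vpn.example.com:10443
# and XYZ are constructed placeholders for <fqdn>:<port> and the G Suite idpid.
EXPECTED = {
    "idp-entity-id": "https://accounts.google.com/o/saml2?idpid=XYZ",
    "single-sign-on-url": "https://vpn.example.com:10443/remote/saml/login/",
    "entity-id": "http://vpn.example.com:10443/remote/saml/metadata/",
    "user-name": "username",
}

# Constructed, unsigned sample response (no signature check here); Audience lacks the trailing "/".
SAMPLE_RESPONSE = base64.b64encode(b"""\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://vpn.example.com:10443/remote/saml/login/">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=XYZ</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>http://vpn.example.com:10443/remote/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""")

def parse_saml_response(b64_response):
    """Decode a base64 SAMLResponse and pull out the fields the SP configuration must match."""
    root = ET.fromstring(base64.b64decode(b64_response))
    text = lambda path: (root.findtext(path, default="", namespaces=NS) or "").strip()
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    return {"issuer": text("saml:Issuer"), "destination": root.get("Destination", ""),
            "audience": text(".//saml:Audience"), "name_id": text(".//saml:NameID"),
            "attributes": attrs}

def check_against_sp_config(parsed, expected):
    """List mismatches between the IdP response and the FortiGate SAML SP settings."""
    checks = [("Issuer", parsed["issuer"], expected["idp-entity-id"]),
              ("Destination", parsed["destination"], expected["single-sign-on-url"]),
              ("Audience", parsed["audience"], expected["entity-id"])]
    problems = ["%s %r does not match SP value %r" % c for c in checks if c[1] != c[2]]
    if expected["user-name"] not in parsed["attributes"]:
        problems.append("attribute %r missing; SP user-name lookup will fail" % expected["user-name"])
    return problems
```

Run it against a real response by replacing SAMPLE_RESPONSE with the base64 SAMLResponse value from the decoder extension and EXPECTED with your own entity-id, single-sign-on-url and idp-entity-id.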
That's it, hope you liked it.