Fortinet SSL-VPN with Okta MFA using SAML
With the release of FortiOS 6.4 for FortiGate and FortiClient 6.4 it is now possible to create a seamless SSL-VPN solution that integrates with third-party SAML SSO Identity Providers (IdP) and leverages their MFA capabilities, so VPN access can have the same security level as configured in the IdP.
This link shows how Fortinet explains the same setup using SAML towards FortiAuthenticator, but it could just as well be towards another SAML Identity Provider.
In this guide we are using Okta as the Identity Provider.
Thanks to Matt Sherif for the inspiration; he did the same with Azure AD: https://www.ultraviolet.network/post/fortigate-ssl-vpn-with-azure-mfa-using-saml
1. Prerequisites
FortiGate with FortiOS 6.4.0 or higher. This guide is created using FortiOS 6.4.2.
FortiClient or FortiClientVPN 6.4.0 or higher
An Okta account
2. Setting up Okta SAML 2.0 Application
Create New App.
Use the guide presented here: https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/332274/configuring-the-okta-developer-account-idp-application
Note: It is not necessary to create a developer account.
Pay attention to the SAML settings. Set Application username to Email and add the Attribute Statement as shown below:
Go to the Okta SAML Identity Provider settings:
Download the certificate and import it on the FortiGate.
Copy the IdP Single Sign-On URL into the FortiGate config (see below).
Copy the IdP Issuer into the FortiGate config (see below).
3. FortiGate Configuration
Now that you have a SAML IdP, set up the FortiGate as the SAML Service Provider (SP). This is CLI only.
config user saml
    edit "okta-sslvpn"
        set cert "Fortinet_Factory"
        set entity-id "http://<fqdn>:<port>/remote/saml/metadata/"
        set single-sign-on-url "https://<fqdn>:<port>/remote/saml/login/"
        set single-logout-url "https://<fqdn>:<port>/remote/saml/logout/"
        set idp-entity-id "<Okta Identity Provider Issuer>"
        set idp-single-sign-on-url "<Okta Identity Provider Single Sign-On URL>"
        set idp-single-logout-url "https://<domain>.okta.com"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
    next
end
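As an added example (not part of the original guide), the stanza above can be generated from the IdP's standard SAML 2.0 metadata XML rather than copied by hand, which avoids the URL transcription mistakes the troubleshooting section warns about. The metadata sample, tenant name, FQDN and port are constructed placeholders; the certificate still has to be imported on the FortiGate under the name given to idp-cert.

```python
"""Build the FortiGate 'config user saml' stanza from standard SAML 2.0 IdP metadata
(the issuer, HTTP-POST SSO URL and signing cert) instead of re-typing the values."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; issuer, tenant and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC_PLACEHOLDER_BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/example_sslvpn/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return issuer, HTTP-POST SSO URL and PEM signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    pem = "-----BEGIN CERTIFICATE-----\n" + cert.text.strip() + "\n-----END CERTIFICATE-----"
    return {"issuer": root.get("entityID"), "sso_url": sso.get("Location"), "cert_pem": pem}

def render_fortios_saml(fqdn, port, idp, name="okta-sslvpn", idp_cert="REMOTE_Cert_2"):
    """Render the stanza; the SP URLs keep the trailing '/' that the guide's config uses."""
    sp = f"{fqdn}:{port}"
    return "\n".join([
        "config user saml",
        f'    edit "{name}"',
        '        set cert "Fortinet_Factory"',
        f'        set entity-id "http://{sp}/remote/saml/metadata/"',
        f'        set single-sign-on-url "https://{sp}/remote/saml/login/"',
        f'        set single-logout-url "https://{sp}/remote/saml/logout/"',
        f'        set idp-entity-id "{idp["issuer"]}"',
        f'        set idp-single-sign-on-url "{idp["sso_url"]}"',
        f'        set idp-cert "{idp_cert}"',  # import idp["cert_pem"] under this name first
        '        set user-name "username"',
        "    next",
        "end",
    ])
```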
Add the SAML user to a user group.
config user group
    edit "saml_okta"
        set member "okta-sslvpn"
    next
end
Create the SSL-VPN settings either from the CLI or the GUI; here is the CLI version.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "ssl_vpn_user_pool"
    set port 10443
    set source-interface "wan" "inside"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 2
            set groups "saml_okta"
            set portal "full-access"
        next
    end
end
Remember to create a firewall policy with the SSL interface as source and the SAML user group as group.
config firewall policy
    edit 1337
        set name "SSL_VPN"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link" "inside"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set groups "saml_okta"
    next
end
4. FortiClientVPN Configuration
FortiClientVPN 6.4.2 supports SAML in tunnel mode; I have tested it on Windows and macOS. Web mode works on multiple platforms; I have tested both iOS and macOS.
In FortiClientVPN, create a new SSL-VPN profile, set the remote gateway and the customized port, enable "Enable Single Sign On (SSO) for VPN Tunnel", and you are ready to go.
For the managed FortiClient this is all configured in FortiClient EMS.
5. Troubleshooting
A few words of advice. Be extra careful when entering the URLs, in particular the trailing "/", any embedded "?" and the http/https scheme.
If it does not work, here are some troubleshooting commands that might be useful.
Debug SAML flow
diagnose debug reset
# optional: diagnose debug application httpsd -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable
Debug SSL-VPN authentication.
This one is useful to see whether the IdP returns a username that is understood by the SP.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application authd -1
diagnose debug application sslvpn -1
diagnose debug enable
Another good source of debug is SAML extensions in your browser. I used these for Chrome:
SAML Chrome Panel: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace
SAML Message Decoder: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm
6. User Experience Demo
That's it, hope you liked it.