FortiWiFi and FortiAP Configuration Guide

Captive portal authentication using SAML credentials

When a SAML user has been configured on the FortiGate, a user group containing this SAML user can be applied to a captive portal in a wireless tunnel mode SSID. You can configure both a captive portal exempt firewall policy to allow wireless clients to contact the SAML IDP and a firewall policy with the SAML user group applied to allow authenticated traffic. When wireless clients connect to the SSID, they will be redirected to a login page for wireless authentication using SAML.

To configure SAML Authentication - GUI
  1. Create a SAML server on a FortiGate:
    1. Go to User & Authentication > Single Sign-On and click Create new.
    2. Enter a Name for the SAML server (saml-fac) and configure the Service Provider and Identity Provider information.

    3. When you are finished, click Submit.
  2. Create a user group with members as the SAML server you created:
    1. Go to User & Authentication > User Groups and click Create New.
    2. Enter a Name for the group (saml_grp).
    3. In the Remote Groups table, click Add.
    4. In the Remote Server dropdown, select the SAML server you created (saml-fac) and click OK.

  3. Select the user group in a Captive portal VAP:
    1. Go to WiFi & Switch Controller > SSIDs and click Create New > SSID.
    2. Enter an SSID name (_CAP_SAML).
    3. Ensure that Traffic mode is set to Tunnel.
    4. Under Security Mode Settings, set the Security mode to Captive Portal.
    5. In User groups, select the group you created (saml_grp).

    6. Configure other settings as needed.
    7. When you are finished, click OK.
  4. Create a firewall policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Configure the following:

      Incoming Interface: Select the captive portal VAP (_CAP_SAML).
      Source: all
      Destination: Select the saml server.
      Action: ACCEPT

    3. Configure other settings as needed.
    4. When you are finished, click OK.
    5. You can only configure captive-portal-exempt from the CLI:

       config firewall policy
         edit 8
           set captive-portal-exempt enable
       end
  5. Create a policy that lets wireless clients reach outbound destinations after they pass authentication:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Configure the following:

      Incoming Interface: Select the captive portal VAP (_CAP_SAML).
      Source: all, and select the SAML user group (saml_grp).
      Destination: all
      Action: ACCEPT

    3. Configure other settings as needed.
    4. When you are finished, click OK.

When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.

To configure SAML Authentication - CLI
  1. Create a SAML server on a FortiGate:

    config user saml
      edit "saml-fac"
        set entity-id "http://10.40.80.1:1000/saml/metadata/"
        set single-sign-on-url "https://10.40.80.1:1003/saml/login/"
        set single-logout-url "https://10.40.80.1:1003/saml/logout/"
        set idp-entity-id "http://172.18.58.93:443/saml-idp/wifiqa1234/metadata/"
        set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/wifiqa1234/login/"
        set idp-single-logout-url "https://172.18.58.93:443/saml-idp/wifiqa1234/logout/"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
      next
    end
  2. Create a user group with members as the SAML server you created:

    config user group
      edit "saml_grp"
        set member "saml-fac"
      next
    end
  3. Select the user group in a Captive portal VAP:

    config wireless-controller vap
      edit "wifi4"
        set ssid "_CAP_SAML"
        set security captive-portal
        set selected-usergroups "saml_grp"
        set security-exempt-list "wifi4-exempt-list"
        set security-redirect-url "http://www.example.com"
        set schedule "always"
      next
    end
  4. Create two firewall policies from the VAP to the outbound interface:

    • One policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication (firewall policy ID 8, name "exempt").
    • One regular policy that lets wireless clients reach outbound destinations after passing authentication (firewall policy ID 6, name "cap2").

    The exempt policy has ID 8 and the name "exempt"; the regular policy has ID 6 and the name "cap2":

    config firewall policy
      edit 8
        set name "exempt"
        set uuid d8f2b572-b2fa-51ec-d3ad-3110a44be109
        set srcintf "wifi4"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "saml"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set comments "Exempt policy"
        set captive-portal-exempt enable
      next
      edit 6
        set name "cap2"
        set uuid 3a4f1518-7b57-55dc-f5kf-21748a5ch415
        set srcintf "wifi4"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "saml_grp"
      next
    end

When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.
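
An added example (not from Fortinet's guide): a small Python check over a saved FortiOS configuration that flags the security-relevant points in the CLI steps above, namely a SAML server that uses a SHA-1 digest or a non-HTTPS SSO/SLO URL, and a captive-portal-exempt policy on the portal interface whose destination is "all" instead of the IdP address. The sample text is constructed from this page's settings plus a hypothetical policy 9, and the parser assumes flat config/edit/set blocks.

```python
import shlex

# Constructed sample: a trimmed copy of this page's CLI settings plus policy 9,
# an over-broad exempt policy that is NOT on the page (added to show a finding).
SAMPLE = '''
config user saml
  edit "saml-fac"
    set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/wifiqa1234/login/"
    set digest-method sha1
end
config firewall policy
  edit 8
    set srcintf "wifi4"
    set dstaddr "saml"
    set captive-portal-exempt enable
  next
  edit 9
    set srcintf "wifi4"
    set dstaddr "all"
    set captive-portal-exempt enable
end
'''

def parse(text):  # flat config/edit/set -> {section: {entry: {key: [values]}}}
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)  # handles quoted names and values
        if len(tok) < 2:
            continue  # blank line, "next" or "end"
        if tok[0] == "config":
            section, entry = cfg.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def audit(text, portal_intf="wifi4"):  # portal_intf: the captive portal VAP
    cfg, findings = parse(text), []
    for name, saml in cfg.get("user saml", {}).items():
        if saml.get("digest-method") == ["sha1"]:
            findings.append(f"saml {name}: SHA-1 digest")
        findings += [f"saml {name}: {k} not https" for k, v in saml.items()
                     if k.endswith("-url") and v and not v[0].startswith("https://")]
    for pid, pol in cfg.get("firewall policy", {}).items():
        exempt = pol.get("captive-portal-exempt") == ["enable"]
        if exempt and portal_intf in pol.get("srcintf", []) and "all" in pol.get("dstaddr", []):
            findings.append(f"policy {pid}: portal-exempt with dstaddr all")
    return findings
```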
