Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Configuring FortiAuthenticator

Configure the remote servers

A remote OAuth server is used to obtain group membership from Azure AD. Later, a FortiToken can be associated with those users.

To configure the remote OAuth server:
  1. Go to Authentication > Remote Auth. Servers > OAUTH, and click Create New.
  2. Configure the following information:
    • Name: Enter a name for your OAuth server, for example: AzureCSE.
    • OAuth sourceAzure Directory.
    • Client ID: Enter your Azure Application ID.
    • Client Key: Enter your Azure key.
  3. Click OK.
To configure the remote SAML server:
  1. Go to Authentication > Remote Auth. Servers > SAML, and click Create New.
  2. Under Remote SAML Server, configure the following:
    • Name: Enter a name for the server. This name must match the server name configured in Azure. In this example, the server name is Azure_fac_as_idpproxy.
    • TypeProxy.
    • Entity ID: Select the Azure IdP option.
    • Import IdP metadata/certificate: Import the certificate that you previously exported from Azure.
    • IdP entity ID: Enter the Azure AD Identifier from your Azure configuration.
    • IdP single sign-on URL: Enter the Login URL from your Azure configuration.
  3. Under Single Logout, configure the following:
    • Enable SAML single logout: Optionally, you can enable this setting to enable SAML single logout.
    • IdP single logout URL: Enter the Logout URL from your Azure configuration.
  4. Under Username, configure the following:
    • Obtain username from:  Select Text SAML assertion and use the configured username claim URL from your Azure configuration.
  5. In Group Membership, configure the following:
    • Obtain group membership from: Select Cloud and choose your remote OAuth server. Group membership of a particular user will be retrieved dynamically through OAuth upon authentication.

  6. Click OK.

Configure the SAML IdP settings on FortiAuthenticator

To create the Azure realm:
  1. Go to Authentication > User Management > Realms, and click Create New.
  2. Configure the following information:
    1. Name: Enter a name for your user realm, for example: azurecse
    2. User source: Select your remote SAML server as the user source.
  3. Click OK.
To enable SAML IdP on FortiAuthenticator:
  1. Go to Authentication > SAML IdP > General, click Enable SAML Identity Provider portal, and configure the following:
    1. Server address: Enter the IP or FQDN of your FortiAuthenticator.
    2. Realms: Select the SAML realm as the default.
    3. Default IdP certificate: Select a default IdP certificate.
  2. Click OK.
    You will also need to download your IdP certificate for use later. It can be downloaded from Certificate Management > End Entities.
To add FortiGate as a SAML service provider:
  1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
  2. Under Edit SAML Service Provider, configure the following:
    • SP name: Enter a name for this service provider, for example: fgt1sslvpn.
    • IdP prefix: Enter a custom IdP prefix or click Generate prefix to automatically populate this field.
  3. Under Assertion Attributes, configure the following:
    • Subject NameIDRemote SAML Server > Subject NameID.
    • Formaturn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.
  4. Under SAML Attributes, add the following attributes. The user and group information will be propagated by the FortiAuthenticator IdP in SAML assertions to FortiGate. These must match with the user-name and group-name keywords defined for the SAML user. See Configure the SAML user.
    • Attribute 1: SAML attribute: groups,  User attribute: SAML Group membership.
    • Attribute 2: SAML attribute: username, User attribute: SAML Username.
  5. Click Save.

    Note

    Once the settings have been saved, you will see that additional options are available.

    You can return to complete the configuration of the SAML service provider settings on FortiAuthenticator once you have configured your FortiGate SAML user. You will need to enter the SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL from the FortiGate configuration.

To update the SAML replacement message:
  1. Go to Authentication > SAML IdP > Replacement Messages.
  2. Select SAML IdP > Login Page, and then select idp-proxy in the Restore Default dropdown menu.
    You can now edit the content in the right pane to include the Portal URL obtained from your remote SAML server. The URL must be replaced in three places as indicated by [proxy_portal_url] in the text.

  3. Click Save.

Configure FortiToken

To include tokens in a user's authentication:
  1. Go to Authentication > User Management > Remote Users, select SAML, and click Import.
  2. Under Import Remote SAML Users, configure the following settings:
    1. Remote SAML server: Select your remote SAML server, for example: Azure_fac_as_idpproxy.
    2. Group: Select All users or choose a user group.
  3. Click OK.
  4. Edit an imported user to define the token. Enable Token-based authentication, and select your token type.
  5. Click OK.

Configuring FortiAuthenticator

Configure the remote servers

A remote OAuth server is used to obtain group membership from Azure AD. Later, a FortiToken can be associated with those users.

To configure the remote OAuth server:
  1. Go to Authentication > Remote Auth. Servers > OAUTH, and click Create New.
  2. Configure the following information:
    • Name: Enter a name for your OAuth server, for example: AzureCSE.
    • OAuth sourceAzure Directory.
    • Client ID: Enter your Azure Application ID.
    • Client Key: Enter your Azure key.
  3. Click OK.
To configure the remote SAML server:
  1. Go to Authentication > Remote Auth. Servers > SAML, and click Create New.
  2. Under Remote SAML Server, configure the following:
    • Name: Enter a name for the server. This name must match the server name configured in Azure. In this example, the server name is Azure_fac_as_idpproxy.
    • TypeProxy.
    • Entity ID: Select the Azure IdP option.
    • Import IdP metadata/certificate: Import the certificate that you previously exported from Azure.
    • IdP entity ID: Enter the Azure AD Identifier from your Azure configuration.
    • IdP single sign-on URL: Enter the Login URL from your Azure configuration.
  3. Under Single Logout, configure the following:
    • Enable SAML single logout: Optionally, you can enable this setting to enable SAML single logout.
    • IdP single logout URL: Enter the Logout URL from your Azure configuration.
  4. Under Username, configure the following:
    • Obtain username from:  Select Text SAML assertion and use the configured username claim URL from your Azure configuration.
  5. In Group Membership, configure the following:
    • Obtain group membership from: Select Cloud and choose your remote OAuth server. Group membership of a particular user will be retrieved dynamically through OAuth upon authentication.

  6. Click OK.

Configure the SAML IdP settings on FortiAuthenticator

To create the Azure realm:
  1. Go to Authentication > User Management > Realms, and click Create New.
  2. Configure the following information:
    1. Name: Enter a name for your user realm, for example: azurecse
    2. User source: Select your remote SAML server as the user source.
  3. Click OK.
To enable SAML IdP on FortiAuthenticator:
  1. Go to Authentication > SAML IdP > General, click Enable SAML Identity Provider portal, and configure the following:
    1. Server address: Enter the IP or FQDN of your FortiAuthenticator.
    2. Realms: Select the SAML realm as the default.
    3. Default IdP certificate: Select a default IdP certificate.
  2. Click OK.
    You will also need to download your IdP certificate for use later. It can be downloaded from Certificate Management > End Entities.
To add FortiGate as a SAML service provider:
  1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
  2. Under Edit SAML Service Provider, configure the following:
    • SP name: Enter a name for this service provider, for example: fgt1sslvpn.
    • IdP prefix: Enter a custom IdP prefix or click Generate prefix to automatically populate this field.
  3. Under Assertion Attributes, configure the following:
    • Subject NameIDRemote SAML Server > Subject NameID.
    • Formaturn:oasis:names:tc:SAML:2.0:nameid-format:unspecified.
  4. Under SAML Attributes, add the following attributes. The user and group information will be propagated by the FortiAuthenticator IdP in SAML assertions to FortiGate. These must match with the user-name and group-name keywords defined for the SAML user. See Configure the SAML user.
    • Attribute 1: SAML attribute: groups,  User attribute: SAML Group membership.
    • Attribute 2: SAML attribute: username, User attribute: SAML Username.
  5. Click Save.

    Note

    Once the settings have been saved, you will see that additional options are available.

    You can return to complete the configuration of the SAML service provider settings on FortiAuthenticator once you have configured your FortiGate SAML user. You will need to enter the SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL from the FortiGate configuration.

To update the SAML replacement message:
  1. Go to Authentication > SAML IdP > Replacement Messages.
  2. Select SAML IdP > Login Page, and then select idp-proxy in the Restore Default dropdown menu.
    You can now edit the content in the right pane to include the Portal URL obtained from your remote SAML server. The URL must be replaced in three places as indicated by [proxy_portal_url] in the text.

  3. Click Save.

Configure FortiToken

To include tokens in a user's authentication:
  1. Go to Authentication > User Management > Remote Users, select SAML, and click Import.
  2. Under Import Remote SAML Users, configure the following settings:
    1. Remote SAML server: Select your remote SAML server, for example: Azure_fac_as_idpproxy.
    2. Group: Select All users or choose a user group.
  3. Click OK.
  4. Edit an imported user to define the token. Enable Token-based authentication, and select your token type.
  5. Click OK.