FortiGate SSL VPN with FortiAuthenticator as SAML IdP
In this configuration, the FortiGate acts as a SAML Service Provider (SP) requesting authentication from FortiAuthenticator, which acts as a SAML Identity Provider (IdP). The FortiAuthenticator connects to Windows AD via LDAP to authenticate user requests. The FortiAuthenticator also acts as a root CA to sign certificates for the SP, the IdP and the FortiGate SSL VPN portal.
Users are managed in Windows AD under the Security Groups Finance and Sales. The users are:
| User name | sAMAccountName | Security Group | MemberOf |
|---|---|---|---|
| Tom Smith | tsmith | Sales | CN=Sales,CN=Users,DC=fortiad,DC=info |
| Dan Parker | dparker | Finance | CN=Finance,CN=Users,DC=fortiad,DC=info |
The following shows the topology for the configuration used in this example:
The authentication process is as follows in this deployment using SSL VPN web mode:
- The user initiates an SSL VPN request to the FortiGate.
- The FortiGate sends a POST redirect to the browser.
- The browser redirects the SAML authentication request to FortiAuthenticator.
- The user authenticates with FortiAuthenticator using their LDAP credentials.
- FortiAuthenticator sends a SAML assertion that contains the user and group authentication in a POST redirect to the SSL VPN login page.
- The browser sends the redirected FortiAuthenticator request that contains the SAML assertion to the FortiGate.
- The FortiGate consumes the assertion and provides the user with access to resources based on the defined firewall security policy.
Note: In the case of SSL VPN tunnel mode, the communication on the user endpoint is done by FortiClient rather than the browser.
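The last step of the flow, the SP consuming the assertion, is where the security of the whole exchange is decided: the FortiGate must verify the IdP's signature, check that the response answers the request it actually sent, that the assertion is addressed to this SP and still within its validity window, and only then map the group attribute to a portal. The following added example (not FortiOS or FortiAuthenticator code) models that consumer in Python with a constructed, unsigned response; the entity IDs, the `username`/`group` attribute names and the portal names are assumptions, while the AD groups come from the table above. Signature verification is represented by a flag because it needs an XML Signature library, and untrusted XML should be parsed with a hardened parser such as defusedxml.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed entity IDs (assumptions; the guide does not give them).
SP_ENTITY_ID = "https://sslvpn.example.test/remote/saml/metadata"
IDP_ENTITY_ID = "https://fac.example.test/saml-idp/metadata"

# AD groups from the guide mapped to hypothetical SSL VPN portal names.
GROUP_TO_PORTAL = {
    "CN=Sales,CN=Users,DC=fortiad,DC=info": "sales-portal",
    "CN=Finance,CN=Users,DC=fortiad,DC=info": "finance-portal",
}


def _ts(t):
    return t.strftime(TIME_FMT)


def build_sample_response(user, group, issued_at, request_id="_req1"):
    """Construct the SAML Response the IdP posts back in step 5.
    Unsigned and constructed for this example; a real IdP response is signed."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" InResponseTo="{request_id}" IssueInstant="{_ts(issued_at)}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(issued_at)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_ts(issued_at)}" NotOnOrAfter="{_ts(issued_at + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>{user}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>{group}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def consume_assertion(xml_text, expected_request_id, now, signature_ok):
    """SP-side checks for step 7. Returns (username, portal) or raises ValueError.
    signature_ok stands in for verifying the XML signature against the IdP
    certificate (an xmlsec library's job); every other check is done here."""
    if not signature_ok:
        raise ValueError("response signature did not verify against the IdP certificate")
    root = ET.fromstring(xml_text)  # use defusedxml for real, untrusted input
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    user = attrs.get("username", [None])[0]
    if not user:
        raise ValueError("no username attribute")
    # The group attribute selects the portal, mirroring FortiGate's group-based policy.
    for group in attrs.get("group", []):
        if group in GROUP_TO_PORTAL:
            return user, GROUP_TO_PORTAL[group]
    raise ValueError(f"user {user!r} is in no group that maps to a portal")


def demo(user, group, minutes_after_issue=1, presented_request_id="_req1", signature_ok=True):
    """Run one exchange end to end: (user, portal) on success, else the rejection reason."""
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    response = build_sample_response(user, group, issued)
    try:
        return consume_assertion(response, presented_request_id,
                                 issued + timedelta(minutes=minutes_after_issue), signature_ok)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(demo("tsmith", "CN=Sales,CN=Users,DC=fortiad,DC=info"))
    print(demo("tsmith", "CN=Sales,CN=Users,DC=fortiad,DC=info", minutes_after_issue=10))
```

The checks run in the order a consumer should apply them: a response that fails signature verification is rejected before any of its content is trusted, and the group-to-portal lookup happens last, so a valid assertion for a user outside Sales or Finance yields no access rather than a default portal.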
Assumptions
- A policy is configured on the FortiGate using a VIP to allow external users access to the FortiAuthenticator for SAML authentication. The VIP maps 10.0.3.7->10.88.0.7 on TCP/443.
- When using SSL VPN tunnel mode, the end user’s FortiClient is registered to the EMS server in order to license the VPN remote access module.
- A policy is configured on the FortiGate using a VIP to allow external users access to EMS for Telemetry. The VIP maps 10.0.3.254->10.88.0.1 on TCP/8013.