SAML support for SSL VPN
FortiClient supports SAML authentication for SSL VPN. FortiClient can use a SAML identity provider (IdP) to authenticate an SSL VPN connection. You can configure a FortiGate as a service provider (SP) and a FortiAuthenticator or FortiGate as an IdP. The end user uses FortiClient with the SAML SSO option to establish an SSL VPN tunnel to the FortiGate.
This process is as follows:
- The EMS administrator or end user configures an SSL VPN connection with SAML SSO enabled.
- FortiClient connects to the FortiGate.
- The FortiGate returns a redirect link to the SAML IdP authorization page.
- FortiClient displays the IdP authorization page in an embedded browser window.
- The end user enters their credentials in the window to log in.
- Once the login attempt succeeds, FortiClient establishes a tunnel to the FortiGate.
This example configures a FortiGate as the SP and FortiAuthenticator as the IdP.
To configure the FortiGate as the SP:
- Configure a SAML user on the FortiGate SP. You must first import the IdP certificate from FortiAuthenticator as a remote certificate on the FortiGate and reference it in idp-cert:
    config user saml
        edit "saml-user"
            set cert "Fortinet_Factory"
            set entity-id "http://172.17.61.59:11443/remote/saml/metadata/"
            set single-sign-on-url "https://172.17.61.59:11443/remote/saml/login/"
            set single-logout-url "https://172.17.61.59:11443/remote/saml/logout/"
            set idp-entity-id "http://172.17.61.118:443/saml-idp/101087/metadata/"
            set idp-single-sign-on-url "https://172.17.61.118:443/saml-idp/101087/login/"
            set idp-single-logout-url "https://172.17.61.118:443/saml-idp/101087/logout/"
            set idp-cert "REMOTE_Cert_4"
        next
    end
- Add the SAML user to the user group:
    config user group
        edit "saml_grp"
            set member "saml-user"
        next
    end
- Set the SAML group in the SSL VPN authentication rule (the group name must match the one created above):
    config vpn ssl settings
        config authentication-rule
            edit 1
                set groups "saml_grp"
                set portal "full-access"
            next
        end
    end
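The idp-* values in the config user saml stanza above must match what the IdP publishes in its SAML 2.0 metadata (FortiAuthenticator serves it at the .../saml-idp/<id>/metadata/ URL). The following added example, which is not part of the original page or a Fortinet tool, parses such metadata and renders those lines, refusing metadata that lacks a signing certificate or uses non-HTTPS endpoints; the metadata sample is constructed and only mirrors the page's addresses.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata; host, paths and entity ID mirror the page's example.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://172.17.61.118:443/saml-idp/101087/metadata/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://172.17.61.118:443/saml-idp/101087/logout/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://172.17.61.118:443/saml-idp/101087/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract what the FortiGate SP needs: entity ID, SSO/SLO URLs, signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    def endpoint(tag):  # the browser-redirect flow described above uses the HTTP-Redirect binding
        for svc in idp.findall(tag, NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        raise ValueError(f"{tag} has no HTTP-Redirect binding")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:  # without it the SP cannot verify the IdP's assertion signatures
        raise ValueError("metadata carries no signing certificate")
    info = {"entity_id": root.get("entityID"),
            "sso_url": endpoint("md:SingleSignOnService"),
            "slo_url": endpoint("md:SingleLogoutService"),
            "signing_cert_b64": "".join(cert.text.split())}
    for key in ("sso_url", "slo_url"):  # the user's credentials travel to these URLs
        if not info[key].startswith("https://"):
            raise ValueError(f"{key} is not HTTPS")
    return info

def fortigate_idp_settings(info, idp_cert_name="REMOTE_Cert_4"):
    """Render the idp-* lines of 'config user saml'; idp_cert_name is the remote
    certificate the extracted signing cert was imported as on the FortiGate."""
    return [f'set idp-entity-id "{info["entity_id"]}"',
            f'set idp-single-sign-on-url "{info["sso_url"]}"',
            f'set idp-single-logout-url "{info["slo_url"]}"',
            f'set idp-cert "{idp_cert_name}"']
```

The signing_cert_b64 value is what you import on the FortiGate as the remote certificate named in idp-cert; the SP-side entity-id and URL lines stay as shown in the stanza above.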
To configure FortiAuthenticator as the IdP:
- In FortiAuthenticator, go to Authentication > SAML IdP > Service Providers.
- Click Create New.
- Configure as desired, then click OK.
- To add a local user, go to Authentication > User Management > Local User, then click Create New. Configure the local user as desired.
- To import RADIUS users, go to Authentication > User Management > Remote User > RADIUS Users. Import the desired RADIUS server.
- To import LDAP users, go to Authentication > User Management > Remote User > LDAP Users. Import the desired LDAP server.
To configure SAML SSO authentication for FortiClient:
- To configure SAML SSO authentication for a corporate VPN tunnel in EMS, go to Endpoint Profiles and select the desired profile. On the XML Configuration tab, configure <sso_enabled>1</sso_enabled> for the desired tunnel. EMS 6.4.0 does not support configuring this feature in the GUI.
- To configure SAML SSO authentication for a personal VPN tunnel in FortiClient, on the Remote Access tab, edit or create a VPN tunnel. Select the Enable Single Sign On (SSO) for VPN Tunnel checkbox.
To connect to a VPN tunnel using SAML authentication:
- In FortiClient, on the Remote Access tab, from the VPN Name dropdown list, select the desired VPN tunnel.
- Click SAML Login.
- FortiClient displays an IdP authorization page in an embedded browser window. Enter your login credentials. Click Login. Once authenticated, FortiClient establishes the SSL VPN tunnel.