Autoconnect on logging in as an Azure AD user
You can configure FortiClient to automatically connect to a specified VPN tunnel immediately after it installs and receives its configuration from EMS. In this example, FortiClient authenticates the connection using Azure Active Directory (AD) credentials. When the user logs in to Windows using their Azure AD credentials, FortiClient silently and automatically connects to the specified VPN tunnel, without the user needing to re-enter their credentials or open the FortiClient console.
The following instructions assume that you have already configured your Azure AD environment, that your FortiClient EMS and FortiGate are part of a Fortinet Security Fabric, and that the FortiGate has been configured in Azure as an enterprise application for SAML single sign-on. See Tutorial: Azure AD SSO integration with FortiGate SSL VPN.
The following configuration requires FortiOS 7.2.1 or a later version.
To create and configure app registration in Azure:
- In the Azure portal, go to Azure Active Directory > Enterprise applications.
- Select the FortiGate SSL VPN enterprise application.
- Note down the application ID and Azure domain.
- Go to Azure Active Directory > App registrations > All applications.
- Click the application that you selected in step 2.
- Go to Manage > Authentication > Add a platform > Mobile and desktop applications.
- In the Custom redirect URIs field, enter ms-appx-web://microsoft.aad.brokerplugin/, followed by the application ID that you noted. For example, if your application ID is 123456, enter ms-appx-web://microsoft.aad.brokerplugin/123456.
- Save the configuration.
To configure FortiOS:
config user saml
    edit "azure_saml"
        set auth-url "https://graph.microsoft.com/v1.0/me"
    next
end
To configure EMS:
- Go to Endpoint Profiles > Remote Access.
- Select the desired profile.
- In XML view, configure the following for the tunnel that FortiClient should automatically connect to. This example configures an SSL VPN tunnel as the autoconnect tunnel; you can configure an IPsec VPN tunnel as the autoconnect tunnel instead if desired:
<vpn>
    <sslvpn>
        <connections>
            <connection>
                <name>SSL VPN HQ</name>
                <sso_enabled>1</sso_enabled>
                <azure_auto_login>
                    <enabled>1</enabled>
                    <azure_app>
                        <tenant_name>Domain name obtained from the Azure portal</tenant_name>
                        <client_id>Application ID obtained from the Azure portal</client_id>
                    </azure_app>
                </azure_auto_login>
            </connection>
        </connections>
    </sslvpn>
</vpn>
- In general VPN settings, specify the desired tunnel as the autoconnect tunnel:
<vpn>
    <options>
        <autoconnect_tunnel>SSL VPN HQ</autoconnect_tunnel>
        <autoconnect_on_install>1</autoconnect_on_install>
    </options>
</vpn>
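The two EMS XML fragments above and the redirect URI from the Azure app registration step have to agree with each other: the autoconnect_tunnel value must match a connection name exactly, the placeholders for tenant_name and client_id must be replaced with real values, and the redirect URI must be the broker plugin prefix followed by the same application ID. The following script is an added example, not Fortinet's code or the EMS tool; it builds the fragment with the standard library and then checks it for those mistakes (including XML that is not well-formed, such as closing tags missing their slashes). The tenant name contoso.onmicrosoft.com is a constructed sample value; the application ID 123456 is the one used in the text.

```python
# Added example (not Fortinet's code): build and sanity-check the EMS
# remote-access XML fragment for Azure AD autoconnect, plus the redirect
# URI the Azure app registration needs.
import xml.etree.ElementTree as ET

BROKER_PREFIX = "ms-appx-web://microsoft.aad.brokerplugin/"


def redirect_uri(client_id: str) -> str:
    """Custom redirect URI for the 'Mobile and desktop applications' platform."""
    return BROKER_PREFIX + client_id


def build_vpn_fragment(tunnel_name: str, tenant_name: str, client_id: str) -> str:
    """Return the <vpn> fragment with both the connection and the autoconnect options."""
    vpn = ET.Element("vpn")
    conns = ET.SubElement(ET.SubElement(vpn, "sslvpn"), "connections")
    conn = ET.SubElement(conns, "connection")
    ET.SubElement(conn, "name").text = tunnel_name
    ET.SubElement(conn, "sso_enabled").text = "1"
    auto = ET.SubElement(conn, "azure_auto_login")
    ET.SubElement(auto, "enabled").text = "1"
    app = ET.SubElement(auto, "azure_app")
    ET.SubElement(app, "tenant_name").text = tenant_name
    ET.SubElement(app, "client_id").text = client_id
    opts = ET.SubElement(vpn, "options")
    ET.SubElement(opts, "autoconnect_tunnel").text = tunnel_name
    ET.SubElement(opts, "autoconnect_on_install").text = "1"
    return ET.tostring(vpn, encoding="unicode")


def check_fragment(xml_text: str) -> list:
    """Return a list of problems found; an empty list means the fragment is consistent."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. closing tags written without a slash
        return [f"not well-formed XML: {exc}"]

    names = [n.text for n in root.findall("./sslvpn/connections/connection/name")]
    target = root.findtext("./options/autoconnect_tunnel")
    if target not in names:
        problems.append(f"autoconnect_tunnel {target!r} matches no connection name {names}")
    if root.findtext("./options/autoconnect_on_install") != "1":
        problems.append("autoconnect_on_install is not 1")

    for conn in root.findall("./sslvpn/connections/connection"):
        if conn.findtext("name") != target:
            continue
        if conn.findtext("sso_enabled") != "1":
            problems.append("sso_enabled is not 1 on the autoconnect tunnel")
        if conn.findtext("azure_auto_login/enabled") != "1":
            problems.append("azure_auto_login/enabled is not 1 on the autoconnect tunnel")
        for tag in ("tenant_name", "client_id"):
            value = conn.findtext(f"azure_auto_login/azure_app/{tag}") or ""
            # The documentation placeholders read "... obtained from the Azure portal".
            if not value.strip() or "obtained from" in value.lower():
                problems.append(f"{tag} still holds a placeholder")
    return problems


if __name__ == "__main__":
    fragment = build_vpn_fragment("SSL VPN HQ", "contoso.onmicrosoft.com", "123456")
    print(redirect_uri("123456"))
    print(fragment)
    print("problems:", check_fragment(fragment))
```

Run it before pasting the fragment into the profile's XML view; a non-empty problem list points at the specific element to fix, and a parse error means the XML itself would be rejected.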
To grant permissions requests as an end user:
- As an end user, log in to an endpoint to which the profile configured in To configure EMS is applied.
- FortiClient automatically attempts to connect to the specified VPN tunnel. If this is the initial attempt to connect to this VPN tunnel, Windows displays a prompt to select the desired Azure AD account. Select the desired account.
- Windows displays a prompt for the end user to grant permissions to the Azure enterprise application configured for FortiGate SAML single sign on. Click Accept. This prompt does not display the next time that FortiClient attempts to connect to this VPN tunnel.
The prompt to grant permissions does not appear if the Azure domain or tenant administrator has already granted permission on behalf of the organization.