Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    Home FortiClient 7.2.0 New Features
    7.2.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.3
    6.2.2
    6.2.1
    6.2.0

    SAML authentication for VPN before logon 7.2.5

    SAML authentication for VPN before logon 7.2.5

    With SAML authentication for IPsec and SSL VPN before logon, you can connect to VPN before signing in to Windows, improving ease of access.

    The following example uses FortiOS 7.2.8 with FortiClient and EMS 7.2.5.

    Use case: SAML authentication with FortiAuthenticator as IdP

    The following instructions that FortiAuthenticator has already been configured to support SAML login.

    To configure SAML authentication with FortiAuthenticator as IdP:
    1. Configure the VPN settings in FortiOS:
      config vpn ipsec phase1-interface
    edit "ikeV2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha256
        set comments "VPN: ikeV2 (Created by VPN wizard)"
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "saml-group"
        set ipv4-start-ip 10.20.30.1
        set ipv4-end-ip 10.20.30.250
        set dns-mode auto
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC y1+jieyn2rEnylBuykQQjPDIVG2dP9RraKl5lhOHrZZyn7rBh4lmUUQ+wYYQhdicxM/VnxCFqjQj5JvdYLeB4j/j+9CSGWlRxNZnpaaoUgjZhWxqVhU2pGxZfyBtOSwvtCq8bMcAKrtZbnbr+o/5WrbUZ51AXcJP9R5fW7qR4J3n7ZvRTBWEZ0EJmPoXiGd77iQqQQ==
    next 
end
config vpn ipsec phase2-interface
    edit "ikeV2"
        set phase1name "ikeV2"
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 5
        set comments "VPN: ikeV2 (Created by VPN wizard)"
    next
end
config system global
    set auth-ike-saml-port 10428
end
config user saml
    edit "IPSec-FAC"
        set cert "Fortinet_Factory"
        set entity-id "https://fgt.example.com:10428/remote/saml/metadata/"
        set single-sign-on-url "https://fgt.example.com:10428/remote/saml/login/"
        set single-logout-url "https://fgt.example.com:10428/remote/saml/logout/"
        set idp-entity-id "http://fac.example.com/saml-idp/1111/metadata/"
        set idp-single-sign-on-url "https://fac.example.com/saml-idp/1111/login/"
        set idp-single-logout-url "https://fac.example.com/saml-idp/1111/logout/"
        set idp-cert "REMOTE_Cert_8"
        set user-name "username"
        set group-name "saml-group"
        set digest-method sha1
    next
end
    2. In EMS, configure the VPN settings:
      1. Go to Endpoint Profiles > Remote Access.
      2. Create a new profile or edit an existing one.
      3. Under General, enable Show VPN before Logon.
      4. Under VPN Tunnels, click Add Tunnel.
      5. Select Manual. Click Next.
      6. If available, under Type, select IPsec VPN.
      7. In Advanced Settings, toggle on Enable SAML Login.
      8. In the SAML Port field, enter 10428, the same port that you configured in FortiOS.

      9. Configure the tunnel to match the settings that you configured in FortiOS. Click Save.
    3. On the endpoint, if required, add the FortiAuthenticator FQDN as an entry in the hosts file if required.
    4. After the endpoint receives the profile updates from EMS, restart the endpoint.
    5. On the login page, under Sign-in options, select the VPN option.
    6. Enter the Windows login credentials.
    7. A SAML authentication dialog displays after the certificate warning. Enter your SAML login credentials. After a successful login, FortiClient connects to the IPsec VPN tunnel successfully.

    Use case: SAML authentication with Microsoft Entra ID as IdP

    In this example, the endpoint is already joined to a Microsoft Entra ID domain.

    To log in using SAML authentication with Microsoft Entra ID as IdP:
    1. After the endpoint receives the profile updates from EMS, restart the endpoint.
    2. On the login page, under Sign-in options, select the VPN option.
    3. A SAML authentication dialog displays after the certificate warning. Enter your Entra ID login credentials. After a successful login, FortiClient connects to the VPN tunnel successfully.

    Previous
    Next

    SAML authentication for VPN before logon 7.2.5

    SAML authentication for VPN before logon 7.2.5

    With SAML authentication for IPsec and SSL VPN before logon, you can connect to VPN before signing in to Windows, improving ease of access.

    The following example uses FortiOS 7.2.8 with FortiClient and EMS 7.2.5.

    Use case: SAML authentication with FortiAuthenticator as IdP

    The following instructions that FortiAuthenticator has already been configured to support SAML login.

    To configure SAML authentication with FortiAuthenticator as IdP:
    1. Configure the VPN settings in FortiOS:
      config vpn ipsec phase1-interface
    edit "ikeV2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha256
        set comments "VPN: ikeV2 (Created by VPN wizard)"
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "saml-group"
        set ipv4-start-ip 10.20.30.1
        set ipv4-end-ip 10.20.30.250
        set dns-mode auto
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC y1+jieyn2rEnylBuykQQjPDIVG2dP9RraKl5lhOHrZZyn7rBh4lmUUQ+wYYQhdicxM/VnxCFqjQj5JvdYLeB4j/j+9CSGWlRxNZnpaaoUgjZhWxqVhU2pGxZfyBtOSwvtCq8bMcAKrtZbnbr+o/5WrbUZ51AXcJP9R5fW7qR4J3n7ZvRTBWEZ0EJmPoXiGd77iQqQQ==
    next 
end
config vpn ipsec phase2-interface
    edit "ikeV2"
        set phase1name "ikeV2"
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 5
        set comments "VPN: ikeV2 (Created by VPN wizard)"
    next
end
config system global
    set auth-ike-saml-port 10428
end
config user saml
    edit "IPSec-FAC"
        set cert "Fortinet_Factory"
        set entity-id "https://fgt.example.com:10428/remote/saml/metadata/"
        set single-sign-on-url "https://fgt.example.com:10428/remote/saml/login/"
        set single-logout-url "https://fgt.example.com:10428/remote/saml/logout/"
        set idp-entity-id "http://fac.example.com/saml-idp/1111/metadata/"
        set idp-single-sign-on-url "https://fac.example.com/saml-idp/1111/login/"
        set idp-single-logout-url "https://fac.example.com/saml-idp/1111/logout/"
        set idp-cert "REMOTE_Cert_8"
        set user-name "username"
        set group-name "saml-group"
        set digest-method sha1
    next
end
    2. In EMS, configure the VPN settings:
      1. Go to Endpoint Profiles > Remote Access.
      2. Create a new profile or edit an existing one.
      3. Under General, enable Show VPN before Logon.
      4. Under VPN Tunnels, click Add Tunnel.
      5. Select Manual. Click Next.
      6. If available, under Type, select IPsec VPN.
      7. In Advanced Settings, toggle on Enable SAML Login.
      8. In the SAML Port field, enter 10428, the same port that you configured in FortiOS.

      9. Configure the tunnel to match the settings that you configured in FortiOS. Click Save.
    3. On the endpoint, if required, add the FortiAuthenticator FQDN as an entry in the hosts file if required.
    4. After the endpoint receives the profile updates from EMS, restart the endpoint.
    5. On the login page, under Sign-in options, select the VPN option.
    6. Enter the Windows login credentials.
    7. A SAML authentication dialog displays after the certificate warning. Enter your SAML login credentials. After a successful login, FortiClient connects to the IPsec VPN tunnel successfully.

    Use case: SAML authentication with Microsoft Entra ID as IdP

    In this example, the endpoint is already joined to a Microsoft Entra ID domain.

    To log in using SAML authentication with Microsoft Entra ID as IdP:
    1. After the endpoint receives the profile updates from EMS, restart the endpoint.
    2. On the login page, under Sign-in options, select the VPN option.
    3. A SAML authentication dialog displays after the certificate warning. Enter your Entra ID login credentials. After a successful login, FortiClient connects to the VPN tunnel successfully.

    Previous
    Next