SAML support for SSL VPN
FortiClient supports SAML authentication for SSL VPN. FortiClient can use a SAML identity provider (IdP) to authenticate an SSL VPN connection. You can configure a FortiGate as a service provider (SP) and a FortiAuthenticator or FortiGate as an IdP. The end user uses FortiClient with the SAML single sign on (SSO) option to establish an SSL VPN tunnel to the FortiGate.
This process is as follows:
- The EMS administrator or end user configures an SSL VPN connection with SAML SSO enabled.
- FortiClient connects to the FortiGate.
- The FortiGate returns a redirect link to the SAML IdP authorization page.
- FortiClient displays the IdP authorization page in an embedded browser window.
- The end user enters their credentials in the window to log in.
- Once the login attempt succeeds, FortiClient establishes a tunnel to the FortiGate.
This example configures a FortiGate as the SP and FortiAuthenticator as the IdP.
To configure the FortiGate as the SP:
- Configure the FortiGate as the SAML SP by creating a SAML user. You must configure the IdP remote certificate from FortiAuthenticator on the FortiGate:
    config user saml
        edit "saml-user"
            set cert "Fortinet_Factory"
            set entity-id "http://172.17.61.59:11443/remote/saml/metadata/"
            set single-sign-on-url "https://172.17.61.59:11443/remote/saml/login/"
            set single-logout-url "https://172.17.61.59:11443/remote/saml/logout/"
            set idp-entity-id "http://172.17.61.118:443/saml-idp/101087/metadata/"
            set idp-single-sign-on-url "https://172.17.61.118:443/saml-idp/101087/login/"
            set idp-single-logout-url "https://172.17.61.118:443/saml-idp/101087/logout/"
            set idp-cert "REMOTE_Cert_4"
        next
    end
- Add the SAML user to a user group:
    config user group
        edit "saml_grp"
            set member "saml-user"
        next
    end
- Set the SAML group in the SSL VPN settings (the group name must match the group created in the previous step; the inner table is closed with end, not next):
    config vpn ssl settings
        config authentication-rule
            edit 1
                set groups "saml_grp"
                set portal "full-access"
            next
        end
    end
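As an added example (not from the original page or from Fortinet), the following Python script parses FortiOS CLI blocks of the shape shown above and cross-checks the three objects against each other, which is useful when reviewing a configuration backup offline: each SAML user must carry the IdP SSO URL and IdP certificate, every group named in the SSL VPN authentication rule must exist, and each such group's members are expected to be SAML users. SAMPLE_CONFIG is a constructed sample in which the missing idp-cert and the saml_grp/saml-group mismatch are deliberate.

```python
# Added example (not Fortinet code). SAMPLE_CONFIG is constructed; the missing
# idp-cert and the saml_grp/saml-group mismatch are deliberate so the check fires.
import shlex

SAMPLE_CONFIG = """config user saml
    edit "saml-user"
        set idp-single-sign-on-url "https://172.17.61.118:443/saml-idp/101087/login/"
    next
end
config user group
    edit "saml_grp"
        set member "saml-user"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "saml-group"
        next
    end
end"""

def parse_fortios(text):
    """Map each config path to {edit name: {setting: [values]}} for every table entry."""
    tables, path, cur = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":                     # opens a (possibly nested) table
            path.append(" ".join(tok[1:]))
        elif tok[0] == "edit":                     # opens one entry of the current table
            cur = tables.setdefault(" ".join(path), {}).setdefault(tok[1], {})
        elif tok[0] == "set" and cur is not None:  # settings belong to the open entry
            cur[tok[1]] = tok[2:]
        elif tok[0] == "next":                     # closes the entry
            cur = None
        elif tok[0] == "end":                      # closes the table
            path.pop()
    return tables

def check_saml_refs(text):
    """Return findings; an empty list means SAML user, group and SSL VPN rule line up."""
    tables = parse_fortios(text)
    findings, saml_users, groups = [], tables.get("user saml", {}), tables.get("user group", {})
    for name, user in saml_users.items():          # both are needed to accept the IdP's assertions
        findings += [f"saml user {name}: {k} not set"
                     for k in ("idp-single-sign-on-url", "idp-cert") if k not in user]
    for rid, rule in tables.get("vpn ssl settings authentication-rule", {}).items():
        for g in rule.get("groups", []):
            if g not in groups:
                findings.append(f"authentication-rule {rid}: group {g} not defined")
            findings += [f"group {g}: member {m} is not a SAML user"   # local users are out of scope here
                         for m in groups.get(g, {}).get("member", []) if m not in saml_users]
    return findings
```

Run check_saml_refs on the text of a FortiGate configuration backup; on SAMPLE_CONFIG it reports the missing idp-cert and the undefined group saml-group.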
To configure FortiAuthenticator as the IdP:
- In FortiAuthenticator, go to Authentication > SAML IdP > Service Providers.
- Click Create New.
- Configure as desired, then click OK.
- To add a local user, go to Authentication > User Management > Local User, then click Create New. Configure the local user as desired.
- To import RADIUS users, go to Authentication > User Management > Remote User > RADIUS Users. Import the desired RADIUS server.
- To import LDAP users, go to Authentication > User Management > Remote User > LDAP Users. Import the desired LDAP server.
To configure SAML SSO authentication for FortiClient:
- To configure SAML SSO authentication for a corporate VPN tunnel in EMS, go to Endpoint Profiles and select the desired profile. On the XML Configuration tab, configure <sso_enabled>1</sso_enabled> for the desired tunnel. EMS 6.4.0 does not support configuring this feature in the GUI.
- To configure SAML SSO authentication for a personal VPN tunnel in FortiClient, on the Remote Access tab, edit or create a VPN tunnel. Select the Enable Single Sign On (SSO) for VPN Tunnel checkbox.
To connect to a VPN tunnel using SAML authentication:
- In FortiClient, on the Remote Access tab, from the VPN Name dropdown list, select the desired VPN tunnel.
- Click SAML Login.
- FortiClient displays an IdP authorization page in an embedded browser window. Enter your login credentials. Click Login. Once authenticated, FortiClient establishes the SSL VPN tunnel.
FortiClient provides an option for the end user to save their VPN login password, with or without SAML configured. When SAML is used, this feature relies on the IdP being configured for persistent sessions:
If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.
The FortiClient save password feature is commonly used together with the autoconnect and always-up features.