Administration Guide

SAML SP for VPN authentication

When you configure a FortiGate as a service provider (SP), you can create an authentication profile that uses SAML for SSL VPN web portal authentication.

You can use SAML with FortiClient for SSL VPN tunnel authentication. The following licensed versions are required for this functionality:

  • FortiClient (Windows) 6.4.0
  • FortiClient (macOS) 6.4.1
  • FortiClient (Linux) 6.4.1

The following example uses a FortiGate as an SP and FortiAuthenticator as the IdP server:

To configure SSL VPN web portal authentication:
  1. Create the SAML user, which holds the FortiGate's own SP settings and the settings of the IdP it trusts:
    config user saml
        edit "fac-sslvpn"
            set entity-id "https://10.2.2.2:10443/remote/saml/metadata/"
            set single-sign-on-url "https://10.2.2.2:10443/remote/saml/login/"
            set single-logout-url "https://10.2.2.2:10443/remote/saml/logout/"
            set idp-entity-id "http://172.18.58.93:443/saml-idp/ssssss/metadata/"
            set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/ssssss/login/"
            set idp-single-logout-url "https://172.18.58.93:443/saml-idp/ssssss/logout/"
            set idp-cert "REMOTE_Cert_3"
            set user-name "username"
        next
    end
    The entity-id and the three URLs identify this FortiGate to the IdP. idp-entity-id must match, as an exact string, the Issuer value the IdP places in its assertions; idp-cert is the IdP's signing certificate, imported on the FortiGate as a remote certificate; user-name is the name of the assertion attribute whose value becomes the SSL VPN user name.
  2. Add the SAML user to a user group. Group matching, in which a group attribute from the assertion is matched against the user group, can also be configured:
    config user group
        edit "saml_sslvpn"
            set member "fac-sslvpn"
        next
    end
  3. Configure SSL VPN:
    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set source-interface "port3"
        set source-address "all"
        set source-address6 "all"
        set default-portal "full-access"
        config authentication-rule
            edit 1
                set groups "saml_sslvpn"
                set portal "full-access"
            next
        end
    end
    Fortinet_Factory is the built-in certificate and is used here only for the example; browsers and FortiClient validate the portal certificate before the SAML redirect, so in production set servercert to a certificate that the clients trust. The authentication rule binds the SAML user group to the portal its members receive.
  4. Add the SAML user group to a firewall policy so that traffic from authenticated SSL VPN users is allowed:
    config firewall policy
        edit 8
            set srcintf "ssl.vdom1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set groups "local" "saml_sslvpn"
            set nat enable
        next
    end
  5. Configure the FortiAuthenticator IdP to match the FortiGate side: register the FortiGate as an SP using the entity-id, single-sign-on-url and single-logout-url values above, ensure the assertion carries the attribute named by user-name (username in this example), and export the IdP signing certificate so it can be imported on the FortiGate as the remote certificate referenced by idp-cert (REMOTE_Cert_3 here).
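As an added example that is not part of the Fortinet guide or of FortiOS, the following Python script shows what the fields of the config above mean on the wire: it applies the checks an SP has to make on a SAML Response before trusting the identity it carries, using the values from `config user saml "fac-sslvpn"` and a constructed sample Response. The `group` attribute, the `group-name` key, the user `alice` and all timestamps are assumptions; verification of the assertion's XML Signature against idp-cert is represented by a flag because it needs an XML-DSig library, and a real SP performs it before any of the other checks.

```python
"""Added example, not Fortinet code: the checks an SP such as the FortiGate
applies to a SAML Response, expressed against the page's `config user saml`."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values copied from the page's `config user saml "fac-sslvpn"` block; the
# "group-name" entry (attribute used for group matching) is an assumption.
SP_CONFIG = {
    "entity-id": "https://10.2.2.2:10443/remote/saml/metadata/",
    "single-sign-on-url": "https://10.2.2.2:10443/remote/saml/login/",
    "idp-entity-id": "http://172.18.58.93:443/saml-idp/ssssss/metadata/",
    "user-name": "username",
    "group-name": "group",
}

# Constructed sample of what the IdP POSTs to single-sign-on-url. The XML
# Signature element is left out; see the signature_verified flag below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://10.2.2.2:10443/remote/saml/login/">
  <saml:Issuer>http://172.18.58.93:443/saml-idp/ssssss/metadata/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>http://172.18.58.93:443/saml-idp/ssssss/metadata/</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://10.2.2.2:10443/remote/saml/login/"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://10.2.2.2:10443/remote/saml/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>saml_sslvpn</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, cfg, now, signature_verified):
    """Return (accepted, identity, reasons); now is a SAML timestamp string.
    signature_verified stands for XML-Signature verification against idp-cert,
    which a real SP does first and this example does not implement."""
    t, reasons = parse_ts(now), []
    root = ET.fromstring(xml_text)
    if not signature_verified:
        reasons.append("signature not verified against idp-cert")
    if root.get("Destination") != cfg["single-sign-on-url"]:
        reasons.append("Destination != single-sign-on-url")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        reasons.append("IdP status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, None, reasons + ["no Assertion"]
    # Issuer is an exact string match with idp-entity-id: scheme, port and
    # trailing slash in "http://172.18.58.93:443/..." are part of the identifier.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != cfg["idp-entity-id"]:
        reasons.append("Issuer %r != idp-entity-id" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return False, None, reasons + ["missing Conditions or SubjectConfirmationData"]
    if cond.get("NotBefore") and t < parse_ts(cond.get("NotBefore")):
        reasons.append("assertion not yet valid")
    for limit in (cond.get("NotOnOrAfter"), scd.get("NotOnOrAfter")):
        if limit and t >= parse_ts(limit):
            reasons.append("assertion expired")
    # Audience must be this SP's entity-id, or the assertion was minted for another SP.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["entity-id"] not in audiences:
        reasons.append("Audience %r != entity-id" % (audiences,))
    if scd.get("Recipient") != cfg["single-sign-on-url"]:
        reasons.append("Recipient != single-sign-on-url")
    # Map assertion attributes to the login identity by the configured attribute names.
    identity = {"user": None, "groups": []}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == cfg["user-name"] and values:
            identity["user"] = values[0]
        elif attr.get("Name") == cfg.get("group-name"):
            identity["groups"] = values
    if not identity["user"]:
        reasons.append("no attribute named %r; user cannot be mapped" % cfg["user-name"])
    return not reasons, identity, reasons


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, "2024-05-01T12:01:00Z", True))
```

The point of the script is that idp-entity-id, entity-id and single-sign-on-url are compared as exact strings against the Issuer, Audience and Destination/Recipient values in the Response, so the IdP must be registered with exactly the strings in the FortiGate config; a changed scheme, port or trailing slash on either side makes every login fail, and an assertion issued for a different SP, or one whose validity window has passed, is rejected even when its signature is good.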

To connect from the SSL VPN web portal:
  1. In a web browser, enter the portal address. The SAML login page appears.
  2. Enter the user name and password.
  3. Click Login, or if SSO has been configured, click Single-Sign-On.

    Once authenticated, the web portal opens.

To connect from SSL VPN tunnel mode with FortiClient:
  1. In FortiClient, click the Remote Access tab, and from the VPN Name dropdown, select the desired VPN tunnel.
  2. Click SAML Login.
  3. FortiClient displays an IdP authorization page in an embedded browser window. Enter the user name and password.
  4. Click Login.

    Once authenticated, FortiClient establishes the SSL VPN tunnel.
