Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Use a browser as an external user-agent for SAML authentication in an SSL VPN connection 7.0.1

    Use a browser as an external user-agent for SAML authentication in an SSL VPN connection 7.0.1

    FortiClient can use a browser as an external user-agent to perform SAML authentication for SSL VPN tunnel mode, instead of the FortiClient embedded log in window. If a user has already done SAML authentication in the default browser, they do not need to authenticate again in the FortiClient built-in browser. FortiClient 7.0.1 is required.

    The following CLI is used to set the SAML local redirect port on the FortiClient endpoint after successful SAML authentication:

    config vpn ssl settings
    set saml-redirect-port <port>
end

    Example

    In this example, a user wants to use their default browser to connect to IdP for SAML authentication, without needing to separately authenticate in the FortiClient built-in browser. After authenticating in the browser, FortiClient obtains the authentication cookie directly from the browser.

    The authentication process proceeds as follows:

    1. The remote client uses FortiClient to connect to the FortiGate SSL VPN on 172.16.58.92:1443 with the Use external browser as user-agent for saml user authentication option enabled.

    2. The SSL VPN redirects FortiClient to complete SAML authentication using the Identity Provider (IdP).

    3. FortiClient opens the default browser to authenticate the IdP server.

    4. After a successful authentication, the browser redirects to localhost:<port>, where the port is defined by the saml-redirect-port variable on the FortiGate.

    5. FortiClient reads the authentication ID passed by the successful authentication, then requests that the SAML authentication process continues on the FortiGate with this ID.

    6. The FortiGate continues with the remaining SSL-VPN host-check and other steps until it receives the authentication cookie. It then allow the SSL VPN user to connect using tunnel mode.

    To configure the VPN:

    1. Configure a SAML user:

      config user saml
    edit "su1"
        set cert "fgt_gui_automation"
        set entity-id "http://172.18.58.92:1443/remote/saml/metadata/"
        set single-sign-on-url "https://172.18.58.92:1443/remote/saml/login/"
        set single-logout-url "https://172.18.58.92:1443/remote/saml/logout/"
        set idp-entity-id "http://172.18.58.93:443/saml-idp/222222/metadata/"
        set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/222222/login/"
        set idp-single-logout-url "https://172.18.58.93:443/saml-idp/222222/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "Groupname"
        set digest-method sha1
    next
end

    2. Add the SAML user to a user group:

      config user group
    edit "saml_grp"
        set member "su1"
    next
end

    3. Create an SSL VPN web portal:

      config vpn ssl web portal
    edit "testportal1"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        ...
    next
end

    4. Configure the SSL VPN:

      config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "testportal1"
    ...
end

    5. Configure a firewall policy for the SSL VPN and assign the SAML group and a local user to it:

      config firewall policy
    edit 1
        set name "policy_to_sslvpn_tunnel"                    
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "saml_grp"
        set users "u1"
    next
end

    6. Enable the SAML redirect port:

      config vpn ssl settings
    set saml-redirect-port 8020
end
    To connect to the VPN using FortiClient:

    1. Configure the SSL VPN connection:

      1. Open FortiClient and go to the Remote Access tab and click Configure VPN.

      2. Enter a name for the connection.

      3. Set the Remote Gateway to the FortiGate port 172.18.58.92.

      4. Enable Customize port and set the port to 1443.

      5. Enable Enable Single Sign On (SSO) for VPN Tunnel and Use external browser as user-agent for saml user authentication.

      6. Click Save.

    2. On the Remote Access tab select the FGT401E_SSO VPN connection from the dropdown list.

    3. Click SAML Login.

      The default browser opens to the IdP authentication page.

    4. Enter the username and password, then click Login.

      The authenticated result is sent back to FortiClient and the connection is established.

    To check the connection on the FortiGate:
    # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 1       fac3    saml_grp       256(1)           N/A     10.1.100.254   0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       fac3    saml_grp       10.1.100.254     5       9990/8449      10.212.134.200,fdff:ffff::1
    # diagnose firewall auth list

10.212.134.200, fac3
        type: fw, id: 0, duration: 6, idled: 0
        expire: 259199, allow-idle: 259200
        flag(80): sslvpn
        server: su1
        packets: in 28 out 28, bytes: in 23042 out 8561
        group_id: 5
        group_name: saml_grp
    Previous
    Next

    Use a browser as an external user-agent for SAML authentication in an SSL VPN connection 7.0.1

    Use a browser as an external user-agent for SAML authentication in an SSL VPN connection 7.0.1

    FortiClient can use a browser as an external user-agent to perform SAML authentication for SSL VPN tunnel mode, instead of the FortiClient embedded log in window. If a user has already done SAML authentication in the default browser, they do not need to authenticate again in the FortiClient built-in browser. FortiClient 7.0.1 is required.

    The following CLI is used to set the SAML local redirect port on the FortiClient endpoint after successful SAML authentication:

    config vpn ssl settings
    set saml-redirect-port <port>
end

    Example

    In this example, a user wants to use their default browser to connect to IdP for SAML authentication, without needing to separately authenticate in the FortiClient built-in browser. After authenticating in the browser, FortiClient obtains the authentication cookie directly from the browser.

    The authentication process proceeds as follows:

    1. The remote client uses FortiClient to connect to the FortiGate SSL VPN on 172.16.58.92:1443 with the Use external browser as user-agent for saml user authentication option enabled.

    2. The SSL VPN redirects FortiClient to complete SAML authentication using the Identity Provider (IdP).

    3. FortiClient opens the default browser to authenticate the IdP server.

    4. After a successful authentication, the browser redirects to localhost:<port>, where the port is defined by the saml-redirect-port variable on the FortiGate.

    5. FortiClient reads the authentication ID passed by the successful authentication, then requests that the SAML authentication process continues on the FortiGate with this ID.

    6. The FortiGate continues with the remaining SSL-VPN host-check and other steps until it receives the authentication cookie. It then allow the SSL VPN user to connect using tunnel mode.

    To configure the VPN:

    1. Configure a SAML user:

      config user saml
    edit "su1"
        set cert "fgt_gui_automation"
        set entity-id "http://172.18.58.92:1443/remote/saml/metadata/"
        set single-sign-on-url "https://172.18.58.92:1443/remote/saml/login/"
        set single-logout-url "https://172.18.58.92:1443/remote/saml/logout/"
        set idp-entity-id "http://172.18.58.93:443/saml-idp/222222/metadata/"
        set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/222222/login/"
        set idp-single-logout-url "https://172.18.58.93:443/saml-idp/222222/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "Groupname"
        set digest-method sha1
    next
end

    2. Add the SAML user to a user group:

      config user group
    edit "saml_grp"
        set member "su1"
    next
end

    3. Create an SSL VPN web portal:

      config vpn ssl web portal
    edit "testportal1"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        ...
    next
end

    4. Configure the SSL VPN:

      config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "testportal1"
    ...
end

    5. Configure a firewall policy for the SSL VPN and assign the SAML group and a local user to it:

      config firewall policy
    edit 1
        set name "policy_to_sslvpn_tunnel"                    
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "saml_grp"
        set users "u1"
    next
end

    6. Enable the SAML redirect port:

      config vpn ssl settings
    set saml-redirect-port 8020
end
    To connect to the VPN using FortiClient:

    1. Configure the SSL VPN connection:

      1. Open FortiClient and go to the Remote Access tab and click Configure VPN.

      2. Enter a name for the connection.

      3. Set the Remote Gateway to the FortiGate port 172.18.58.92.

      4. Enable Customize port and set the port to 1443.

      5. Enable Enable Single Sign On (SSO) for VPN Tunnel and Use external browser as user-agent for saml user authentication.

      6. Click Save.

    2. On the Remote Access tab select the FGT401E_SSO VPN connection from the dropdown list.

    3. Click SAML Login.

      The default browser opens to the IdP authentication page.

    4. Enter the username and password, then click Login.

      The authenticated result is sent back to FortiClient and the connection is established.

    To check the connection on the FortiGate:
    # get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 1       fac3    saml_grp       256(1)           N/A     10.1.100.254   0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       fac3    saml_grp       10.1.100.254     5       9990/8449      10.212.134.200,fdff:ffff::1
    # diagnose firewall auth list

10.212.134.200, fac3
        type: fw, id: 0, duration: 6, idled: 0
        expire: 259199, allow-idle: 259200
        flag(80): sslvpn
        server: su1
        packets: in 28 out 28, bytes: in 23042 out 8561
        group_id: 5
        group_name: saml_grp
    Previous
    Next