Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Wireless Authentication using SAML Credentials 7.0.5

    Wireless Authentication using SAML Credentials 7.0.5

    When a SAML user has been configured on the FortiGate, a user group containing this SAML user can be applied to a captive portal in a wireless tunnel mode SSID. You can configure both a captive portal exempt firewall policy to allow wireless clients to contact the SAML IDP and a firewall policy with the SAML user group applied to allow authenticated traffic. When wireless clients connect to the SSID, they will be redirected to a login page for wireless authentication using SAML.

    To configure SAML Authentication - GUI:
    1. Create a SAML server on a FortiGate:
      1. Go to User & Authentication > Single Sign-On and click Create new.

      2. Enter a Name for the SAML server (saml-fac) and configure the Service Provider and Identity Provider information.

      3. When you are finished, click Submit.
    2. Create a user group with members as the SAML server you created:
      1. Go to User & Authentication > User Groups and click Create New.
      2. Enter a Name for the group (saml_grp).
      3. In the Remote Groups table, click Add.

      4. In the Remove Server dropdown, select the SAML server you created (saml-fac) and click OK.

    3. Select the user group in a Captive portal VAP:
      1. Go to WiFi & Switch Controller > SSIDs and click Create New > SSID.
      2. Enter an SSID name (_CAP_SAML).
      3. Ensure thatTraffic mode is set toTunnel.
      4. Under Security Mode Settings, set the Security mode to Captive Portal.

      5. In User groups, select the group you created (saml_grp).

      6. Configure other settings as needed.
      7. When you are finished, click OK.
    4. Create a firewall policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication:
      1. Go to Policy & Objects > Firewall Policy and click Create New.

      2. Configure the following:

        Incoming Interface

        Select the captive portal VAP (_CAL_SAML).

        Source

        all

        Destination

        Select the saml server.

        Action

        ACCEPT

      3. Configure other settings as needed.
      4. When you are finished, click OK.

      5. You can only configure captive-portal-exempt from the CLI:

         config firewall policy
  edit 8
    set captive-portal-exempt enable
  end
    5. Create a policy to let wireless clients access the outbound after passing authentication:
      1. Go to Policy & Objects > Firewall Policy and click Create New.

      2. Configure the following:

        Incoming Interface

        Select the captive portal VAP (_CAL_SAML).

        Source

        all

        Select the SAML user group (saml_grp)

        Destination

        all

        Action

        ACCEPT

      3. Configure other settings as needed.
      4. When you are finished, click OK.

    When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.

    To configure SAML Authentication - CLI:

    1. Create a SAML server on a FortiGate:

       config user saml
  edit "saml-fac"
    set entity-id "http://10.40.80.1:1000/saml/metadata/"
    set single-sign-on-url "https://10.40.80.1:1003/saml/login/"
    set single-logout-url "https://10.40.80.1:1003/saml/logout/"
    set idp-entity-id "http://172.18.58.93:443/saml-idp/wifiqa1234/metadata/"
    set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/wifiqa1234/login/"
    set idp-single-logout-url "https://172.18.58.93:443/saml-idp/wifiqa1234/logout/"
    set idp-cert "REMOTE_Cert_2"
    set user-name "username"
    set group-name "group"
    set digest-method sha1
  next
end

    2. Create a user group with members as the SAML server you created:

      config user group
  edit "saml_grp"
    set member "saml-fac"
  next
end

    3. Select the user group in a Captive portal VAP:

      config wireless-controller vap
  edit "wifi4"
    set ssid "_CAP_SAML"
    set security captive-portal
    set selected-usergroups "saml_grp"
    set security-exempt-list "wifi4-exempt-list"
    set security-redirect-url "http://www.example.com"
    set schedule "always"
  next
end

    4. Create 2 policies from VAP to outbound:

      • One policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication (firewall policy ID 8, name "exempt").
      • One policy is a regular policy that lets wireless clients access the outbound after passing authentication (firewall policy ID 6, name "cap2").

      The firewall policy ID is 8, the name is "exempt"

      config firewall policy
  edit 8
    set name "exempt"
    set uuid d8f2b572-b2fa-51ec-d3ad-3110a44be109
    set srcintf "wifi4"
    set dstintf "wan1"
    set action accept
    set srcaddr "all"
    set dstaddr "saml"
    set schedule "always"
    set service "ALL"
    set logtraffic all
    set nat enable
    set comments "Exempt policy"
    set captive-portal-exempt enable
  next
  edit 6
    set name "cap2"
    set uuid 3a4f1518-7b57-55dc-f5kf-21748a5ch415
    set srcintf "wifi4"
    set dstintf "wan1"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set logtraffic all
    set nat enable
    set groups "saml_grp"
  next
end

    When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.

    Previous
    Next

    Wireless Authentication using SAML Credentials 7.0.5

    Wireless Authentication using SAML Credentials 7.0.5

    When a SAML user has been configured on the FortiGate, a user group containing this SAML user can be applied to a captive portal in a wireless tunnel mode SSID. You can configure both a captive portal exempt firewall policy to allow wireless clients to contact the SAML IDP and a firewall policy with the SAML user group applied to allow authenticated traffic. When wireless clients connect to the SSID, they will be redirected to a login page for wireless authentication using SAML.

    To configure SAML Authentication - GUI:
    1. Create a SAML server on a FortiGate:
      1. Go to User & Authentication > Single Sign-On and click Create new.

      2. Enter a Name for the SAML server (saml-fac) and configure the Service Provider and Identity Provider information.

      3. When you are finished, click Submit.
    2. Create a user group with members as the SAML server you created:
      1. Go to User & Authentication > User Groups and click Create New.
      2. Enter a Name for the group (saml_grp).
      3. In the Remote Groups table, click Add.

      4. In the Remove Server dropdown, select the SAML server you created (saml-fac) and click OK.

    3. Select the user group in a Captive portal VAP:
      1. Go to WiFi & Switch Controller > SSIDs and click Create New > SSID.
      2. Enter an SSID name (_CAP_SAML).
      3. Ensure thatTraffic mode is set toTunnel.
      4. Under Security Mode Settings, set the Security mode to Captive Portal.

      5. In User groups, select the group you created (saml_grp).

      6. Configure other settings as needed.
      7. When you are finished, click OK.
    4. Create a firewall policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication:
      1. Go to Policy & Objects > Firewall Policy and click Create New.

      2. Configure the following:

        Incoming Interface

        Select the captive portal VAP (_CAL_SAML).

        Source

        all

        Destination

        Select the saml server.

        Action

        ACCEPT

      3. Configure other settings as needed.
      4. When you are finished, click OK.

      5. You can only configure captive-portal-exempt from the CLI:

         config firewall policy
  edit 8
    set captive-portal-exempt enable
  end
    5. Create a policy to let wireless clients access the outbound after passing authentication:
      1. Go to Policy & Objects > Firewall Policy and click Create New.

      2. Configure the following:

        Incoming Interface

        Select the captive portal VAP (_CAL_SAML).

        Source

        all

        Select the SAML user group (saml_grp)

        Destination

        all

        Action

        ACCEPT

      3. Configure other settings as needed.
      4. When you are finished, click OK.

    When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.

    To configure SAML Authentication - CLI:

    1. Create a SAML server on a FortiGate:

       config user saml
  edit "saml-fac"
    set entity-id "http://10.40.80.1:1000/saml/metadata/"
    set single-sign-on-url "https://10.40.80.1:1003/saml/login/"
    set single-logout-url "https://10.40.80.1:1003/saml/logout/"
    set idp-entity-id "http://172.18.58.93:443/saml-idp/wifiqa1234/metadata/"
    set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/wifiqa1234/login/"
    set idp-single-logout-url "https://172.18.58.93:443/saml-idp/wifiqa1234/logout/"
    set idp-cert "REMOTE_Cert_2"
    set user-name "username"
    set group-name "group"
    set digest-method sha1
  next
end

    2. Create a user group with members as the SAML server you created:

      config user group
  edit "saml_grp"
    set member "saml-fac"
  next
end

    3. Select the user group in a Captive portal VAP:

      config wireless-controller vap
  edit "wifi4"
    set ssid "_CAP_SAML"
    set security captive-portal
    set selected-usergroups "saml_grp"
    set security-exempt-list "wifi4-exempt-list"
    set security-redirect-url "http://www.example.com"
    set schedule "always"
  next
end

    4. Create 2 policies from VAP to outbound:

      • One policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication (firewall policy ID 8, name "exempt").
      • One policy is a regular policy that lets wireless clients access the outbound after passing authentication (firewall policy ID 6, name "cap2").

      The firewall policy ID is 8, the name is "exempt"

      config firewall policy
  edit 8
    set name "exempt"
    set uuid d8f2b572-b2fa-51ec-d3ad-3110a44be109
    set srcintf "wifi4"
    set dstintf "wan1"
    set action accept
    set srcaddr "all"
    set dstaddr "saml"
    set schedule "always"
    set service "ALL"
    set logtraffic all
    set nat enable
    set comments "Exempt policy"
    set captive-portal-exempt enable
  next
  edit 6
    set name "cap2"
    set uuid 3a4f1518-7b57-55dc-f5kf-21748a5ch415
    set srcintf "wifi4"
    set dstintf "wan1"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set logtraffic all
    set nat enable
    set groups "saml_grp"
  next
end

    When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.

    Previous
    Next