Fortinet black logo

New Features

Wireless Authentication using SAML Credentials 7.0.5

Wireless Authentication using SAML Credentials 7.0.5

When a SAML user has been configured on the FortiGate, a user group containing this SAML user can be applied to a captive portal in a wireless tunnel mode SSID. You can configure both a captive portal exempt firewall policy to allow wireless clients to contact the SAML IDP and a firewall policy with the SAML user group applied to allow authenticated traffic. When wireless clients connect to the SSID, they will be redirected to a login page for wireless authentication using SAML.

To configure SAML Authentication - GUI:
  1. Create a SAML server on a FortiGate:
    1. Go to User & Authentication > Single Sign-On and click Create new.
    2. Enter a Name for the SAML server (saml-fac) and configure the Service Provider and Identity Provider information.

    3. When you are finished, click Submit.
  2. Create a user group with members as the SAML server you created:
    1. Go to User & Authentication > User Groups and click Create New.
    2. Enter a Name for the group (saml_grp).
    3. In the Remote Groups table, click Add.
    4. In the Remove Server dropdown, select the SAML server you created (saml-fac) and click OK.

  3. Select the user group in a Captive portal VAP:
    1. Go to WiFi & Switch Controller > SSIDs and click Create New > SSID.
    2. Enter an SSID name (_CAP_SAML).
    3. Ensure thatTraffic mode is set toTunnel.
    4. Under Security Mode Settings, set the Security mode to Captive Portal.
    5. In User groups, select the group you created (saml_grp).

    6. Configure other settings as needed.
    7. When you are finished, click OK.
  4. Create a firewall policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Configure the following:

      Incoming Interface

      Select the captive portal VAP (_CAL_SAML).

      Source

      all

      Destination

      Select the saml server.

      Action

      ACCEPT

    3. Configure other settings as needed.
    4. When you are finished, click OK.
    5. You can only configure captive-portal-exempt from the CLI:

       config firewall policy
        edit 8
          set captive-portal-exempt enable
        end
      
  5. Create a policy to let wireless clients access the outbound after passing authentication:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Configure the following:

      Incoming Interface

      Select the captive portal VAP (_CAL_SAML).

      Source

      all

      Select the SAML user group (saml_grp)

      Destination

      all

      Action

      ACCEPT

    3. Configure other settings as needed.
    4. When you are finished, click OK.

When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.

To configure SAML Authentication - CLI:
  1. Create a SAML server on a FortiGate:

     config user saml
      edit "saml-fac"
        set entity-id "http://10.40.80.1:1000/saml/metadata/"
        set single-sign-on-url "https://10.40.80.1:1003/saml/login/"
        set single-logout-url "https://10.40.80.1:1003/saml/logout/"
        set idp-entity-id "http://172.18.58.93:443/saml-idp/wifiqa1234/metadata/"
        set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/wifiqa1234/login/"
        set idp-single-logout-url "https://172.18.58.93:443/saml-idp/wifiqa1234/logout/"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
      next
    end
  2. Create a user group with members as the SAML server you created:

    config user group
      edit "saml_grp"
        set member "saml-fac"
      next
    end
  3. Select the user group in a Captive portal VAP:

    config wireless-controller vap
      edit "wifi4"
        set ssid "_CAP_SAML"
        set security captive-portal
        set selected-usergroups "saml_grp"
        set security-exempt-list "wifi4-exempt-list"
        set security-redirect-url "http://www.example.com"
        set schedule "always"
      next
    end
  4. Create 2 policies from VAP to outbound:

    • One policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication (firewall policy ID 8, name "exempt").
    • One policy is a regular policy that lets wireless clients access the outbound after passing authentication (firewall policy ID 6, name "cap2").

    The firewall policy ID is 8, the name is "exempt"

    config firewall policy
      edit 8
        set name "exempt"
        set uuid d8f2b572-b2fa-51ec-d3ad-3110a44be109
        set srcintf "wifi4"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "saml"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set comments "Exempt policy"
        set captive-portal-exempt enable
      next
      edit 6
        set name "cap2"
        set uuid 3a4f1518-7b57-55dc-f5kf-21748a5ch415
        set srcintf "wifi4"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "saml_grp"
      next
    end

When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.

Wireless Authentication using SAML Credentials 7.0.5

Wireless Authentication using SAML Credentials 7.0.5

When a SAML user has been configured on the FortiGate, a user group containing this SAML user can be applied to a captive portal in a wireless tunnel mode SSID. You can configure both a captive portal exempt firewall policy to allow wireless clients to contact the SAML IDP and a firewall policy with the SAML user group applied to allow authenticated traffic. When wireless clients connect to the SSID, they will be redirected to a login page for wireless authentication using SAML.

To configure SAML Authentication - GUI:
  1. Create a SAML server on a FortiGate:
    1. Go to User & Authentication > Single Sign-On and click Create new.
    2. Enter a Name for the SAML server (saml-fac) and configure the Service Provider and Identity Provider information.

    3. When you are finished, click Submit.
  2. Create a user group with members as the SAML server you created:
    1. Go to User & Authentication > User Groups and click Create New.
    2. Enter a Name for the group (saml_grp).
    3. In the Remote Groups table, click Add.
    4. In the Remove Server dropdown, select the SAML server you created (saml-fac) and click OK.

  3. Select the user group in a Captive portal VAP:
    1. Go to WiFi & Switch Controller > SSIDs and click Create New > SSID.
    2. Enter an SSID name (_CAP_SAML).
    3. Ensure thatTraffic mode is set toTunnel.
    4. Under Security Mode Settings, set the Security mode to Captive Portal.
    5. In User groups, select the group you created (saml_grp).

    6. Configure other settings as needed.
    7. When you are finished, click OK.
  4. Create a firewall policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Configure the following:

      Incoming Interface

      Select the captive portal VAP (_CAL_SAML).

      Source

      all

      Destination

      Select the saml server.

      Action

      ACCEPT

    3. Configure other settings as needed.
    4. When you are finished, click OK.
    5. You can only configure captive-portal-exempt from the CLI:

       config firewall policy
        edit 8
          set captive-portal-exempt enable
        end
      
  5. Create a policy to let wireless clients access the outbound after passing authentication:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Configure the following:

      Incoming Interface

      Select the captive portal VAP (_CAL_SAML).

      Source

      all

      Select the SAML user group (saml_grp)

      Destination

      all

      Action

      ACCEPT

    3. Configure other settings as needed.
    4. When you are finished, click OK.

When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.

To configure SAML Authentication - CLI:
  1. Create a SAML server on a FortiGate:

     config user saml
      edit "saml-fac"
        set entity-id "http://10.40.80.1:1000/saml/metadata/"
        set single-sign-on-url "https://10.40.80.1:1003/saml/login/"
        set single-logout-url "https://10.40.80.1:1003/saml/logout/"
        set idp-entity-id "http://172.18.58.93:443/saml-idp/wifiqa1234/metadata/"
        set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/wifiqa1234/login/"
        set idp-single-logout-url "https://172.18.58.93:443/saml-idp/wifiqa1234/logout/"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
      next
    end
  2. Create a user group with members as the SAML server you created:

    config user group
      edit "saml_grp"
        set member "saml-fac"
      next
    end
  3. Select the user group in a Captive portal VAP:

    config wireless-controller vap
      edit "wifi4"
        set ssid "_CAP_SAML"
        set security captive-portal
        set selected-usergroups "saml_grp"
        set security-exempt-list "wifi4-exempt-list"
        set security-redirect-url "http://www.example.com"
        set schedule "always"
      next
    end
  4. Create 2 policies from VAP to outbound:

    • One policy with captive-portal-exempt enabled to ensure wireless clients can access the SAML server without authentication (firewall policy ID 8, name "exempt").
    • One policy is a regular policy that lets wireless clients access the outbound after passing authentication (firewall policy ID 6, name "cap2").

    The firewall policy ID is 8, the name is "exempt"

    config firewall policy
      edit 8
        set name "exempt"
        set uuid d8f2b572-b2fa-51ec-d3ad-3110a44be109
        set srcintf "wifi4"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "saml"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set comments "Exempt policy"
        set captive-portal-exempt enable
      next
      edit 6
        set name "cap2"
        set uuid 3a4f1518-7b57-55dc-f5kf-21748a5ch415
        set srcintf "wifi4"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "saml_grp"
      next
    end

When a wireless client connects to the SSID, it is redirected to the SAML login portal page. After the client submits the correct credentials, it can access the internet.