When you configure a FortiGate as a service provider (SP), you can create an authentication profile that uses SAML for SSL VPN web portal authentication.
The following example uses a FortiGate as an SP and FortiAuthenticator as the IdP server:
- Configure the FortiGate SP to be a SAML user:
config user saml edit "fac-sslvpn" set entity-id "https://10.2.2.2:10443/remote/saml/metadata/" set single-sign-on-url "https://10.2.2.2:10443/remote/saml/login/" set single-logout-url "https://10.2.2.2:10443/remote/saml/logout/" set idp-entity-id "http://172.18.58.93:443/saml-idp/ssssss/metadata/" set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/ssssss/login/" set idp-single-logout-url "https://172.18.58.93:443/saml-idp/ssssss/logout/" set idp-cert "REMOTE_Cert_3" set user-name "username" next end
- Add the SAML user to the user group (group matching may also be configured):
config user group edit "saml_sslvpn" set member "fac-sslvpn" next end
- Configure SSL VPN:
config vpn ssl settings set servercert "Fortinet_Factory" set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" set source-interface "port3" set source-address "all" set source-address6 "all" set default-portal "full-access" config authentication-rule edit 1 set groups "saml_sslvpn" set portal "full-access" next end end
- Add the SAML user group to a firewall policy:
config firewall policy edit 8 set srcintf "ssl.vdom1" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set groups "local" "saml_sslvpn" set nat enable next end
- Configure the FortiAuthenticator IdP as needed.
- In a web browser, enter the portal address. The SAML login page appears:
- Enter the user name and password.
- Click Login, or if SSO has been configured, click Single-Sign-On.
Once authenticated, the web portal opens.