SAML SP for VPN authentication

When you configure a FortiGate as a service provider (SP), you can create an authentication profile that uses SAML for SSL VPN web portal authentication.

The following example uses a FortiGate as an SP and FortiAuthenticator as the IdP server:

To configure SSL VPN web portal authentication:
  1. Configure the FortiGate SP to be a SAML user:
    config user saml
        edit "fac-sslvpn"
            set entity-id ""
            set single-sign-on-url ""
            set single-logout-url ""
            set idp-entity-id ""
            set idp-single-sign-on-url ""
            set idp-single-logout-url ""
            set idp-cert "REMOTE_Cert_3"
            set user-name "username"
        next
    end
  2. Add the SAML user to the user group (group matching may also be configured):
    config user group
        edit "saml_sslvpn"
            set member "fac-sslvpn"
        next
    end
  3. Configure SSL VPN:
    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set source-interface "port3"
        set source-address "all"
        set source-address6 "all"
        set default-portal "full-access"
        config authentication-rule
            edit 1
                set groups "saml_sslvpn"
                set portal "full-access"
            next
        end
    end
  4. Add the SAML user group to a firewall policy:
    config firewall policy
        edit 8
            set srcintf "ssl.vdom1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set groups "local" "saml_sslvpn"
            set nat enable
        next
    end
  5. Configure the FortiAuthenticator IdP as needed.
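The chain in steps 1 through 4 only works when each object references the previous one by exact name: the SAML user must be a member of the group, the group must appear in an SSL VPN authentication rule, and a firewall policy on the SSL VPN interface must grant that group. The following script is an added example, not FortiOS or Fortinet code. It parses a FortiOS CLI listing into nested dictionaries, verifies that chain, and also flags empty or non-HTTPS SAML endpoints and a missing IdP certificate. The sample configuration it embeds is constructed from the steps above; its hostnames and URLs are placeholders, and the `parse_fortios` and `check_saml_sslvpn_chain` names are the example's own.

```python
# Added example, not FortiOS or Fortinet code: parses FortiOS CLI text and checks
# that the SAML SSL VPN objects chain together. Hostnames and URLs in the sample
# are constructed placeholders, not real endpoints.
import shlex

# Constructed sample following steps 1-4 above (only the checked fields are kept).
SAMPLE_CONFIG = """
config user saml
    edit "fac-sslvpn"
        set entity-id "https://sp.example.test:10443/remote/saml/metadata"
        set single-sign-on-url "https://sp.example.test:10443/remote/saml/login"
        set single-logout-url "https://sp.example.test:10443/remote/saml/logout"
        set idp-entity-id "https://idp.example.test/saml/metadata"
        set idp-single-sign-on-url "https://idp.example.test/saml/login"
        set idp-single-logout-url "https://idp.example.test/saml/logout"
        set idp-cert "REMOTE_Cert_3"
    next
end
config user group
    edit "saml_sslvpn"
        set member "fac-sslvpn"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "saml_sslvpn"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 8
        set srcintf "ssl.vdom1"
        set action accept
        set groups "local" "saml_sslvpn"
    next
end
"""

ENDPOINT_FIELDS = ("entity-id", "single-sign-on-url", "single-logout-url",
                   "idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url")


def parse_fortios(text):
    """'config a b'/'edit x' open a nested dict, 'set k v...' stores [v, ...], 'next'/'end' close."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{cmd}'")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def check_saml_sslvpn_chain(text):
    """Return findings for user saml -> group -> auth rule -> policy; [] means the chain is complete."""
    cfg = parse_fortios(text)
    findings = []
    groups = cfg.get("user group", {})
    saml_groups = set()
    for name, user in cfg.get("user saml", {}).items():
        # Empty SP/IdP endpoints break the SAML exchange; plain http would expose the assertion.
        for field in ENDPOINT_FIELDS:
            value = (user.get(field) or [""])[0]
            if not value:
                findings.append(f"user saml {name}: {field} is empty")
            elif not value.startswith("https://"):
                findings.append(f"user saml {name}: {field} is not https")
        if not (user.get("idp-cert") or [""])[0]:
            findings.append(f"user saml {name}: idp-cert unset, IdP signatures cannot be verified")
        member_of = [g for g, gd in groups.items() if name in gd.get("member", [])]
        if not member_of:
            findings.append(f"user saml {name}: not a member of any user group")
        saml_groups.update(member_of)
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    if not {g for r in rules.values() for g in r.get("groups", [])} & saml_groups:
        findings.append("vpn ssl settings: no authentication-rule maps a SAML group to a portal")
    # The policy must sit on the ssl.* interface, accept, and name a SAML group (unset action = deny).
    granted = [pid for pid, p in cfg.get("firewall policy", {}).items()
               if (p.get("action") or ["deny"])[0] == "accept"
               and any(i.startswith("ssl.") for i in p.get("srcintf", []))
               and set(p.get("groups", [])) & saml_groups]
    if not granted:
        findings.append("firewall policy: no accept policy on an ssl.* interface grants a SAML group")
    return findings
```

An empty list from `check_saml_sslvpn_chain` means the four objects line up; a listing like the one in step 1, with its empty URL strings, is reported as incomplete for each endpoint field. The parser accepts the indented `config`/`edit`/`set`/`next`/`end` form the steps above use, so a `show` listing of those sections can be fed to it directly.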
To connect from the SSL VPN web portal:
  1. In a web browser, enter the portal address. The SAML login page appears: