SAML authentication in a proxy policy

SAML user authentication can be used in explicit web proxies and transparent web proxies with the FortiGate acting as a SAML SP. SAML can be used as an authentication method for an authentication scheme that requires using a captive portal.

Topology

In this configuration, SAML authentication is used with an explicit web proxy. The IdP is a Windows 2016 server configured with ADFS. The LDAP and IdP servers are on the same server. The LDAP server is used as the user backend for the IdP to perform authentication; however, they are not required to be on the same server.

The authentication and authorization flow is as follows:

  1. The client opens a browser and visits https://www.google.com.
  2. The browser is redirected by the web proxy to the captive portal.
  3. The request is redirected to the IdP's sign-in page.
  4. If the user signs in, the IdP authenticates the user and sends back a SAML assertion message to the FortiGate with the user group information.
  5. If the FortiGate authentication scheme has a user database configured, the FortiGate will query the LDAP server for the user group information and ignore the user group information from the SAML message.
  6. The user group information is returned. The FortiGate matches the user group information against the LDAP group in the proxy policy group settings. If there is a match, the request is authorized and the proxy policy is matched.
  7. If all policy criteria match successfully, then the webpage is returned to the client.
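
The authorization flow above, modelled as an added example that is not Fortinet's code: it parses a constructed SAML Response and applies the group-selection rule from steps 5 and 6. The ADFS group claim name, the directory contents in LDAP_GROUPS and the sample assertion are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# ADFS group claim type (assumed; the attribute name actually issued depends on the IdP's claim rules)
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"

# Constructed, unsigned sample Response for illustration. A real SP must verify the
# XML signature, Issuer, Audience and validity window before trusting any of this.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Proxy-Users</saml:AttributeValue>
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the LDAP user backend (hypothetical directory contents).
LDAP_GROUPS = {"alice@example.com": ["Proxy-Users"], "bob@example.com": ["Guests"]}

def parse_response(xml_text):
    """Step 4: return (success, name_id, group_values) carried by the SAML Response."""
    root = ET.fromstring(xml_text)
    ok = root.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    groups = [v.text
              for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == GROUP_ATTR
              for v in a.iterfind("saml:AttributeValue", NS)]
    return ok, name_id, groups

def authorize(xml_text, policy_groups, user_database=True):
    """Steps 5-6: choose the group source, then match it against the policy's groups."""
    ok, user, saml_groups = parse_response(xml_text)
    if not ok or not user:
        return False, []
    # With a user database on the authentication scheme, the FortiGate queries LDAP
    # and ignores the groups in the SAML message; otherwise the SAML groups are used.
    groups = LDAP_GROUPS.get(user, []) if user_database else saml_groups
    matched = sorted(set(groups) & set(policy_groups))
    return bool(matched), matched
```

Note that the same assertion is authorized against "Domain Users" only when no user database is configured, because the LDAP lookup replaces the groups carried in the SAML message.
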

To configure SAML authentication with an explicit web proxy:
  1. Enable the web proxy:
    config web-proxy explicit
        set status enable
        set http-incoming-port 8080
    end
  2. Enable the proxy captive portal:
    config system interface
        edit "port10"