Fortinet black logo

Administration Guide

Using a browser as an external user-agent for SAML authentication in an SSL VPN connection

Using a browser as an external user-agent for SAML authentication in an SSL VPN connection

FortiClient can use a browser as an external user-agent to perform SAML authentication for SSL VPN tunnel mode, instead of the FortiClient embedded log in window. If a user has already done SAML authentication in the default browser, they do not need to authenticate again in the FortiClient built-in browser. FortiClient 7.0.1 and later is required.

The following CLI is used to set the SAML local redirect port on the FortiClient endpoint after successful SAML authentication:

config vpn ssl settings
    set saml-redirect-port <port>
end

Example

In this example, a user wants to use their default browser to connect to IdP for SAML authentication, without needing to separately authenticate in the FortiClient built-in browser. After authenticating in the browser, FortiClient obtains the authentication cookie directly from the browser.

The authentication process proceeds as follows:

  1. The remote client uses FortiClient to connect to the FortiGate SSL VPN on 172.16.58.92:1443 with the Use external browser as user-agent for saml user authentication option enabled.

  2. The SSL VPN redirects FortiClient to complete SAML authentication using the Identity Provider (IdP).

  3. FortiClient opens the default browser to authenticate the IdP server.

  4. After a successful authentication, the browser redirects to localhost:<port>, where the port is defined by the saml-redirect-port variable on the FortiGate.

  5. FortiClient reads the authentication ID passed by the successful authentication, then requests that the SAML authentication process continues on the FortiGate with this ID.

  6. The FortiGate continues with the remaining SSL-VPN host-check and other steps until it receives the authentication cookie. It then allow the SSL VPN user to connect using tunnel mode.

To configure the VPN:
  1. Configure a SAML user:

    config user saml
        edit "su1"
            set cert "fgt_gui_automation"
            set entity-id "http://172.18.58.92:1443/remote/saml/metadata/"
            set single-sign-on-url "https://172.18.58.92:1443/remote/saml/login/"
            set single-logout-url "https://172.18.58.92:1443/remote/saml/logout/"
            set idp-entity-id "http://172.18.58.93:443/saml-idp/222222/metadata/"
            set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/222222/login/"
            set idp-single-logout-url "https://172.18.58.93:443/saml-idp/222222/logout/"
            set idp-cert "REMOTE_Cert_1"
            set user-name "Username"
            set group-name "Groupname"
            set digest-method sha1
        next
    end
  2. Add the SAML user to a user group:

    config user group
        edit "saml_grp"
            set member "su1"
        next
    end
  3. Create an SSL VPN web portal:

    config vpn ssl web portal
        edit "testportal1"
            set tunnel-mode enable
            set ipv6-tunnel-mode enable
            set web-mode enable
            ...
        next
    end
  4. Configure the SSL VPN:

    config vpn ssl settings
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set port 1443
        set source-interface "port2"
        set source-address "all"
        set source-address6 "all"
        set default-portal "testportal1"
        ...
    end
  5. Configure a firewall policy for the SSL VPN and assign the SAML group and a local user to it:

    config firewall policy
        edit 1
            set name "policy_to_sslvpn_tunnel"                    
            set srcintf "ssl.root"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set nat enable
            set groups "saml_grp"
            set users "u1"
        next
    end
  6. Enable the SAML redirect port:

    config vpn ssl settings
        set saml-redirect-port 8020
    end
To connect to the VPN using FortiClient:
  1. Configure the SSL VPN connection:

    1. Open FortiClient and go to the Remote Access tab and click Configure VPN.

    2. Enter a name for the connection.

    3. Set the Remote Gateway to the FortiGate port 172.18.58.92.

    4. Enable Customize port and set the port to 1443.

    5. Enable Enable Single Sign On (SSO) for VPN Tunnel and Use external browser as user-agent for saml user authentication.

    6. Click Save.

  2. On the Remote Access tab select the FGT401E_SSO VPN connection from the dropdown list.

  3. Click SAML Login.

    The default browser opens to the IdP authentication page.

  4. Enter the username and password, then click Login.

    The authenticated result is sent back to FortiClient and the connection is established.

To check the connection on the FortiGate:
# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 1       fac3    saml_grp       256(1)           N/A     10.1.100.254   0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       fac3    saml_grp       10.1.100.254     5       9990/8449      10.212.134.200,fdff:ffff::1
# diagnose firewall auth list

10.212.134.200, fac3
        type: fw, id: 0, duration: 6, idled: 0
        expire: 259199, allow-idle: 259200
        flag(80): sslvpn
        server: su1
        packets: in 28 out 28, bytes: in 23042 out 8561
        group_id: 5
        group_name: saml_grp

Using a browser as an external user-agent for SAML authentication in an SSL VPN connection

FortiClient can use a browser as an external user-agent to perform SAML authentication for SSL VPN tunnel mode, instead of the FortiClient embedded log in window. If a user has already done SAML authentication in the default browser, they do not need to authenticate again in the FortiClient built-in browser. FortiClient 7.0.1 and later is required.

The following CLI is used to set the SAML local redirect port on the FortiClient endpoint after successful SAML authentication:

config vpn ssl settings
    set saml-redirect-port <port>
end

Example

In this example, a user wants to use their default browser to connect to IdP for SAML authentication, without needing to separately authenticate in the FortiClient built-in browser. After authenticating in the browser, FortiClient obtains the authentication cookie directly from the browser.

The authentication process proceeds as follows:

  1. The remote client uses FortiClient to connect to the FortiGate SSL VPN on 172.16.58.92:1443 with the Use external browser as user-agent for saml user authentication option enabled.

  2. The SSL VPN redirects FortiClient to complete SAML authentication using the Identity Provider (IdP).

  3. FortiClient opens the default browser to authenticate the IdP server.

  4. After a successful authentication, the browser redirects to localhost:<port>, where the port is defined by the saml-redirect-port variable on the FortiGate.

  5. FortiClient reads the authentication ID passed by the successful authentication, then requests that the SAML authentication process continues on the FortiGate with this ID.

  6. The FortiGate continues with the remaining SSL-VPN host-check and other steps until it receives the authentication cookie. It then allow the SSL VPN user to connect using tunnel mode.

To configure the VPN:
  1. Configure a SAML user:

    config user saml
        edit "su1"
            set cert "fgt_gui_automation"
            set entity-id "http://172.18.58.92:1443/remote/saml/metadata/"
            set single-sign-on-url "https://172.18.58.92:1443/remote/saml/login/"
            set single-logout-url "https://172.18.58.92:1443/remote/saml/logout/"
            set idp-entity-id "http://172.18.58.93:443/saml-idp/222222/metadata/"
            set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/222222/login/"
            set idp-single-logout-url "https://172.18.58.93:443/saml-idp/222222/logout/"
            set idp-cert "REMOTE_Cert_1"
            set user-name "Username"
            set group-name "Groupname"
            set digest-method sha1
        next
    end
  2. Add the SAML user to a user group:

    config user group
        edit "saml_grp"
            set member "su1"
        next
    end
  3. Create an SSL VPN web portal:

    config vpn ssl web portal
        edit "testportal1"
            set tunnel-mode enable
            set ipv6-tunnel-mode enable
            set web-mode enable
            ...
        next
    end
  4. Configure the SSL VPN:

    config vpn ssl settings
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set port 1443
        set source-interface "port2"
        set source-address "all"
        set source-address6 "all"
        set default-portal "testportal1"
        ...
    end
  5. Configure a firewall policy for the SSL VPN and assign the SAML group and a local user to it:

    config firewall policy
        edit 1
            set name "policy_to_sslvpn_tunnel"                    
            set srcintf "ssl.root"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set nat enable
            set groups "saml_grp"
            set users "u1"
        next
    end
  6. Enable the SAML redirect port:

    config vpn ssl settings
        set saml-redirect-port 8020
    end
To connect to the VPN using FortiClient:
  1. Configure the SSL VPN connection:

    1. Open FortiClient and go to the Remote Access tab and click Configure VPN.

    2. Enter a name for the connection.

    3. Set the Remote Gateway to the FortiGate port 172.18.58.92.

    4. Enable Customize port and set the port to 1443.

    5. Enable Enable Single Sign On (SSO) for VPN Tunnel and Use external browser as user-agent for saml user authentication.

    6. Click Save.

  2. On the Remote Access tab select the FGT401E_SSO VPN connection from the dropdown list.

  3. Click SAML Login.

    The default browser opens to the IdP authentication page.

  4. Enter the username and password, then click Login.

    The authenticated result is sent back to FortiClient and the connection is established.

To check the connection on the FortiGate:
# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 1       fac3    saml_grp       256(1)           N/A     10.1.100.254   0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       fac3    saml_grp       10.1.100.254     5       9990/8449      10.212.134.200,fdff:ffff::1
# diagnose firewall auth list

10.212.134.200, fac3
        type: fw, id: 0, duration: 6, idled: 0
        expire: 259199, allow-idle: 259200
        flag(80): sslvpn
        server: su1
        packets: in 28 out 28, bytes: in 23042 out 8561
        group_id: 5
        group_name: saml_grp