Administration Guide

SAML SP for VPN authentication

When you configure a FortiGate as a service provider (SP), you can create an authentication profile that uses SAML for SSL VPN web portal authentication.

The following example uses a FortiGate as an SP and FortiAuthenticator as the IdP server:

To configure SSL VPN web portal authentication:
  1. Configure the FortiGate SP to be a SAML user:
    config user saml
        edit "fac-sslvpn"
            set entity-id "https://10.2.2.2:10443/remote/saml/metadata/"
            set single-sign-on-url "https://10.2.2.2:10443/remote/saml/login/"
            set single-logout-url "https://10.2.2.2:10443/remote/saml/logout/"
            set idp-entity-id "http://172.18.58.93:443/saml-idp/ssssss/metadata/"
            set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/ssssss/login/"
            set idp-single-logout-url "https://172.18.58.93:443/saml-idp/ssssss/logout/"
            set idp-cert "REMOTE_Cert_3"
            set user-name "username"
        next
    end
  2. Add the SAML user to the user group (group matching may also be configured):
    config user group
        edit "saml_sslvpn"
            set member "fac-sslvpn"
        next
    end
  3. Configure SSL VPN:
    config vpn ssl settings
        set servercert "Fortinet_Factory"
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set source-interface "port3"
        set source-address "all"
        set source-address6 "all"
        set default-portal "full-access"
        config authentication-rule
            edit 1
                set groups "saml_sslvpn"
                set portal "full-access"
            next
        end
    end
  4. Add the SAML user group to a firewall policy:
    config firewall policy
        edit 8
            set srcintf "ssl.vdom1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set groups "local" "saml_sslvpn"
            set nat enable
        next
    end
  5. Configure the FortiAuthenticator IdP as needed.
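As an added example (not part of the guide), the Python below parses the `config user saml` entry from step 1, flags SP or IdP endpoint URLs that are not HTTPS and a missing `idp-cert`, and renders the minimal SP metadata an IdP administrator would import. The metadata shape is my own rendering, not what the FortiGate itself serves at its entity-id URL, and the IdP entity ID is deliberately not flagged for `http://` because it is an identifier rather than an endpoint.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the page's `config user saml` entry (same values as the guide).
FORTIOS_SAML_BLOCK = """\
config user saml
    edit "fac-sslvpn"
        set entity-id "https://10.2.2.2:10443/remote/saml/metadata/"
        set single-sign-on-url "https://10.2.2.2:10443/remote/saml/login/"
        set single-logout-url "https://10.2.2.2:10443/remote/saml/logout/"
        set idp-entity-id "http://172.18.58.93:443/saml-idp/ssssss/metadata/"
        set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/ssssss/login/"
        set idp-single-logout-url "https://172.18.58.93:443/saml-idp/ssssss/logout/"
        set idp-cert "REMOTE_Cert_3"
        set user-name "username"
    next
end
"""
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*)"?\s*$')
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def parse_saml_sp(block: str) -> dict:
    """Collect the `set <key> <value>` pairs of one `config user saml` entry."""
    pairs = (SET_RE.match(line) for line in block.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def audit_saml_sp(cfg: dict) -> list:
    """Findings a reviewer would raise before trusting this SP entry."""
    findings = []
    # Endpoints that carry SAMLRequest/SAMLResponse messages must be TLS-protected.
    for key in ("single-sign-on-url", "single-logout-url",
                "idp-single-sign-on-url", "idp-single-logout-url"):
        if not cfg.get(key, "").startswith("https://"):
            findings.append(f"{key} is not https")
    # Without the IdP certificate the FortiGate cannot verify assertion signatures.
    if not cfg.get("idp-cert"):
        findings.append("idp-cert is not set")
    if not cfg.get("user-name"):
        findings.append("user-name attribute is not mapped")
    return findings

def sp_metadata(cfg: dict) -> str:
    """Minimal SP metadata (assumed shape, not the FortiGate's own) for the IdP import."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=cfg["entity-id"])
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=POST, Location=cfg["single-logout-url"])
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=POST, Location=cfg["single-sign-on-url"], index="0")
    return ET.tostring(ed, encoding="unicode")
```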
To connect from the SSL VPN web portal:
  1. In a web browser, enter the portal address. The SAML login page appears:

  2. Enter the user name and password.
  3. Click Login, or if SSO has been configured, click Single-Sign-On.

    Once authenticated, the web portal opens.
