ZTNA access proxy with SAML and MFA using FortiAuthenticator example

ZTNA access proxy supports device verification using device certificates that are issued by EMS. To authenticate users, administrators can use either basic or SAML authentication. An advantage of SAML authentication is that multi-factor authentication (MFA) can be provided by the SAML Identity Provider (IdP).

In these examples, a FortiAuthenticator is used as the IdP, and MFA is applied to user authentication for remote users accessing the web, RDP, and SSH resources over the ZTNA access proxy. It is assumed that the FortiGate EMS fabric connector has already been successfully connected.

DNS resolutions:

  • ztna.fortidemo.fortinet.com:20443 ->

  • entcore.fortidemo.fortinet.com:20443 ->

  • fac.fortidemo.fortinet.com ->

The FortiAuthenticator (FAC) integrates with Active Directory (AD) on the Windows Domain Controller, which is also acting as the EMS server. Users are synchronized from the AD to the FAC, and remote users are configured with token-based authentication. SAML authentication is configured on the FortiGate, pointing to the FAC as the SAML IdP. The SAML server is applied to the ZTNA access proxy authentication scheme and rule, to provide the foundation for applying user authentication on individual ZTNA rules.

Configuring the FortiAuthenticator

First configure the FortiAuthenticator to synchronize users from AD using LDAP, apply MFA to individual remote users, and be the IdP.

To create a remote authentication server pointing to the Windows AD:
  1. Go to Authentication > Remote Auth. Servers > LDAP and click Create New.

  2. Configure the following:

     Setting                        Value
     Primary server name / IP
     Port                           389 (or another port if using LDAPS)
     Base distinguished name
     Bind type
     Username                       <user account used for LDAP bind>
     Password                       <password of user>
     User object class              person (default)
     Username attribute             sAMAccountName (default)
     Group object class             group (default)
     Obtain group membership from
     Group attribute
     Group membership attribute     memberOf (default)
     Secure connection              Enable if using LDAPS or STARTTLS

  3. Click OK.

  4. In the Remote LDAP Users section click Go.

  5. Select the users to import then click OK.

  6. Click OK.

    For more details, see LDAP in the FortiAuthenticator Administration Guide.
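As an added example that is not part of the Fortinet guide, the following Python reads the LDIF that an ldapsearch against the domain controller returns (using the Username attribute and Group membership attribute values from the table above, sAMAccountName and memberOf) and reports which imported users would pass a realm group filter such as the Customer Support and Marketing filter applied on the SAML IdP later in this example. The sample LDIF is constructed, and ALLOWED_GROUPS, parse_ldif, group_cn and admitted_users are names chosen here.

```python
# Added example, not from the Fortinet guide: preview which AD users pass the
# realm group filter on the FortiAuthenticator SAML IdP, given the LDIF that an
# ldapsearch returns using the attributes from the LDAP table above
# (sAMAccountName, memberOf). Plain LDIF only; base64 '::' values are not handled.
ALLOWED_GROUPS = {"Customer Support", "Marketing"}  # groups enabled in the realm Filter

# Constructed sample LDIF; not real directory data.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Users,DC=fortidemo,DC=fortinet,DC=com
sAMAccountName: alice
memberOf: CN=Customer Support,OU=Groups,DC=fortidemo,DC=fortinet,DC=com

dn: CN=Bob,OU=Users,DC=fortidemo,DC=fortinet,DC=com
sAMAccountName: bob
memberOf: CN=Finance,OU=Groups,DC=fortidemo,DC=fortinet,DC=com
memberOf: CN=Marketing,OU=Groups,DC=fortidemo,DC=fortinet,DC=com

dn: CN=Carol,OU=Users,DC=fortidemo,DC=fortinet,DC=com
sAMAccountName: carol
memberOf: CN=Finance,OU=Groups,DC=fortidemo,DC=fortinet,DC=com
"""

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def group_cn(dn):
    """Return the CN of a group DN ('Marketing' from 'CN=Marketing,OU=...')."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if rdn.upper().startswith("CN=") else rdn

def admitted_users(ldif_text, allowed=ALLOWED_GROUPS):
    """Map sAMAccountName -> True if the user is in at least one allowed group."""
    result = {}
    for entry in parse_ldif(ldif_text):
        groups = {group_cn(g) for g in entry.get("memberOf", [])}
        for name in entry.get("sAMAccountName", []):  # entries without it are skipped
            result[name] = bool(groups & allowed)
    return result
```

Running admitted_users(SAMPLE_LDIF) on the constructed data admits alice and bob and filters out carol, which is the membership the realm filter will enforce at login.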

To configure a remote LDAP user to use MFA:
  1. Go to Authentication > User Management > Remote Users, and edit a user.

  2. Enable Token-based authentication, then select the method of token code delivery.

    For this example, select FortiToken > Mobile, select the Token from the drop-down list, and set the Activation delivery method to email.

  3. In the User Information section, add the email address that will be used for the FortiToken activation.

  4. Click OK.

    An activation email is sent to the user, which they can use to install the token in their FortiToken Mobile app.

    For more details, see Remote users in the FortiAuthenticator Administration Guide.

To configure SAML IdP:
  1. Go to Authentication > SAML IdP > General and enable Enable SAML Identity Provider portal.

  2. The Server address is the device FQDN or IP address (configured in the System Information widget at System > Dashboard > Status). In this example, it is fac.fortidemo.fortinet.com.

  3. Set Username input format to username@realm.

  4. Click Add a realm in the Realms table:

    1. Set Realm to the just created LDAP realm (AD).

    2. Optionally, enable Filter and select the required user groups. In this example, Customer Support and Marketing are configured.

  5. Set Default IdP certificate to the certificate that will be used in the HTTPS connection to the IdP portal.

  6. Click OK.

  7. Go to Authentication > SAML IdP > Service Providers, and click Create New to create a service provider (SP) entry for the FortiGate.

  8. Configure the following, which must match what will be configured on the FortiGate:

    SP na