Outbound firewall authentication with Azure AD as a SAML IdP

In this example, users are managed through Microsoft Azure Active Directory (AD). The FortiGate is configured for SSO firewall authentication for outbound traffic, with authentication performed by the Azure AD as a SAML identity provider (IdP).

The SAML interaction occurs as follows:

  1. The user initiates web traffic to the internet.
  2. The FortiGate redirects the user to its local captive portal, which in turn redirects the user to the SAML IdP.
  3. The user is sent to the Microsoft login page, which handles the SAML authentication request.
  4. The SAML IdP returns a SAML assertion containing the user and group attributes.
  5. The browser forwards the SAML assertion to the SAML SP (the FortiGate).
  6. If the user and group are allowed by the FortiGate, the user is allowed to access the internet.

In this example environment, a user is added in the Azure AD belonging to the security group called Firewall.

  • Username: John Locus
  • User login: jlocus@azure.kldocs.com
  • Group: Firewall (ID 62b699ce-4f80-48c0-846e-c1dfde2dc667)

The goal is to allow users in the Firewall group to access the internet after passing firewall authentication.

Configuring the Azure AD

The following Azure AD configuration demonstrates how to add the FortiGate as an enterprise non-gallery application. This application provides SAML SSO connectivity to the Azure AD IdP. Some steps are performed concurrently on the FortiGate.

Note

This example is configured with an Azure AD free-tier directory. User management in this tier may have limitations that do not apply to other tiers. Consult the Microsoft Azure AD documentation for more information.

There are three steps to configure the Azure AD:

  1. Create a new enterprise application.
  2. Configure the SAML SSO settings on the application and FortiGate.
  3. Assign Azure AD users and groups to the application.

To create a new enterprise application:
  1. Log in to the Azure portal.
  2. In the Azure portal menu, click Azure Active Directory.
  3. In the left-side menu, go to Manage > Enterprise applications.
  4. Click New application.

  5. Click Create your own application.

  6. Enter a name for the application (SAML-FW-Auth) and select Integrate any other application you don't find in the gallery (Non-gallery).

  7. Click Create.

To configure the SAML SSO settings on the application and FortiGate:

Note

This procedure requires going back and forth between Azure and the FortiGate GUI. Leave the FortiGate GUI open for the entire procedure.

  1. On the Enterprise Application Overview page, go to Manage > Single sign-on and select SAML as the single sign-on method.

  2. Under the SAML Signing Certificate section, download the Base64 certificate.

  3. Import the certificate from Azure on the FortiGate as the IdP certificate:
    1. Go to System > Certificates and click Create/Import > Remote Certificate.
    2. Upload the certificate from Azure and click OK. The new certificate appears under the Remote Certificate section with the name REMOTE_Cert_(N).
    3. Optionally, rename the certificate in the CLI to give it a more recognizable name:
      config vpn certificate remote
          rename REMOTE_Cert_3 to AZURE_AD_SAML_FW
      end
  4. The Basic SAML Configuration section in Azure describes the SAML SP entity and links that Azure will reference. Configure these settings on the FortiGate by creating a new SAML server object and defining the SP address. The SP (IP or FQDN) address should be accessible by the user who is authenticating against the firewall. The port used should match the port used by the FortiGate firewall authentication captive portal. By default, this is port 1003 for HTTPS:
    1. Go to User & Authentication > Single Sign-On and click Create New.
    2. Enter a Name for the SAML object, Azure-AD-SAML.
    3. Enter the SP address, 10.1.0.1:1003. The three SP URLs are automatically populated.

  5. In Azure on the Set up Single Sign-On with SAML page, copy the following URLs from the FortiGate to the Basic SAML Configuration section:

     From FortiGate                                                     To Azure field
     SP entity ID (http://10.1.0.1:1003/remote/saml/metadata/)          Identifier (Entity ID), set to Default
     SP single sign-on URL (https://10.1.0.1:1003/remote/saml/login/)   Reply URL and Sign on URL
     SP single logout URL (https://10.1.0.1:1003/remote/saml/logout/)   Logout URL

  6. Click Save.

  7. In the Set up <application name> section, copy the URLs from Azure to the FortiGate in the IdP Details section:

    1. On the FortiGate, click Next.
    2. For IdP type, select Custom and copy the following from Azure to the corresponding field:

       From Azure            To FortiGate field
       Azure AD Identifier   IdP entity ID
       Login URL             IdP single sign-on URL
       Logout URL            IdP single logout URL

    3. For IdP certificate, select the remote certificate imported earlier.
  8. In Azure, edit the User Attributes & Claims section. The attributes are returned in the SAML assertion, which the FortiGate uses to verify the user and group. Configuring group matching is optional.
    1. Click Add new claim, name it username, and set the Source attribute to user.displayname. The source attribute can be any of the related username fields. The value of the username returned to the FortiGate will be used in logs and monitors to identify the user.
    2. Click Save.
    3. Click Add a group claim and in the Group Claims pane, select All groups.
    4. In Advanced Options, select Customize the name of the group claim. Set the name to group.

    5. Click Save. The User Attributes & Claims section displays the updated settings.

  9. On the FortiGate, update the Additional SAML Attributes section with the username and group created in Azure:
    1. For Attribute used to identify users, enter username.

    2. For Attribute used to identify groups, enter group.

    3. Click Submit.
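The SAML server object that steps 4 to 9 build in the GUI can also be created in the CLI, which is useful for scripting the deployment or for comparing a running unit against the Azure values. The following is an added example and is not from the original page. The SP URLs are the ones shown above; the IdP URLs follow the usual Azure AD form with the placeholder <tenant-id> standing in for the directory's tenant ID (an assumption here, copy the real values from the Set up <application name> section in Azure), and AZURE_AD_SAML_FW is the remote certificate renamed in step 3.

```fortios
# Added example: CLI equivalent of the Azure-AD-SAML object built in the GUI.
# <tenant-id> is a placeholder for the Azure AD tenant (directory) ID; copy the
# real Azure AD Identifier, Login URL and Logout URL from the Azure portal.
config user saml
    edit "Azure-AD-SAML"
        # SP side: must match what was entered in Basic SAML Configuration in Azure
        set entity-id "http://10.1.0.1:1003/remote/saml/metadata/"
        set single-sign-on-url "https://10.1.0.1:1003/remote/saml/login/"
        set single-logout-url "https://10.1.0.1:1003/remote/saml/logout/"
        # IdP side: Azure AD Identifier, Login URL and Logout URL from Azure
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        # Remote certificate used to verify the IdP signature on the assertion
        set idp-cert "AZURE_AD_SAML_FW"
        # Attribute names; these must match the claim names configured in Azure
        set user-name "username"
        set group-name "group"
    next
end
```

If a login fails after this is in place, the usual first check is that the three IdP URLs and the claim names match Azure exactly; the SAML daemon debug (diagnose debug application samld -1, followed by diagnose debug enable) shows the assertion the FortiGate received and which attribute names it looked for.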

To assign Azure AD users and groups to the application:
  1. In Azure, go to Manage > Users and groups and click Add user/group.
  2. Click Users to select the users or groups (John Locus is selected in this example).
  3. Click Assign to add the assignment.

Configuring the FortiGate

The user group, user authentication settings, and firewall policies must be configured on the FortiGate.

Configuring the user group

A user group named Azure-FW-Auth is created with the member Azure-AD-SAML.

Configuring group matching is optional, and the Object ID from Azure is needed for the config match settings. In the Azure default directory, go to Manage > Groups and locate the Object ID for the Firewall group.

To configure the user group:
config user group
    edit "Azure-FW-Auth"
        set member "Azure-AD-SAML"
        config match
            edit 1
                set server-name "Azure-AD-SAML"
                set group-name "62b699ce-4f80-48c0-846e-c1dfde2dc667"
            next
        end
    next
end

Configuring the user authentication setting

When a user initiates traffic, the FortiGate will redirect the user to the firewall authentication captive portal before redirecting them to the SAML IdP portal. After the SAML IdP responds with the SAML assertion, the user is again redirected to the firewall authentication captive portal. If the firewall portal’s certificate is not trusted by the user, they will receive a certificate warning. Use a custom certificate that the user trusts to avoid the certificate warning.

To configure a custom certificate:
  1. Go to User & Authentication > Authentication Settings.
  2. For Certificate, select the custom certificate. The custom certificate’s SAN field should have the FQDN or IP from the SP URL.

Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the portal page. This will override any assigned server certificate. In this example, the built-in Fortinet_CA_SSL is used.

To assign a CA certificate:
  1. Edit the user setting:
    config user setting
        set auth-ca-cert "Fortinet_CA_SSL"
    end
  2. Go to System > Certificates and download the Fortinet_CA_SSL certificate.
  3. Install the certificate into the client's trusted root certificate store.
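The firewall policy named at the start of Configuring the FortiGate is what actually triggers the captive portal and enforces the group. The following is an added example and is not from the original page; the LAN interface port2 and WAN interface port1 are assumptions for this example and must be replaced with the interfaces in use.

```fortios
# Added example: policy that sends unauthenticated users to the captive portal
# and only permits members of Azure-FW-Auth. Interface names port2 (LAN) and
# port1 (WAN) are assumptions for this example.
config firewall policy
    edit 0
        set name "Internet-Azure-SAML"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Referencing a user group turns on firewall authentication for this
        # policy; only a user whose assertion carries the Firewall group
        # Object ID configured in the group's match entry is accepted.
        set groups "Azure-FW-Auth"
        set nat enable
    next
end
```

After a user has logged in through Azure, diagnose firewall auth list shows the authenticated user with the username attribute value and the matched group, which is the quickest way to confirm that the claim names and the group Object ID in the match entry are correct.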