New Features

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients

Note

This information is also available in the FortiOS 7.2 Administration Guide.

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients is now supported. This feature requires FortiClient 7.2.4, and FortiClient supports it only with IKEv2. Two-factor authentication using FortiToken push is also supported.

The FortiGate authd daemon has been enhanced to support SAML authentication and accepts local-in traffic from FortiClient on the TCP port configured in the auth-ike-saml-port setting (0 - 65535, default = 1001). Currently, this setting can only be configured in the CLI as follows:

config system global
    set auth-ike-saml-port <integer>
end

This allows the FortiGate to act as a SAML service provider (SP) for IKEv2 FortiClient remote access IPsec VPN clients by forwarding the FortiClient’s SAML request to the configured SAML identity provider (IdP) for user authentication.

The ike-saml-server setting enables a configured SAML server to listen on a FortiGate interface for SAML authentication requests from FortiClient remote access IPsec VPN clients. Currently, this setting can only be configured in the CLI as follows:

config system interface
    edit <name>
        set ike-saml-server <saml_server>
    next
end

FortiClient validates the certificate presented to it by the FortiGate during its initial SAML connection. This certificate can be configured on the FortiGate in the GUI under User & Authentication > Authentication Settings, in the Certificate field of the User Authentication Options section. To import the certificate on the FortiGate, see Import a certificate.

This certificate can also be configured in the CLI as follows:

config user setting
     set auth-cert <certificate>
end

To prevent an invalid server certificate prompt on FortiClient, the certificate's common name (CN) should match the IPsec VPN remote gateway's FQDN. If the certificate is signed by a custom Certificate Authority (CA) or one that is not well-known, the CA's certificate should be imported into the FortiClient endpoint's Trusted Root Certification Authorities store. For details on installing a CA certificate on the endpoint, see Installing certificates on the client.
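The two conditions above (name matches the gateway FQDN, issuing CA trusted) are exactly what an administrator wants to confirm before rolling the tunnel out. The following is an added pre-flight check, not code from the Fortinet page: it connects to the SAML listener on the auth-ike-saml-port, verifies the chain with OpenSSL, and then applies the name check separately so the report says which of the two conditions fails. The gateway FQDN vpn.example.com, port 2002 and the CA bundle path are assumptions.

```python
"""Diagnose why FortiClient would raise an invalid server certificate prompt.

Added example, not part of the Fortinet page. It checks the two conditions the
page calls out for the certificate served on the auth-ike-saml-port: the name
must match the IPsec VPN remote gateway FQDN, and the issuing CA must be trusted
by the endpoint. The gateway FQDN, port and CA bundle path are assumptions.
"""
import socket
import ssl
from typing import List, Optional

# OpenSSL X509 verify codes that map to the trust-store condition from the page.
_CA_TRUST_CODES = {
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "issuer certificate not in the trust store",
    21: "unable to verify the first certificate",
}


def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate name; a leading '*.' covers exactly one DNS label."""
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host


def name_matches(cert: dict, fqdn: str) -> bool:
    """Check a getpeercert()-style dict against the gateway FQDN.

    dNSName SANs are authoritative when present; the CN is consulted only for
    certificates that carry no dNSName SAN at all.
    """
    fqdn = fqdn.lower().rstrip(".")
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for kind, v in rdn if kind == "commonName"]
    return any(_name_match(n, fqdn) for n in names)


def check_saml_listener(fqdn: str, port: int, cafile: Optional[str] = None) -> List[str]:
    """Return the problems FortiClient would hit; an empty list means no prompt.

    cafile is the custom CA that must also sit in the endpoint's trusted root
    store; None uses the system store, which is right for a well-known CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # the name is checked separately below
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain is still verified by OpenSSL
    try:
        with socket.create_connection((fqdn, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        code = getattr(exc, "verify_code", None)
        return [f"chain not trusted: {_CA_TRUST_CODES.get(code, exc.verify_message)}"]
    except OSError as exc:
        return [f"cannot reach {fqdn}:{port}: {exc}"]
    problems = []
    if not name_matches(cert, fqdn):
        problems.append(f"certificate name does not match the gateway FQDN {fqdn}")
    return problems


if __name__ == "__main__":
    # Assumed values: the gateway FQDN and the auth-ike-saml-port from the example.
    for problem in check_saml_listener("vpn.example.com", 2002, cafile=None) or ["OK"]:
        print(problem)
```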

SAML authentication flow with IPsec

The SAML authentication flow when using IPsec, where the FortiGate is the service provider (SP), FortiAuthenticator, Entra ID, Okta, or another SAML IdP is the identity provider (IdP), and FortiClient acts as the web browser, is as follows:

  1. When the user clicks Connect in FortiClient to connect to the IPsec VPN gateway (the FortiGate), FortiClient first initiates a connection to the FortiGate on the auth-ike-saml-port configured on the FortiGate.

  2. The FortiGate sends a SAML authentication request inside a redirect to FortiClient. The redirect contains the URLs to reach the IdP.

  3. FortiClient follows the redirect to send the SAML authentication request to the IdP, after which the IdP login page opens.

  4. The user authenticates to the IdP using their SAML credentials configured on the IdP.

  5. The IdP sends a SAML authentication response that contains the user and group information, in the form of SAML assertions, to FortiClient.

  6. FortiClient forwards the SAML authentication response to the FortiGate.

  7. The FortiGate consumes the SAML authentication response and assertions after verifying the IdP signature against the configured IdP certificate, and provides FortiClient with a temporary token ID.

  8. FortiClient initiates the IPsec tunnel and presents the token ID for authentication. Once the token ID is verified, the IPsec tunnel is established.

Example

In this example, a FortiAuthenticator is configured as the SAML IdP. The FortiAuthenticator WAN IP address is 10.1.100.251, and it listens on port 443 for SAML-based authentication. The FortiGate is the SAML SP. Its WAN IP address is 10.1.100.1 and it listens on port 2002 for traffic from FortiClient for SAML-based authentication. The IKE authentication SAML server is configured on the wan2 interface.

This example assumes the FortiAuthenticator has already been configured as the IdP with the FortiGate as the SP. Refer to SAML IdP and Service providers in the FortiAuthenticator Administration Guide for more information. It also uses the IPsec Wizard to configure the IPsec tunnel with IKEv1 and then shows the configuration needed to convert it to IKEv2.

Similar configurations on the FortiGate and FortiClient can be used for authenticating to other Identity Providers.

To configure SAML authentication for FortiClient remote access dialup clients in the GUI:
  1. Configure the SAML authentication port in the CLI:

    config system global
        set auth-ike-saml-port 2002
    end
  2. Configure the VPN certificate that will be presented to FortiClient:

    1. Go to User & Authentication > Authentication Settings > Certificate.

    2. Select the certificate from the dropdown menu. To import the certificate on FortiGate, see Import a certificate.

  3. Configure the SAML server entry:

    1. Go to User & Authentication > Single Sign-On and click Create New. The single-sign on wizard opens.

    2. Enter the name (ipsec-saml). Modify the Address field and configure the FQDN and port that you wish to use for SAML authentication in the following format:

      Address

      <ipsec-vpn-gateway-fqdn>:<saml-authentication-port>

      The other fields (Entity ID, Assertion consumer service URL, and Single logout service URL) are populated automatically from the Address field.

      Optionally, select the certificate from the dropdown that will be used to sign SAML messages.

      Note

      The IPsec VPN gateway FQDN should be resolvable by the DNS server configured on the FortiClient endpoint.

    3. Click Next.

    4. Enter the FortiAuthenticator IdP details:

      IdP address

      10.1.100.251:443

      Prefix

      ipsec

      IdP certificate

      REMOTE_Cert_1

    5. Enter the additional SAML attributes that will be used to verify authentication attempts:

      Attribute used to identify users

      Username

      Attribute used to identify groups

      Group

      The IdP must be configured to include these attributes in the SAML attribute statement. In FortiAuthenticator, this is configured in the Assertion Attributes section.

    6. Click Submit.

  4. Configure the user group for EAP authentication (used in IKEv2):

    1. Go to User & Authentication > User Groups and click Create New.

    2. Enter the name, ipsec.

    3. In the Remote Groups table, click Add.

    4. In the Remote Server dropdown, select ipsec-saml.

    5. Set Groups to Specify and enter group1.

    6. Click OK.

  5. Configure the IKE authentication SAML server on the interface:

    config system interface
        edit "wan2"
            set ike-saml-server "ipsec-saml"
        next
    end
  6. Go to VPN > IPsec Wizard to configure the FortiClient dialup VPN using the IPsec Wizard. By default, the IPsec Wizard creates the IPsec tunnel using IKEv1.

    1. Enter the following settings for VPN Setup:

      Name

      FCT_SAML

      Template type

      Remote Access

      Remote device type

      Client-based and FortiClient

    2. Click Next.

    3. Enter the following settings for Authentication:

      Incoming Interface

      wan2

      Authentication method

      Pre-shared Key

      Pre-shared key

      Enter the pre-shared key.

      User Group

      ipsec

    4. Click Next.

    5. Enter the following settings for Policy & Routing:

      Local interface

      port1

      Local Address

      172.16.200.0

      Client Address Range

      10.10.10.1-10.10.10.10

      Subnet Mask

      255.255.255.255

      DNS Server

      Use System DNS

      Enable IPv4 Split Tunnel

      Enable

      Allow Endpoint Registration

      Enable

    6. Click Next.

    7. Enter the following settings for Client Options:

      Save Password

      Enable

    8. Click Next.

    9. Review the settings, then click Create.

  7. The IPsec Wizard configures the IPsec tunnel using IKEv1 by default. Modify the IPsec tunnel created by the IPsec Wizard to configure IKEv2 instead of IKEv1:

    1. Go to VPN > IPsec Tunnels.

    2. Select the configured IKEv1 IPsec tunnel created by the IPsec Wizard and click Edit.

    3. In the Tunnel Template configuration, select Convert to Custom Tunnel.

    4. Go to Authentication and set the IKE Version as 2.

    5. Click OK.

    6. In the CLI, configure the following settings to enable EAP in the IPsec tunnel:

      config vpn ipsec phase1-interface
          edit "FCT_SAML"
              set eap enable
              set eap-identity send-request
              set authusrgrp "ipsec"
          next
      end

      Note

      The SAML group configured, <group-name>, must be configured either in the IPsec Phase 1 setting, set authusrgrp <group-name>, or in the firewall policy, set groups <group-name>, to allow traffic to flow through the IPsec tunnel. If the SAML group is configured in both the IPsec Phase 1 and the firewall policy, traffic stops flowing through the IPsec tunnel.

  8. In FortiClient, configure the IPsec VPN connection (see Configuring an IPsec VPN connection in the FortiClient Administration Guide).

    Use the following settings on FortiClient to configure the IKEv2 IPsec VPN connection:

    Connection Name

    VPN-Tunnel

    Remote Gateway

    10.1.100.1 (or FQDN)

    Authentication Method

    Pre-shared key with Enable Single Sign On (SSO) for VPN Tunnel enabled.

    Customize port

    2002

    Advanced Settings > VPN Settings

    IKE

    Version 2

    Options

    Mode Config

To verify the connection in the GUI:
  1. On the client PC, open FortiClient and click the Remote Access tab.
  2. Select the VPN tunnel, VPN-Tunnel, and click Connect.
  3. If the connection is successful, a FortiClient pop-up will appear briefly indicating that the IKE negotiation succeeded. The Remote Access window now displays VPN Connected and the associated VPN tunnel details.
  4. In FortiOS, go to Dashboard > Network and locate the IPsec widget. Click the widget to expand to full view and view more details.

To configure SAML authentication for FortiClient remote access dialup clients in the CLI:
  1. Configure the SAML authentication port:

    config system global
        set auth-ike-saml-port 2002
    end
  2. Configure the VPN certificate that will be presented to FortiClient:

    config user setting
         set auth-cert <certificate>
    end
  3. Configure the SAML server entry:

    config user saml
        edit "ipsec-saml"
            set entity-id "http://10.1.100.1:2002/remote/saml/metadata/"
            set single-sign-on-url "https://10.1.100.1:2002/remote/saml/login"
            set single-logout-url "https://10.1.100.1:2002/remote/saml/logout"
            set idp-entity-id "http://10.1.100.251:443/saml-idp/ipsec/metadata/"
            set idp-single-sign-on-url "https://10.1.100.251:443/saml-idp/ipsec/login/"
            set idp-single-logout-url "https://10.1.100.251:443/saml-idp/ipsec/logout/"
            set idp-cert "REMOTE_Cert_1"
            set user-name "Username"
            set group-name "Groupname"
            set digest-method sha1
        next
    end
  4. Configure the user group for EAP authentication:

    config user group
        edit "ipsec"
            set member "ipsec-saml"
            config match
                edit 1
                    set server-name "ipsec-saml"
                    set group-name "group1"
                next
            end
        next
    end
  5. Configure the IKE authentication SAML server on the interface:

    config system interface
        edit "wan2"
            set ike-saml-server "ipsec-saml"
        next
    end
  6. Configure the IPsec tunnel:

    • IKEv2 Phase 1 configuration:

      config vpn ipsec phase1-interface
          edit "FCT_SAML"
              set type dynamic
              set interface "wan2"
              set ike-version 2
              set peertype any
              set net-device disable
              set mode-cfg enable
              set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
              set comments "VPN: FCT_SAML (Created by VPN wizard)"
              set eap enable
              set eap-identity send-request
              set authusrgrp "ipsec"
              set ipv4-start-ip 10.10.10.1
              set ipv4-end-ip 10.10.10.10
              set dns-mode auto
              set ipv4-split-include "FCT_SAML_split"
              set save-password enable
              set psksecret **********
          next
      end
    • IKEv2 Phase 2 configuration:

      config vpn ipsec phase2-interface
          edit "FCT_SAML"
              set phase1name "FCT_SAML"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
  7. In FortiClient, configure the IPsec VPN connection (see Configuring an IPsec VPN connection in the FortiClient Administration Guide).

    Use the following settings on FortiClient to configure the IKEv2 IPsec VPN connection:

    Connection Name

    VPN-Tunnel

    Remote Gateway

    10.1.100.1 (or FQDN)

    Authentication Method

    Pre-shared key with Enable Single Sign On (SSO) for VPN Tunnel enabled.

    Customize port

    2002

    Advanced Settings > VPN Settings

    IKE

    Version 2

    Options

    Mode Config

To verify the connection diagnostics in the CLI:
  1. Verify the IKE gateway list:
    # diagnose vpn ike gateway list
    vd: root/0
    name: FCT_SAML_0
    version: 2
    interface: wan2 18
    addr: 10.1.100.1:500 -> 10.1.100.253:500
    tun_id: 10.10.10.1/::10.0.0.2
    remote_location: 0.0.0.0
    virtual-interface-addr: 169.254.2.1 -> 0.0.0.0
    created: 263s ago
    eap-user: user2
    2FA: no
    groups:
      group1 5
    assigned IPv4 address: 10.10.10.1/255.255.255.255
    IKE SA: created 1/1  established 1/1  time 110/110/110 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
      id/spi: 0 5a11dfc206db47b3/3628cff5dddb6da2
      direction: responder
      status: established 263-262s ago = 110ms
      proposal: aes256-sha256
      key: ab120e7020f6480e-1c03148a8544b83e-99b9395cdf34faf5-fa618309979be251
      lifetime/rekey: 86400/85867
      DPD sent/recv: 00000000/00000a76
  2. Verify the authd daemon debug output:
    # diagnose debug application authd -1
    ...
    [authd_http_on_method_post:5151]: src 10.1.100.253 flag 00008000
    [authd_local_saml_auth:5602]: SAML login with UID '48B5CB6355D24C8C9BA77807F6FD9AF1'.
    [authd_http_prepare_javascript_redir:3852]: https://10.1.100.1:2002/saml?0704048f9683e491
    ...
  3. Verify the samld daemon debug output:
    # diagnose debug application samld -1
    ...
    samld_send_common_reply [122]:     Attr: 17, 27, magic=0704048f9683e491
    samld_send_common_reply [122]:     Attr: 18, 25, 2022-03-30T00:03:07Z
    samld_send_common_reply [118]:     Attr: 10, 19, 'Username' 'user2'
    samld_send_common_reply [118]:     Attr: 10, 21, 'Groupname' 'group1'
    ...
  4. Verify the fnbamd daemon debug output:
    # diagnose debug application fnbamd -1
    ...
    [2426] handle_req-Rcvd auth cache message
    [133] __saml_auth_cache_push-Auth cache created, user='48B5CB6355D24C8C9BA77807F6FD9AF1', SAML_server='ipsec-saml', vfid=0
    [140] __saml_auth_cache_push-Hash bucket 227
    [182] __saml_auth_cache_push-New auth cache entry is created, user='48B5CB6355D24C8C9BA77807F6FD9AF1', expires=1648598587, SAML_server='ipsec-saml', vfid=0
    [1918] handle_req-Rcvd auth req 994781475 for 48B5CB6355D24C8C9BA77807F6FD9AF1 in ipsec opt=00000000 prot=5
    [466] __compose_group_list_from_req-Group 'ipsec', type 1
    [971] fnbamd_saml_auth_cache_lookup-Authneticating '48B5CB6355D24C8C9BA77807F6FD9AF1'.
    [1005] fnbamd_saml_auth_cache_lookup-Authentication passed.
    ...
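The gateway listing above is what an operator checks to confirm a session came in the intended way: IKEv2, an EAP identity learned from the SAML assertion, and membership in the SAML group. The following is an added example, not code from the Fortinet page: it parses that listing format and flags any dialup session that does not match the design. The first sample entry is adapted from the output above; the second (LEGACY_DIALUP_0) is constructed to show what gets flagged, and the "2FA: no" reading is an assumption about how the listing prints that field.

```python
"""Audit FortiOS 'diagnose vpn ike gateway list' output for SAML dialup sessions.

Added example, not part of the Fortinet page. It parses the gateway listing
shown in the verification steps and flags sessions that do not match the SAML
design: IKEv2, an EAP user learned from the SAML assertion, and membership in
the expected SAML group. The second sample entry is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample output. The first entry is adapted from the page's example;
# the second is a made-up IKEv1 PSK-only session of the kind the audit should flag.
SAMPLE_OUTPUT = """\
vd: root/0
name: FCT_SAML_0
version: 2
interface: wan2 18
addr: 10.1.100.1:500 -> 10.1.100.253:500
created: 263s ago
eap-user: user2
2FA: no
groups:
  group1 5
assigned IPv4 address: 10.10.10.1/255.255.255.255
IKE SA: created 1/1  established 1/1  time 110/110/110 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
  id/spi: 0 5a11dfc206db47b3/3628cff5dddb6da2
  direction: responder
  proposal: aes256-sha256

vd: root/0
name: LEGACY_DIALUP_0
version: 1
interface: wan2 18
addr: 10.1.100.1:500 -> 10.1.100.77:500
created: 40s ago
2FA: no
assigned IPv4 address: 10.10.10.2/255.255.255.255
IKE SA: created 1/1  established 1/1  time 90/90/90 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
"""


@dataclass
class IkeGateway:
    name: str
    version: int
    remote: str
    eap_user: Optional[str]
    two_fa: bool
    groups: List[str] = field(default_factory=list)
    assigned_ip: Optional[str] = None


def parse_ike_gateways(text: str) -> List[IkeGateway]:
    """Split the listing into per-gateway blocks and pull out the audited fields."""
    gateways = []
    for block in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        groups: List[str] = []
        current = None
        for line in block.splitlines():
            if line.startswith("  "):
                # Indented lines belong to the preceding top-level key; only the
                # 'groups:' list is needed here ("  group1 5" is name, then a count).
                if current == "groups":
                    groups.append(line.split()[0])
                continue
            key, sep, value = line.partition(": ")
            if not sep:  # a bare "groups:" header line
                key, value = line.rstrip(":"), ""
            current = key
            fields[key] = value.strip()
        gateways.append(IkeGateway(
            name=fields.get("name", "?"),
            version=int(fields.get("version", "0")),
            remote=fields.get("addr", "").split("->")[-1].strip(),
            eap_user=fields.get("eap-user") or None,
            # Assumption: the listing prints "no" when no second factor was used.
            two_fa=fields.get("2FA", "no").lower() != "no",
            groups=groups,
            assigned_ip=fields.get("assigned IPv4 address") or None,
        ))
    return gateways


def audit_saml_sessions(gateways: List[IkeGateway], expected_group: str,
                        require_2fa: bool = False) -> Dict[str, List[str]]:
    """Return findings per gateway; an empty list means the session matches the design."""
    report: Dict[str, List[str]] = {}
    for gw in gateways:
        findings = []
        if gw.version != 2:
            findings.append(f"IKEv{gw.version} in use; SAML authentication requires IKEv2")
        if gw.eap_user is None:
            findings.append("no eap-user: the peer did not authenticate through SAML/EAP")
        if expected_group not in gw.groups:
            findings.append(f"user is not in the expected SAML group '{expected_group}'")
        if require_2fa and not gw.two_fa:
            findings.append("second factor (FortiToken push) was not used")
        report[gw.name] = findings
    return report


if __name__ == "__main__":
    for name, found in audit_saml_sessions(parse_ike_gateways(SAMPLE_OUTPUT), "group1").items():
        print(name, "OK" if not found else "; ".join(found))
```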