Fortinet white logo
Fortinet white logo

New Features

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients

Note

This information is also available in the FortiOS 7.2 Administration Guide:

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients is now supported. This feature requires FortiClient 7.2.4 and FortiClient supports only using IKEv2. Two factor authentication using FortiToken push is also supported.

The FortiGate authd daemon has been enhanced to support SAML authentication and accepts local-in traffic from the FortiClient by the TCP port number configured in the auth-ike-saml-port setting (0 - 65535, default = 1001). Currently, this setting can only be configured in the CLI as follows:

config system global
    set auth-ike-saml-port <integer>
end

This allows the FortiGate to act as a SAML service provider (SP) for IKEv2 FortiClient remote access IPsec VPN clients by forwarding the FortiClient’s SAML request to the configured SAML identity provider (IdP) for user authentication.

The ike-saml-server setting enables a configured SAML server to listen on a FortiGate interface for SAML authentication requests from FortiClient remote access IPsec VPN clients. Currently, this setting can only be configured in the CLI as follows:

config system interface
    edit <name>
        set ike-saml-server <saml_server>
    next
end

FortiClient will validate the certificate presented to it by FortiGate during its initial SAML connection. This certificate can be configured on the FortiGate from the GUI under User & Authentication > Authentication Settings > Certificate under User Authentication Options. To import the certificate on the FortiGate, see Import a certificate.

This certificate can also be configured in the CLI as follows:

config user setting
     set auth-cert <certificate>
end

To prevent an invalid server certificate prompt on FortiClient, the certificate’s common name (CN) should match the IPsec VPN remote gateway’s FQDN. If the certificate is signed by a custom Certificate Authority or one that is not well-known, the Certificate Authority’s (CA) certificate should be imported in FortiClient endpoint’s Trusted Root Certificate Authority store. For details on installing a CA certificate on the endpoint, see Installing certificates on the client.

SAML authentication flow with IPsec

The SAML Authentication flow when using IPsec where FortiGate is the Service Provider (SP), FortiAuthenticator, Entra ID, Okta, or another SAML IdP is the Identity Provider (IdP) and FortiClient is the web-browser as follows:

  1. When the FortiClient user clicks on Connect on FortiClient to connect to IPsec VPN Gateway (i.e. FortiGate), FortiClient first initiates a connection to FortiGate on the auth-ike-saml-port configured on FortiGate.

  2. The FortiGate sends a SAML Authentication Requests inside a redirect to FortiClient. The redirect consists of URLs to reach the IdP.

  3. FortiClient uses these redirects to send SAML Authentication Request to the IdP after which the login page on the IdP opens up.

  4. The user authenticates to the IdP using their SAML credentials configured on the IdP.

  5. The IdP sends a SAML Authentication Response that contains the user and group information in form of SAML Assertions to FortiClient.

  6. FortiClient sends a SAML Authentication Response to FortiGate.

  7. The FortiGate consumes the SAML Authentication Response and SAML Assertions after verifying the IdP using its IdP’s certificate and provides FortiClient with a temporary token ID.

  8. FortiClient initiates IPsec tunnel and presents the token ID for authentication. Upon successful verification of token ID, IPsec tunnel establishes.

Example

In this example, a FortiAuthenticator is configured as the SAML IdP. The FortiAuthenticator WAN IP address is 10.1.100.251, and it listens on port 443 for SAML-based authentication. The FortiGate is the SAML SP. Its WAN IP address is 10.1.100.1 and it listens on port 2002 for traffic from FortiClient for SAML-based authentication. The IKE authentication SAML server is configured on the wan2 interface.

This example assumes the FortiAuthenticator has already been configured as the IdP with the FortiGate as the SP. Refer to SAML IdP and Service providers in the FortiAuthenticator Administration Guide for more information. It also uses the IPsec Wizard to configure the IPsec tunnel with IKEv1 and shows the important configuration needed to then configure IKEv2.

Similar configurations on the FortiGate and FortiClient can be used for authenticating to other Identity Providers.

To configure SAML authentication for FortiClient remote access dialup clients in the GUI:
  1. Configure the SAML authentication port in the CLI:

    config system global
        set auth-ike-saml-port 2002
    end
  2. Configure the VPN certificate that will be presented to FortiClient:

    1. Go to User & Authentication > Authentication Settings > Certificate.

    2. Select the certificate from the dropdown menu. To import the certificate on FortiGate, see Import a certificate.

  3. Configure the SAML server entry:

    1. Go to User & Authentication > Single Sign-On and click Create New. The single-sign on wizard opens.

    2. Enter the name (ipsec-saml). Modify the Address field and configure the FQDN and port that you wish to use for SAML authentication in the following format:

      Address

      <ipsec-vpn-gateway-fqdn>:<saml-authentication-port>

      The other fields Entity ID, Assertion consumer service URL, Single logout service URL will automatically populate based on the Address field configured.

      Optionally, select the Certificate from drop down that will be used to sign SAML messages.

      Note

      The IPsec VPN gateway FQDN should be resolvable by the DNS server configured on the FortiClient endpoint.

    3. Click Next.

    4. Enter the FortiAuthenticator IdP details:

      IdP address

      10.1.100.251:443

      Prefix

      ipsec

      IdP certificate

      REMOTE_Cert_1

    5. Enter the additional SAML attributes that will be used to verify authentication attempts:

      Attribute used to identify users

      Username

      Attribute used to identify groups

      Group

      The IdP must be configured to include these attributes in the SAML attribute statement. In FortiAuthenticator, this is configured in the Assertion Attributes section.

    6. Click Submit.

  4. Configure the user group for EAP authentication (used in IKEv2):

    1. Go to User & Authentication > User Groups and click Create New.

    2. Enter the name, ipsec.

    3. In the Remote Groups table, click Add.

    4. In the Remote Server dropdown, select ipsec-saml.

    5. Set Groups to Specify and enter group1.

    6. Click OK.

  5. Configure the IKE authentication SAML server on the interface:

    config system interface
        edit "wan2"
            set ike-saml-server "ipsec-saml"
        next
    end
  6. Go to VPN > IPsec Wizard to configure the FortiClient dialup VPN using the IPsec Wizard. The IPsec Wizard will by default create IPsec tunnel using IKEv1.

    1. Enter the following settings for VPN Setup:

      Name

      FCT_SAML

      Template type

      Remote Access

      Remote device type

      Client-based and FortiClient

    2. Click Next.

    3. Enter the following settings for Authentication:

      Incoming Interface

      wan2

      Authentication method

      Pre-shared Key

      Pre-shared key

      Enter the pre-shared key.

      User Group

      ipsec

    4. Click Next.

    5. Enter the following settings for Policy & Routing:

      Local interface

      port1

      Local Address

      172.16.200.0

      Client Address Range

      10.10.10.1-10.10.10.10

      Subnet Mask

      255.255.255.255

      DNS Server

      Use System DNS

      Enable IPv4 Split Tunnel

      Enable

      Allow Endpoint Registration

      Enable

    6. Click Next.

    7. Enter the following settings for Client Options:

      Save Password

      Enable

    8. Click Next.

    9. Review the settings, then click Create.

  7. The IPsec Wizard configures the IPsec tunnel using IKEv1 by default. Modify the IPsec tunnel created by the IPsec Wizard to configure IKEv2 instead of IKEv1:

    1. Go to VPN > IPSec tunnels.

    2. Select the configured IKEv1 IPsec tunnel created by the IPsec Wizard and click Edit.

    3. In the Tunnel Template configuration, select Convert to Custom Tunnel.

    4. Go to Authentication and set the IKE Version as 2.

    5. Click OK.

    6. In the CLI, configure the following setting to enable EAP in the IPsec tunnel:

      config vpn ipsec phase1-interface
          edit “FCT SAML”
              set eap enable
              set eap-identity send-request
              set authusrgrp "ipsec"
          next
      end
      Note

      The SAML group configured, <group-name>, must be either configured inside the IPsec Phase 1 setting, set authusrgrp <group-name>, or in the firewall policy, set groups <group-name>, to allow the traffic to flow through the IPsec tunnel. If the SAML group is configured in both IPsec Phase 1 and firewall policy, the traffic stops to flow through the IPsec tunnel.

  8. In FortiClient, configure the IPsec VPN connection (see Configuring an IPsec VPN connection in the FortiClient Administration Guide).

    Use the following settings on FortiClient to configure IKEv2 IPsec VPN connection:

    Connection Name

    VPN-Tunnel

    Remote Gateway

    10.1.100.1 (or FQDN)

    Authentication Method

    Pre-shared key with Enable Single Sign On (SSO) for VPN Tunnel enabled.

    Customize port

    2002

    Advanced Settings > VPN Settings

    IKE

    Version 2

    Options

    Mode Config

To verify the connection in the GUI:
  1. On the client PC, open FortiClient and click the Remote Access tab.
  2. Select the VPN tunnel, VPN-Tunnel, and click Connect.
  3. If the connection is successful, a FortiClient pop-up will appear briefly indicating that the IKE negotiation succeeded. The Remote Access window now displays VPN Connected and the associated VPN tunnel details.
  4. In FortiOS, go to Dashboard > Network and locate the IPsec widget. Click the widget to expand to full view and view more details.
To configure SAML authentication for FortiClient remote access dialup clients in the CLI:
  1. Configure the SAML authentication port:

    config system global
        set auth-ike-saml-port 2002
    end
  2. Configure the VPN certificate that will be presented to FortiClient:

    config user setting
         set auth-cert <certificate>
    end
  3. Configure the SAML server entry:

    config user saml
        edit "ipsec-saml"
            set entity-id "http://10.1.100.1:2002/remote/saml/metadata/"
            set single-sign-on-url "https://10.1.100.1:2002/remote/saml/login"
            set single-logout-url "https://10.1.100.1:2002/remote/saml/logout"
            set idp-entity-id "http://10.1.100.251:443/saml-idp/ipsec/metadata/"
            set idp-single-sign-on-url "https://10.1.100.251:443/saml-idp/ipsec/login/"
            set idp-single-logout-url "https://10.1.100.251:443/saml-idp/ipsec/logout/"
            set idp-cert "REMOTE_Cert_1"
            set user-name "Username"
            set group-name "Groupname"
            set digest-method sha1
        next
    end
  4. Configure the user group for EAP authentication:

    config user group
        edit "ipsec"
            set member "ipsec-saml"
            config match
                edit 1
                    set server-name "ipsec-saml"
                    set group-name "group1"
                next
            end
        next
    endd
  5. Configure the IKE authentication SAML server on the interface:

    config system interface
        edit "wan2"
            set ike-saml-server "ipsec-saml"
        next
    end
  6. Configure the IPsec tunnel:

    • IKEv2 Phase 1 configuration:

      config vpn ipsec phase1-interface
          edit "FCT SAML"
              set type dynamic
              set interface "wan2"
              set ike-version 2
              set peertype any
              set net-device disable
              set mode-cfg enable
              set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
              set comments "VPN: FCT SAML (Created by VPN wizard)"
              set eap enable
              set eap-identity send-request
              set authusrgrp "ipsec"
              set ipv4-start-ip 10.10.10.1
              set ipv4-end-ip 10.10.10.10
              set dns-mode auto
              set ipv4-split-include "FCT SAML_split"
              set save-password enable
              set psksecret **********
          next
      end
    • IKEv2 Phase 2 configuration:

      config vpn ipsec phase2-interface
          edit "FCT_SAML"
              set phase1name "FCT_SAML"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
  7. In FortiClient, configure the IPsec VPN connection (see Configuring an IPsec VPN connection in the FortiClient Administration Guide).

    Use the following settings on FortiClient to configure IKEv2 IPsec VPN connection:

    Connection Name

    VPN-Tunnel

    Remote Gateway

    10.1.100.1 (or FQDN)

    Authentication Method

    Pre-shared key with Enable Single Sign On (SSO) for VPN Tunnel enabled.

    Customize port

    2002

    Advanced Settings > VPN Settings

    IKE

    Version 2

    Options

    Mode Config

To verify the connection diagnostics in the CLI:
  1. Verify the IKE gateway list:
    # diagnose vpn ike gateway list
    vd: root/0
    name: FCT_SAML_0
    version: 2
    interface: wan2 18
    addr: 10.1.100.1:500 -> 10.1.100.253:500
    tun_id: 10.10.10.1/::10.0.0.2
    remote_location: 0.0.0.0
    virtual-interface-addr: 169.254.2.1 -> 0.0.0.0
    created: 263s ago
    eap-user: user2
    2FA: no
    groups:
      group1 5
    assigned IPv4 address: 10.10.10.1/255.255.255.255
    IKE SA: created 1/1  established 1/1  time 110/110/110 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
      id/spi: 0 5a11dfc206db47b3/3628cff5dddb6da2
      direction: responder
      status: established 263-262s ago = 110ms
      proposal: aes256-sha256
      key: ab120e7020f6480e-1c03148a8544b83e-99b9395cdf34faf5-fa618309979be251
      lifetime/rekey: 86400/85867
      DPD sent/recv: 00000000/00000a76
  2. Verify the authd daemon debug output:
    # diagnose debug application authd -1
    ...
    [authd_http_on_method_post:5151]: src 10.1.100.253 flag 00008000
    [authd_local_saml_auth:5602]: SAML login with UID '48B5CB6355D24C8C9BA77807F6FD9AF1'.
    [authd_http_prepare_javascript_redir:3852]: https://10.1.100.1:2002/saml?0704048f9683e491
    ...
  3. Verify the samld daemon debug output:
    # diagnose debug application samld -1
    ...
    samld_send_common_reply [122]:     Attr: 17, 27, magic=0704048f9683e491
    samld_send_common_reply [122]:     Attr: 18, 25, 2022-03-30T00:03:07Z
    samld_send_common_reply [118]:     Attr: 10, 19, 'Username' 'user2'
    samld_send_common_reply [118]:     Attr: 10, 21, 'Groupname' 'group1'
    ...
  4. Verify the fnbamd daemon debug output:
    # diagnose debug application fnbamd -1
    ...
    [2426] handle_req-Rcvd auth cache message
    [133] __saml_auth_cache_push-Auth cache created, user='48B5CB6355D24C8C9BA77807F6FD9AF1', SAML_server='ipsec-saml', vfid=0
    [140] __saml_auth_cache_push-Hash bucket 227
    [182] __saml_auth_cache_push-New auth cache entry is created, user='48B5CB6355D24C8C9BA77807F6FD9AF1', expires=1648598587, SAML_server='ipsec-saml', vfid=0
    [1918] handle_req-Rcvd auth req 994781475 for 48B5CB6355D24C8C9BA77807F6FD9AF1 in ipsec opt=00000000 prot=5
    [466] __compose_group_list_from_req-Group 'ipsec', type 1
    [971] fnbamd_saml_auth_cache_lookup-Authneticating '48B5CB6355D24C8C9BA77807F6FD9AF1'.
    [1005] fnbamd_saml_auth_cache_lookup-Authentication passed.
    ...

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients

Note

This information is also available in the FortiOS 7.2 Administration Guide:

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients is now supported. This feature requires FortiClient 7.2.4 and FortiClient supports only using IKEv2. Two factor authentication using FortiToken push is also supported.

The FortiGate authd daemon has been enhanced to support SAML authentication and accepts local-in traffic from the FortiClient by the TCP port number configured in the auth-ike-saml-port setting (0 - 65535, default = 1001). Currently, this setting can only be configured in the CLI as follows:

config system global
    set auth-ike-saml-port <integer>
end

This allows the FortiGate to act as a SAML service provider (SP) for IKEv2 FortiClient remote access IPsec VPN clients by forwarding the FortiClient’s SAML request to the configured SAML identity provider (IdP) for user authentication.

The ike-saml-server setting enables a configured SAML server to listen on a FortiGate interface for SAML authentication requests from FortiClient remote access IPsec VPN clients. Currently, this setting can only be configured in the CLI as follows:

config system interface
    edit <name>
        set ike-saml-server <saml_server>
    next
end

FortiClient will validate the certificate presented to it by FortiGate during its initial SAML connection. This certificate can be configured on the FortiGate from the GUI under User & Authentication > Authentication Settings > Certificate under User Authentication Options. To import the certificate on the FortiGate, see Import a certificate.

This certificate can also be configured in the CLI as follows:

config user setting
     set auth-cert <certificate>
end

To prevent an invalid server certificate prompt on FortiClient, the certificate’s common name (CN) should match the IPsec VPN remote gateway’s FQDN. If the certificate is signed by a custom Certificate Authority or one that is not well-known, the Certificate Authority’s (CA) certificate should be imported in FortiClient endpoint’s Trusted Root Certificate Authority store. For details on installing a CA certificate on the endpoint, see Installing certificates on the client.

SAML authentication flow with IPsec

The SAML Authentication flow when using IPsec where FortiGate is the Service Provider (SP), FortiAuthenticator, Entra ID, Okta, or another SAML IdP is the Identity Provider (IdP) and FortiClient is the web-browser as follows:

  1. When the FortiClient user clicks on Connect on FortiClient to connect to IPsec VPN Gateway (i.e. FortiGate), FortiClient first initiates a connection to FortiGate on the auth-ike-saml-port configured on FortiGate.

  2. The FortiGate sends a SAML Authentication Requests inside a redirect to FortiClient. The redirect consists of URLs to reach the IdP.

  3. FortiClient uses these redirects to send SAML Authentication Request to the IdP after which the login page on the IdP opens up.

  4. The user authenticates to the IdP using their SAML credentials configured on the IdP.

  5. The IdP sends a SAML Authentication Response that contains the user and group information in form of SAML Assertions to FortiClient.

  6. FortiClient sends a SAML Authentication Response to FortiGate.

  7. The FortiGate consumes the SAML Authentication Response and SAML Assertions after verifying the IdP using its IdP’s certificate and provides FortiClient with a temporary token ID.

  8. FortiClient initiates IPsec tunnel and presents the token ID for authentication. Upon successful verification of token ID, IPsec tunnel establishes.

Example

In this example, a FortiAuthenticator is configured as the SAML IdP. The FortiAuthenticator WAN IP address is 10.1.100.251, and it listens on port 443 for SAML-based authentication. The FortiGate is the SAML SP. Its WAN IP address is 10.1.100.1 and it listens on port 2002 for traffic from FortiClient for SAML-based authentication. The IKE authentication SAML server is configured on the wan2 interface.

This example assumes the FortiAuthenticator has already been configured as the IdP with the FortiGate as the SP. Refer to SAML IdP and Service providers in the FortiAuthenticator Administration Guide for more information. It also uses the IPsec Wizard to configure the IPsec tunnel with IKEv1 and shows the important configuration needed to then configure IKEv2.

Similar configurations on the FortiGate and FortiClient can be used for authenticating to other Identity Providers.

To configure SAML authentication for FortiClient remote access dialup clients in the GUI:
  1. Configure the SAML authentication port in the CLI:

    config system global
        set auth-ike-saml-port 2002
    end
  2. Configure the VPN certificate that will be presented to FortiClient:

    1. Go to User & Authentication > Authentication Settings > Certificate.

    2. Select the certificate from the dropdown menu. To import the certificate on FortiGate, see Import a certificate.

  3. Configure the SAML server entry:

    1. Go to User & Authentication > Single Sign-On and click Create New. The single-sign on wizard opens.

    2. Enter the name (ipsec-saml). Modify the Address field and configure the FQDN and port that you wish to use for SAML authentication in the following format:

      Address

      <ipsec-vpn-gateway-fqdn>:<saml-authentication-port>

      The other fields Entity ID, Assertion consumer service URL, Single logout service URL will automatically populate based on the Address field configured.

      Optionally, select the Certificate from drop down that will be used to sign SAML messages.

      Note

      The IPsec VPN gateway FQDN should be resolvable by the DNS server configured on the FortiClient endpoint.

    3. Click Next.

    4. Enter the FortiAuthenticator IdP details:

      IdP address

      10.1.100.251:443

      Prefix

      ipsec

      IdP certificate

      REMOTE_Cert_1

    5. Enter the additional SAML attributes that will be used to verify authentication attempts:

      Attribute used to identify users

      Username

      Attribute used to identify groups

      Group

      The IdP must be configured to include these attributes in the SAML attribute statement. In FortiAuthenticator, this is configured in the Assertion Attributes section.

    6. Click Submit.

  4. Configure the user group for EAP authentication (used in IKEv2):

    1. Go to User & Authentication > User Groups and click Create New.

    2. Enter the name, ipsec.

    3. In the Remote Groups table, click Add.

    4. In the Remote Server dropdown, select ipsec-saml.

    5. Set Groups to Specify and enter group1.

    6. Click OK.

  5. Configure the IKE authentication SAML server on the interface:

    config system interface
        edit "wan2"
            set ike-saml-server "ipsec-saml"
        next
    end
  6. Go to VPN > IPsec Wizard to configure the FortiClient dialup VPN using the IPsec Wizard. The IPsec Wizard will by default create IPsec tunnel using IKEv1.

    1. Enter the following settings for VPN Setup:

      Name

      FCT_SAML

      Template type

      Remote Access

      Remote device type

      Client-based and FortiClient

    2. Click Next.

    3. Enter the following settings for Authentication:

      Incoming Interface

      wan2

      Authentication method

      Pre-shared Key

      Pre-shared key

      Enter the pre-shared key.

      User Group

      ipsec

    4. Click Next.

    5. Enter the following settings for Policy & Routing:

      Local interface

      port1

      Local Address

      172.16.200.0

      Client Address Range

      10.10.10.1-10.10.10.10

      Subnet Mask

      255.255.255.255

      DNS Server

      Use System DNS

      Enable IPv4 Split Tunnel

      Enable

      Allow Endpoint Registration

      Enable

    6. Click Next.

    7. Enter the following settings for Client Options:

      Save Password

      Enable

    8. Click Next.

    9. Review the settings, then click Create.

  7. The IPsec Wizard configures the IPsec tunnel using IKEv1 by default. Modify the IPsec tunnel created by the IPsec Wizard to configure IKEv2 instead of IKEv1:

    1. Go to VPN > IPSec tunnels.

    2. Select the configured IKEv1 IPsec tunnel created by the IPsec Wizard and click Edit.

    3. In the Tunnel Template configuration, select Convert to Custom Tunnel.

    4. Go to Authentication and set the IKE Version as 2.

    5. Click OK.

    6. In the CLI, configure the following setting to enable EAP in the IPsec tunnel:

      config vpn ipsec phase1-interface
          edit “FCT SAML”
              set eap enable
              set eap-identity send-request
              set authusrgrp "ipsec"
          next
      end
      Note

      The SAML group configured, <group-name>, must be either configured inside the IPsec Phase 1 setting, set authusrgrp <group-name>, or in the firewall policy, set groups <group-name>, to allow the traffic to flow through the IPsec tunnel. If the SAML group is configured in both IPsec Phase 1 and firewall policy, the traffic stops to flow through the IPsec tunnel.

  8. In FortiClient, configure the IPsec VPN connection (see Configuring an IPsec VPN connection in the FortiClient Administration Guide).

    Use the following settings on FortiClient to configure IKEv2 IPsec VPN connection:

    Connection Name

    VPN-Tunnel

    Remote Gateway

    10.1.100.1 (or FQDN)

    Authentication Method

    Pre-shared key with Enable Single Sign On (SSO) for VPN Tunnel enabled.

    Customize port

    2002

    Advanced Settings > VPN Settings

    IKE

    Version 2

    Options

    Mode Config

To verify the connection in the GUI:
  1. On the client PC, open FortiClient and click the Remote Access tab.
  2. Select the VPN tunnel, VPN-Tunnel, and click Connect.
  3. If the connection is successful, a FortiClient pop-up will appear briefly indicating that the IKE negotiation succeeded. The Remote Access window now displays VPN Connected and the associated VPN tunnel details.
  4. In FortiOS, go to Dashboard > Network and locate the IPsec widget. Click the widget to expand to full view and view more details.
To configure SAML authentication for FortiClient remote access dialup clients in the CLI:
  1. Configure the SAML authentication port:

    config system global
        set auth-ike-saml-port 2002
    end
  2. Configure the VPN certificate that will be presented to FortiClient:

    config user setting
         set auth-cert <certificate>
    end
  3. Configure the SAML server entry:

    config user saml
        edit "ipsec-saml"
            set entity-id "http://10.1.100.1:2002/remote/saml/metadata/"
            set single-sign-on-url "https://10.1.100.1:2002/remote/saml/login"
            set single-logout-url "https://10.1.100.1:2002/remote/saml/logout"
            set idp-entity-id "http://10.1.100.251:443/saml-idp/ipsec/metadata/"
            set idp-single-sign-on-url "https://10.1.100.251:443/saml-idp/ipsec/login/"
            set idp-single-logout-url "https://10.1.100.251:443/saml-idp/ipsec/logout/"
            set idp-cert "REMOTE_Cert_1"
            set user-name "Username"
            set group-name "Groupname"
            set digest-method sha1
        next
    end
  4. Configure the user group for EAP authentication:

    config user group
        edit "ipsec"
            set member "ipsec-saml"
            config match
                edit 1
                    set server-name "ipsec-saml"
                    set group-name "group1"
                next
            end
        next
    endd
  5. Configure the IKE authentication SAML server on the interface:

    config system interface
        edit "wan2"
            set ike-saml-server "ipsec-saml"
        next
    end
  6. Configure the IPsec tunnel:

    • IKEv2 Phase 1 configuration:

      config vpn ipsec phase1-interface
          edit "FCT SAML"
              set type dynamic
              set interface "wan2"
              set ike-version 2
              set peertype any
              set net-device disable
              set mode-cfg enable
              set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
              set comments "VPN: FCT SAML (Created by VPN wizard)"
              set eap enable
              set eap-identity send-request
              set authusrgrp "ipsec"
              set ipv4-start-ip 10.10.10.1
              set ipv4-end-ip 10.10.10.10
              set dns-mode auto
              set ipv4-split-include "FCT SAML_split"
              set save-password enable
              set psksecret **********
          next
      end
    • IKEv2 Phase 2 configuration:

      config vpn ipsec phase2-interface
          edit "FCT_SAML"
              set phase1name "FCT_SAML"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
  7. In FortiClient, configure the IPsec VPN connection (see Configuring an IPsec VPN connection in the FortiClient Administration Guide).

    Use the following settings on FortiClient to configure IKEv2 IPsec VPN connection:

    Connection Name

    VPN-Tunnel

    Remote Gateway

    10.1.100.1 (or FQDN)

    Authentication Method

    Pre-shared key with Enable Single Sign On (SSO) for VPN Tunnel enabled.

    Customize port

    2002

    Advanced Settings > VPN Settings

    IKE

    Version 2

    Options

    Mode Config

To verify the connection diagnostics in the CLI:
  1. Verify the IKE gateway list:
    # diagnose vpn ike gateway list
    vd: root/0
    name: FCT_SAML_0
    version: 2
    interface: wan2 18
    addr: 10.1.100.1:500 -> 10.1.100.253:500
    tun_id: 10.10.10.1/::10.0.0.2
    remote_location: 0.0.0.0
    virtual-interface-addr: 169.254.2.1 -> 0.0.0.0
    created: 263s ago
    eap-user: user2
    2FA: no
    groups:
      group1 5
    assigned IPv4 address: 10.10.10.1/255.255.255.255
    IKE SA: created 1/1  established 1/1  time 110/110/110 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
      id/spi: 0 5a11dfc206db47b3/3628cff5dddb6da2
      direction: responder
      status: established 263-262s ago = 110ms
      proposal: aes256-sha256
      key: ab120e7020f6480e-1c03148a8544b83e-99b9395cdf34faf5-fa618309979be251
      lifetime/rekey: 86400/85867
      DPD sent/recv: 00000000/00000a76
  2. Verify the authd daemon debug output:
    # diagnose debug application authd -1
    ...
    [authd_http_on_method_post:5151]: src 10.1.100.253 flag 00008000
    [authd_local_saml_auth:5602]: SAML login with UID '48B5CB6355D24C8C9BA77807F6FD9AF1'.
    [authd_http_prepare_javascript_redir:3852]: https://10.1.100.1:2002/saml?0704048f9683e491
    ...
  3. Verify the samld daemon debug output:
    # diagnose debug application samld -1
    ...
    samld_send_common_reply [122]:     Attr: 17, 27, magic=0704048f9683e491
    samld_send_common_reply [122]:     Attr: 18, 25, 2022-03-30T00:03:07Z
    samld_send_common_reply [118]:     Attr: 10, 19, 'Username' 'user2'
    samld_send_common_reply [118]:     Attr: 10, 21, 'Groupname' 'group1'
    ...
  4. Verify the fnbamd daemon debug output:
    # diagnose debug application fnbamd -1
    ...
    [2426] handle_req-Rcvd auth cache message
    [133] __saml_auth_cache_push-Auth cache created, user='48B5CB6355D24C8C9BA77807F6FD9AF1', SAML_server='ipsec-saml', vfid=0
    [140] __saml_auth_cache_push-Hash bucket 227
    [182] __saml_auth_cache_push-New auth cache entry is created, user='48B5CB6355D24C8C9BA77807F6FD9AF1', expires=1648598587, SAML_server='ipsec-saml', vfid=0
    [1918] handle_req-Rcvd auth req 994781475 for 48B5CB6355D24C8C9BA77807F6FD9AF1 in ipsec opt=00000000 prot=5
    [466] __compose_group_list_from_req-Group 'ipsec', type 1
    [971] fnbamd_saml_auth_cache_lookup-Authneticating '48B5CB6355D24C8C9BA77807F6FD9AF1'.
    [1005] fnbamd_saml_auth_cache_lookup-Authentication passed.
    ...