Configuring SAML SSO in the GUI
SAML single sign-on can be configured in the GUI under User & Authentication > User Groups. The GUI wizard helps generate the service provider (SP) URLs based on the supplied SP address. The SAML object that is created can be selected when defining new user groups.
In this example, FortiGate AA is the inside firewall (172.16.200.101). The other FortiGate is the outside firewall that only does port forwarding from 172.16.116.151:55443 to 172.16.200.101:443. FortiGate AA is configured to allow full SSL VPN access to the network on port2. This SSL VPN portal allows users from the user group saml_grp and the SAML server saml_test to log in. In this topology, a FortiAuthenticator acts as the SAML identity provider (IdP), while the FortiGate is the SAML SP. External users are directed to the FortiAuthenticator IdP login URL to authenticate. For more information about configuring a FortiAuthenticator as an IdP, see Service providers.
The FortiAuthenticator in this example has the following configuration:
To configure FortiGate AA as an SP:
- Create a new SAML server entry:
  - Go to User & Authentication > Single Sign-On and click Create New. The single sign-on wizard opens.
  - Enter a name (saml_test). The other fields will automatically populate based on the FortiGate's WAN IP and port. Click the icon beside the SP entity ID, SP single sign-on URL, and SP single logout URL fields to copy the text.
  - Click Next.
  - Enter the FortiAuthenticator IdP details:
    IdP address: 172.18.58.93:443
    Prefix: 43211234
    IdP certificate: REMOTE_Cert_1
  - Enter the additional SAML attributes that will be used to verify authentication attempts:
    Attribute used to identify users: Username
    Attribute used to identify groups: Group
    The IdP must be configured to include these attributes in the SAML attribute statement. In FortiAuthenticator, this is configured in the Assertion Attributes section.
  - Click Submit.
  The following is created in the backend:
    config user saml
        edit "saml_test"
            set cert "fgt_gui_automation"
            set entity-id "http://172.16.116.151:55443/remote/saml/metadata/"
            set single-sign-on-url "https://172.16.116.151:55443/remote/saml/login/"
            set single-logout-url "https://172.16.116.151:55443/remote/saml/logout/"
            set idp-entity-id "http://172.18.58.93:443/saml-idp/43211234/metadata/"
            set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/43211234/login/"
            set idp-single-logout-url "https://172.18.58.93:443/saml-idp/43211234/logout/"
            set idp-cert "REMOTE_Cert_1"
            set user-name "Username"
            set group-name "Group"
            set digest-method sha1
        next
    end
- Create the SAML group:
  - Go to User & Authentication > User Groups and click Create New.
  - Enter a name, saml_grp.
  - In the Remote Groups table, click Add.
  - In the Remote Server dropdown, select saml_test and click OK.
  - Click OK.
  The following is created in the backend:
    config user group
        edit "saml_grp"
            set member "saml_test"
        next
    end
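As an added illustration (not FortiOS code and not part of the original page) of what the IdP's attribute statement must carry and how the SP consumes it, the Python below parses a constructed SAML assertion, checks its Issuer against the configured idp-entity-id, reads the Username and Group attributes named in the saml_test object, and maps the asserted Group value onto saml_grp. Two assumptions: signature verification against idp-cert is omitted (a real SP must do it before trusting any attribute), and treating an asserted Group value equal to the group name as membership is a simplification of FortiOS group matching.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values taken from the "config user saml" object created by the wizard.
SAML_SERVER = {
    "idp-entity-id": "http://172.18.58.93:443/saml-idp/43211234/metadata/",
    "user-name": "Username",   # attribute used to identify users
    "group-name": "Group",     # attribute used to identify groups
}
# User groups that list this SAML server as a member ("config user group").
GROUP_MEMBERSHIP = {"saml_grp": "saml_test"}

# Constructed sample assertion; the ds:Signature element is left out here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://172.18.58.93:443/saml-idp/43211234/metadata/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="Username">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>saml_grp</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml, server):
    """Return {attribute name: [values]} from the AttributeStatement, but only
    after the Issuer matches the configured idp-entity-id. Signature checking
    against idp-cert is deliberately not implemented in this illustration."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != server["idp-entity-id"]:
        raise ValueError(f"assertion from untrusted issuer: {issuer!r}")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def map_user(assertion_xml, server=SAML_SERVER, groups=GROUP_MEMBERSHIP):
    """Resolve the username from the user-name attribute and the user groups
    whose name appears among the group-name attribute values (simplified)."""
    attrs = extract_attributes(assertion_xml, server)
    users = attrs.get(server["user-name"], [])
    if len(users) != 1:
        raise ValueError("assertion must carry exactly one user-name value")
    asserted_groups = set(attrs.get(server["group-name"], []))
    return users[0], sorted(g for g in groups if g in asserted_groups)
```

If the IdP is not configured to emit the Username attribute, map_user rejects the assertion rather than letting an unnamed session through, which is the failure you will see when the Assertion Attributes section on the FortiAuthenticator is incomplete.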
- Add the SAML group in the SSL VPN settings:
  - Go to VPN > SSL-VPN Settings.
  - In the Authentication/Portal Mapping table, click Create New.
  - For Users/Groups, click the + and select saml_grp.
  - Select the Portal (testportal1).
  - Click OK.
  - Click Apply.
- Configure the firewall policy:
  - Go to Policy & Objects > Firewall Policy and click Create New.
  - Enter the following:
    Incoming Interface: ssl.root
    Outgoing Interface: port2
    Source: all, saml_grp, saml_test
  - Configure the other settings as needed.
  - Click OK.
- On the client, log in with SAML using the SSL VPN web portal.
  If you are using FortiClient for tunnel mode access, enable the Enable Single Sign On (SSO) for VPN Tunnel option in the SSL-VPN connection settings to use the SAML login. See Configuring an SSL VPN connection for more information.
- In FortiOS, go to Dashboard > Network and click the SSL-VPN widget to expand it to full view and verify the connection information.