Using a browser as an external user-agent for SAML authentication in an SSL VPN connection
FortiClient can use a browser as an external user-agent to perform SAML authentication for SSL VPN tunnel mode, instead of the FortiClient embedded login window. If a user has already completed SAML authentication in the default browser, they do not need to authenticate again in the FortiClient built-in browser. FortiClient 7.0.1 or later is required.
The following CLI is used to set the SAML local redirect port on the FortiClient endpoint after successful SAML authentication:
config vpn ssl settings
    set saml-redirect-port <port>
end
Example
In this example, a user wants to use their default browser to connect to IdP for SAML authentication, without needing to separately authenticate in the FortiClient built-in browser. After authenticating in the browser, FortiClient obtains the authentication cookie directly from the browser.
The authentication process proceeds as follows:
- The remote client uses FortiClient to connect to the FortiGate SSL VPN on 172.16.58.92:1443 with the Use external browser as user-agent for saml user authentication option enabled.
- The SSL VPN redirects FortiClient to complete SAML authentication using the Identity Provider (IdP).
- FortiClient opens the default browser to authenticate to the IdP server.
- After a successful authentication, the browser redirects to localhost:<port>, where the port is defined by the saml-redirect-port variable on the FortiGate.
- FortiClient reads the authentication ID passed by the successful authentication, then requests that the SAML authentication process continue on the FortiGate with this ID.
- The FortiGate continues with the remaining SSL VPN host check and other steps until it receives the authentication cookie. It then allows the SSL VPN user to connect using tunnel mode.
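The loopback redirect in step four is the part of this flow that runs on the endpoint. The following is an added example (not FortiClient or FortiOS code) that models it: a listener bound to 127.0.0.1 on the saml-redirect-port, which accepts exactly one browser redirect, extracts the authentication ID, and refuses anything malformed or late. The request path and the query parameter name `id` are assumptions, since the page does not document the exact parameters FortiClient uses; the browser is simulated with a local HTTP request so the script runs offline.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SAML_REDIRECT_PORT = 8020  # same value as 'set saml-redirect-port 8020' in the example config


def parse_auth_id(path):
    """Extract the authentication ID from the redirect request path.

    The query parameter name 'id' is an assumption (the page does not name it).
    Returns None unless exactly one value is present and it looks like an opaque
    alphanumeric token, so unexpected input is dropped rather than used.
    """
    query = urllib.parse.urlsplit(path).query
    values = urllib.parse.parse_qs(query).get("id", [])
    if len(values) != 1:
        return None
    auth_id = values[0]
    if not auth_id.isalnum() or len(auth_id) > 128:
        return None
    return auth_id


class _Capture:
    """Holds the single authentication ID delivered by the browser redirect."""

    def __init__(self):
        self.auth_id = None
        self.done = threading.Event()


def _make_handler(capture):
    class RedirectHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            auth_id = parse_auth_id(self.path)
            # Accept one ID only; malformed or repeated redirects get a 400 and are ignored.
            if auth_id is None or capture.done.is_set():
                self.send_error(400)
                return
            capture.auth_id = auth_id
            capture.done.set()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Authentication received; you can return to the VPN client.\n")

        def log_message(self, *args):  # keep the demo quiet
            pass

    return RedirectHandler


def wait_for_redirect(port=SAML_REDIRECT_PORT, timeout=5.0, simulated_id=None):
    """Listen on loopback only for the post-login redirect; return the auth ID or None."""
    capture = _Capture()
    # Bind to 127.0.0.1, never 0.0.0.0: the redirect must come from the local browser only.
    server = HTTPServer(("127.0.0.1", port), _make_handler(capture))
    bound_port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        if simulated_id is not None:
            # Constructed stand-in for the browser following the IdP redirect to localhost:<port>.
            url = f"http://127.0.0.1:{bound_port}/?id={simulated_id}"
            with urllib.request.urlopen(url, timeout=2) as resp:
                resp.read()
        capture.done.wait(timeout)
    finally:
        server.shutdown()
        server.server_close()
        thread.join(timeout=2)
    return capture.auth_id


if __name__ == "__main__":
    # port=0 asks the OS for a free port so the demo runs even if 8020 is already in use.
    print("captured authentication ID:", wait_for_redirect(port=0, simulated_id="a1b2c3d4"))
```

Two design points carry over to any real client: the listener binds to the loopback address only, and it consumes a single ID and then stops, so a stray second request cannot replace the value already handed to the VPN client.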
To configure the VPN:
- Configure a SAML user:
config user saml
    edit "su1"
        set cert "fgt_gui_automation"
        set entity-id "http://172.18.58.92:1443/remote/saml/metadata/"
        set single-sign-on-url "https://172.18.58.92:1443/remote/saml/login/"
        set single-logout-url "https://172.18.58.92:1443/remote/saml/logout/"
        set idp-entity-id "http://172.18.58.93:443/saml-idp/222222/metadata/"
        set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/222222/login/"
        set idp-single-logout-url "https://172.18.58.93:443/saml-idp/222222/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "Groupname"
        set digest-method sha1
    next
end
- Add the SAML user to a user group:
config user group
    edit "saml_grp"
        set member "su1"
    next
end
- Create an SSL VPN web portal:
config vpn ssl web portal
    edit "testportal1"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        ...
    next
end
- Configure the SSL VPN:
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "testportal1"
    ...
end
- Configure a firewall policy for the SSL VPN and assign the SAML group and a local user to it:
config firewall policy
    edit 1
        set name "policy_to_sslvpn_tunnel"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "saml_grp"
        set users "u1"
    next
end
- Enable the SAML redirect port:
config vpn ssl settings
    set saml-redirect-port 8020
end
To connect to the VPN using FortiClient:
- Configure the SSL VPN connection:
    - Open FortiClient, go to the Remote Access tab, and click Configure VPN.
    - Enter a name for the connection.
    - Set the Remote Gateway to the FortiGate port 172.18.58.92.
    - Enable Customize port and set the port to 1443.
    - Enable Enable Single Sign On (SSO) for VPN Tunnel and Use external browser as user-agent for saml user authentication.
    - Click Save.
- On the Remote Access tab, select the FGT401E_SSO VPN connection from the dropdown list.
- Click SAML Login.
  The default browser opens to the IdP authentication page.
- Enter the username and password, then click Login.
  The authenticated result is sent back to FortiClient and the connection is established.
To check the connection on the FortiGate:
# get vpn ssl monitor
SSL-VPN Login Users:
 Index   User   Group      Auth Type   Timeout   Auth-Timeout   From           HTTP in/out   HTTPS in/out   Two-factor Auth
 1       fac3   saml_grp   256(1)      N/A       10.1.100.254   0/0            0/0           0

SSL-VPN sessions:
 Index   User   Group      Source IP      Duration   I/O Bytes   Tunnel/Dest IP
 0       fac3   saml_grp   10.1.100.254   5          9990/8449   10.212.134.200,fdff:ffff::1

# diagnose firewall auth list
10.212.134.200, fac3
        type: fw, id: 0, duration: 6, idled: 0
        expire: 259199, allow-idle: 259200
        flag(80): sslvpn
        server: su1
        packets: in 28 out 28, bytes: in 23042 out 8561
        group_id: 5
        group_name: saml_grp
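When this check is run on a schedule rather than by hand, the monitor output is worth parsing so that sessions can be compared against what the firewall policy was meant to admit. The following is an added example, not FortiOS code: it parses the `get vpn ssl monitor` layout shown above (columns are positional in the fixed-width output) and lists tunnel sessions whose group is not one the policy references. The sample text embeds the page's own session plus one constructed extra row (user `u9`, group `localgrp`) so the check has something to flag; the real output would come from the CLI or the REST monitor API.

```python
# Constructed sample in the layout of 'get vpn ssl monitor'. The fac3 rows are the
# page's own output; the u9 row is added here so the group check has a hit.
SAMPLE_MONITOR = """\
SSL-VPN Login Users:
 Index   User   Group      Auth Type   Timeout   Auth-Timeout   From           HTTP in/out   HTTPS in/out   Two-factor Auth
 1       fac3   saml_grp   256(1)      N/A       10.1.100.254   0/0            0/0           0

SSL-VPN sessions:
 Index   User   Group      Source IP      Duration   I/O Bytes   Tunnel/Dest IP
 0       fac3   saml_grp   10.1.100.254   5          9990/8449   10.212.134.200,fdff:ffff::1
 1       u9     localgrp   10.1.100.77    120        4200/3100   10.212.134.201
"""


def parse_ssl_monitor(text):
    """Parse 'get vpn ssl monitor' output into login users and tunnel sessions.

    Rows are split on whitespace and read positionally, which holds for the
    fixed-width layout FortiOS prints. Header, blank and unrelated lines are skipped.
    """
    result = {"users": [], "sessions": []}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("SSL-VPN Login Users"):
            section = "users"
            continue
        if stripped.startswith("SSL-VPN sessions"):
            section = "sessions"
            continue
        parts = stripped.split()
        # Data rows start with a numeric Index; anything else is a header or filler.
        if section is None or len(parts) < 4 or not parts[0].isdigit():
            continue
        if section == "users":
            result["users"].append({
                "index": int(parts[0]),
                "user": parts[1],
                "group": parts[2],
                "auth_type": parts[3],
            })
        else:
            result["sessions"].append({
                "index": int(parts[0]),
                "user": parts[1],
                "group": parts[2],
                "source_ip": parts[3],
                "duration": int(parts[4]),
                "io_bytes": parts[5],
                # Tunnel/Dest IP may carry an IPv4 and an IPv6 address separated by a comma.
                "tunnel_ips": parts[6].split(","),
            })
    return result


def sessions_outside_expected_groups(sessions, expected_groups):
    """Return tunnel sessions whose group is not among the groups the policy references."""
    return [s for s in sessions if s["group"] not in expected_groups]


if __name__ == "__main__":
    monitor = parse_ssl_monitor(SAMPLE_MONITOR)
    # The example policy sets 'groups "saml_grp"', so that is the expected group here.
    for s in sessions_outside_expected_groups(monitor["sessions"], {"saml_grp"}):
        print(f"session {s['index']}: user {s['user']} in group {s['group']} "
              f"from {s['source_ip']} -> {','.join(s['tunnel_ips'])}")
```

The expected set should list every group the policy names; a local user admitted through `set users` (like `u1` in the policy above) appears under whatever group the FortiGate reports for it and is not covered by a group-only check.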