Outbound firewall authentication for a SAML user
When you configure a FortiGate as a service provider (SP), you can create an authentication profile that uses SAML for firewall authentication.
You must use the identity provider's (IdP) remote certificate on the SPs.
The following example uses a FortiGate as an SP and FortiAuthenticator as the IdP server:
To configure firewall authentication:
- Configure the FortiGate SP to be a SAML user:
    config user saml
        edit "fac-firewall"
            set entity-id "http://10.2.2.2:1000/saml/metadata/"
            set single-sign-on-url "https://10.2.2.2:1003/saml/login/"
            set single-logout-url "https://10.2.2.2:1003/saml/logout/"
            set idp-entity-id "http://172.18.58.93:443/saml-idp/bbbbbb/metadata/"
            set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/bbbbbb/login/"
            set idp-single-logout-url "https://172.18.58.93:443/saml-idp/bbbbbb/logout/"
            set idp-cert "REMOTE_Cert_3"
            set user-name "username"
            set group-name "group"
        next
    end
- Add the SAML user to the user group (optionally, you can configure group matching):
    config user group
        edit "saml_firewall"
            set member "fac-firewall"
            config match
                edit 1
                    set server-name "fac-firewall"
                    set group-name "user_group1"
                next
            end
        next
    end
- Add the SAML user group to a firewall policy:
    config firewall policy
        edit 2
            set srcintf "port3"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "pc4"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set fsso disable
            set groups "saml_firewall" "group_local"
            set users "first"
            set nat enable
        next
    end
- Configure the FortiAuthenticator IdP as needed.
- Run HTTP/HTTPS authentication for a remote user. The SAML login page appears:
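As an added example (not Fortinet code and not part of this page), the following Python lint parses the three FortiOS CLI blocks from the procedure above and cross-checks them before the configuration is deployed: the SP must reference an `idp-cert` (the IdP's remote certificate, without which assertion signatures cannot be verified), the SSO/SLO URLs must use HTTPS, every `config match` entry must point at a SAML user that is also a member of that group, and every group named in the firewall policy must exist. The `SAMPLE` text is constructed from this page's blocks (the policy trimmed to the settings the lint inspects), and the parser handles only the `config`/`edit`/`set`/`next`/`end` keywords those blocks use.

```python
# Added example (not Fortinet code). SAMPLE is constructed from this page's CLI blocks; policy trimmed.
import shlex

SAMPLE = """\
config user saml
    edit "fac-firewall"
        set entity-id "http://10.2.2.2:1000/saml/metadata/"
        set single-sign-on-url "https://10.2.2.2:1003/saml/login/"
        set single-logout-url "https://10.2.2.2:1003/saml/logout/"
        set idp-entity-id "http://172.18.58.93:443/saml-idp/bbbbbb/metadata/"
        set idp-single-sign-on-url "https://172.18.58.93:443/saml-idp/bbbbbb/login/"
        set idp-single-logout-url "https://172.18.58.93:443/saml-idp/bbbbbb/logout/"
        set idp-cert "REMOTE_Cert_3"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "saml_firewall"
        set member "fac-firewall"
        config match
            edit 1
                set server-name "fac-firewall"
                set group-name "user_group1"
            next
        end
    next
end
config firewall policy
    edit 2
        set action accept
        set groups "saml_firewall" "group_local"
    next
end
"""
URL_KEYS = ("single-sign-on-url", "single-logout-url",
            "idp-single-sign-on-url", "idp-single-logout-url")


def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts: table -> entry -> settings (nested tables inline)."""
    root = {}
    stack = [root]  # innermost dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":  # open a table, possibly nested inside an entry
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":  # open an entry; numeric ids stay strings ("2")
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":  # one value -> str, several -> list
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unsupported command: {line}")
    return root


def as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def lint_saml_firewall(cfg):
    """Return findings; an empty list means the SP, group and policy references are consistent."""
    findings = []
    saml_users = cfg.get("user saml", {})
    groups = cfg.get("user group", {})
    for name, sp in saml_users.items():
        # Without the IdP's certificate the SP cannot verify assertion signatures.
        if not sp.get("idp-cert"):
            findings.append(f"saml user {name}: idp-cert is not set, so IdP assertion signatures cannot be verified")
        for key in URL_KEYS:
            url = sp.get(key, "")
            if not url.startswith("https://"):
                findings.append(f"saml user {name}: {key} should use https, got {url!r}")
    for gname, grp in groups.items():
        members = as_list(grp.get("member"))
        # Group matching must point at a SAML user that is also a member of this group.
        for idx, m in grp.get("match", {}).items():
            srv = m.get("server-name")
            if srv not in saml_users:
                findings.append(f"user group {gname}: match {idx} references unknown saml user {srv!r}")
            elif srv not in members:
                findings.append(f"user group {gname}: match {idx} server {srv!r} is not a member of the group")
            if srv in saml_users and not saml_users[srv].get("group-name"):
                findings.append(f"saml user {srv}: group matching is used but group-name is not set")
    for pid, pol in cfg.get("firewall policy", {}).items():
        for g in as_list(pol.get("groups")):
            if g not in groups:
                findings.append(f"firewall policy {pid}: group {g!r} is not defined")
    return findings


if __name__ == "__main__":
    for finding in lint_saml_firewall(parse_fortios(SAMPLE)) or ["no findings"]:
        print(finding)
```

Run against the page's blocks as given, the only finding is that policy 2 references `group_local`, which the procedure never defines; removing the `set idp-cert` line makes the certificate finding appear first, which is the case the note at the top of this page warns about.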