ZTNA access proxy with SAML and MFA using FortiAuthenticator example

ZTNA access proxy supports device verification using device certificates that are issued by EMS. To authenticate users, administrators can use either basic or SAML authentication. An advantage of SAML authentication is that multi-factor authentication (MFA) can be provided by the SAML Identity Provider (IdP).

In this example, a FortiAuthenticator is used as the IdP, and MFA is applied to user authentication for remote users accessing the web, RDP, and SSH resources over the ZTNA access proxy. It is assumed that the FortiGate EMS fabric connector has already been successfully connected.

DNS resolutions:

  • ztna.fortidemo.fortinet.com:20443 -> 10.100.64.201:20443

  • entcore.fortidemo.fortinet.com:20443 -> 10.100.64.201:20443

  • fac.fortidemo.fortinet.com -> 10.100.64.103

The FortiAuthenticator (FAC) integrates with Active Directory (AD) on the Windows Domain Controller, which is also acting as the EMS server. Users are synchronized from the AD to the FAC, and remote users are configured with token-based authentication. SAML authentication is configured on the FortiGate, pointing to the FAC as the SAML IdP. The SAML server is applied to the ZTNA access proxy authentication scheme and rule, to provide the foundation for applying user authentication on individual ZTNA rules.

Configuring the FortiAuthenticator

First configure the FortiAuthenticator to synchronize users from AD using LDAP, apply MFA to individual remote users, and act as the IdP.

To create a remote authentication server pointing to the Windows AD:
  1. Go to Authentication > Remote Auth. Servers > LDAP and click Create New.

  2. Configure the following:

     Name: AD
     Primary server name / IP: 10.100.88.5
     Port: 389 (or another port if using LDAPS)
     Base distinguished name: DC=FORTI-ARBUTUS,DC=LOCAL
     Bind type: Regular
     Username: <user account used for LDAP bind>
     Password: <password of user>
     User object class: person (default)
     Username attribute: sAMAccountName (default)
     Group object class: group (default)
     Obtain group membership from: Group attribute
     Group membership attribute: memberOf (default)
     Secure connection: Enable if using LDAPS or STARTTLS

  3. Click OK.

  4. In the Remote LDAP Users section click Go.

  5. Select the users to import then click OK.

  6. Click OK.

    For more details, see LDAP in the FortiAuthenticator Administration Guide.

To configure a remote LDAP user to use MFA:
  1. Go to Authentication > User Management > Remote Users, and edit a user.

  2. Enable Token-based authentication then select the method of token code delivery.

    For this example, select FortiToken > Mobile, select the Token from the drop-down list, and set the Activation delivery method to email.

  3. In the User Information section, add the email address that will be used for the FortiToken activation.

  4. Click OK.

    An activation email is sent to the user that they can use to install the token to their FortiToken Mobile app.

    For more details, see Remote users in the FortiAuthenticator Administration Guide.

To configure SAML IdP:
  1. Go to Authentication > SAML IdP > General and enable Enable SAML Identity Provider portal.

  2. The Server address is the device FQDN or IP address (configured in the System Information widget at System > Dashboard > Status). In this example, it is fac.fortidemo.fortinet.com.

  3. Set Username input format to username@realm.

  4. Click Add a realm in the Realms table:

    1. Set Realm to the LDAP realm created earlier (AD).

    2. Optionally, enable Filter and select the required user groups. In this example, Customer Support and Marketing are configured.

  5. Set Default IdP certificate to the certificate that will be used in the HTTPS connection to the IdP portal.

  6. Click OK.

  7. Go to Authentication > SAML IdP > Service Providers, and click Create New to create a service provider (SP) for the FortiGate SP.

  8. Configure the following, which must match what will be configured on the FortiGate:

     SP name: Enterprise Core
     IdP prefix: ztna
     Server certificate: Same certificate as the default IdP certificate used in SAML IdP > General
     SP entity ID: https://entcore.fortidemo.fortinet.com:20443/ztna/saml/metadata/
     SP ACS (login) URL: https://entcore.fortidemo.fortinet.com:20443/ztna/saml/login/
     SP SLS (logout) URL: https://entcore.fortidemo.fortinet.com:20443/ztna/saml/logout/
     Participate in single logout: Enable

    The SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL break down as follows:

    • entcore.fortidemo.fortinet.com - The FQDN that resolves to the FortiGate SP.

    • 20443 - The port that is used to map to the FortiGate's SAML SP service.

    • /ztna/saml - The custom, user-defined fields.

    • /metadata, /login, and /logout - The standard convention used to identify the SP entity, login portal, and logout portal.

  9. Click OK.

  10. Edit the newly created SP object and, under SAML Attribute, click Create New.

  11. Set SAML attribute to the username and set User attribute to Username, then click OK.

  12. Click OK.

Configuring the FortiGate SAML settings

On the FortiGate, a SAML user is used to define the SAML SP and IdP settings. This user is then applied to the ZTNA proxy using an authentication scheme, rule, and settings. A ZTNA server is then created to allow access to the SAML SP server so that end users can reach the FortiGate SP's captive portal. The SAML user must then be added to a ZTNA rule to trigger authentication when accessing the ZTNA access proxy.

To create a new SAML user/server:
  1. Create the SAML user object:

    config user saml
        edit "su-ztna"
            set cert "FortiDemo"
            set entity-id "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/metadata/"
            set single-sign-on-url "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/login/"
            set single-logout-url "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/logout/"
            set idp-entity-id "http://fac.fortidemo.fortinet.com/saml-idp/ztna/metadata/"
            set idp-single-sign-on-url "https://fac.fortidemo.fortinet.com/saml-idp/ztna/login/"
            set idp-single-logout-url "https://fac.fortidemo.fortinet.com/saml-idp/ztna/logout/"
            set idp-cert "REMOTE_Cert_1"
            set user-name "username"
            set digest-method sha1
        next
    end
    

    Where:

    • The FortiDemo certificate is a local certificate that is used to sign SAML messages that are exchanged between the client and the FortiGate SP. In this example, it is used to sign entcore.fortidemo.fortinet.com.

    • The REMOTE_Cert_1 certificate is a remote certificate that is used to identify the IdP. In this example, fac.fortidemo.fortinet.com.

    • The URLs used in the SAML user settings are the same as the ones defined on the FortiAuthenticator.

  2. Add the SAML user object to a new user group:

    config user group
        edit "ztna-users"
            set member "su-ztna"
        next
    end
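As an added consistency check that is not part of this example or of Fortinet's own tooling: the script below parses the FortiGate config user saml block shown above and compares it with the SP object defined on the FortiAuthenticator in the previous section. It flags SP URLs that differ between the two devices, SP URLs that do not carry the ZTNA server's external port, IdP URLs that do not follow the /saml-idp/<IdP prefix>/ convention, and a SHA-1 digest. The FAC_SP key names and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the "config user saml" block from this page, pasted from the FortiGate CLI.
FORTIGATE_SAML_USER = """
config user saml
    edit "su-ztna"
        set cert "FortiDemo"
        set entity-id "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/metadata/"
        set single-sign-on-url "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/login/"
        set single-logout-url "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/logout/"
        set idp-entity-id "http://fac.fortidemo.fortinet.com/saml-idp/ztna/metadata/"
        set idp-single-sign-on-url "https://fac.fortidemo.fortinet.com/saml-idp/ztna/login/"
        set idp-single-logout-url "https://fac.fortidemo.fortinet.com/saml-idp/ztna/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set digest-method sha1
    next
end
"""
# Constructed sample: the SP object defined on the FortiAuthenticator (key names are this example's own).
FAC_SP = {
    "idp_prefix": "ztna",
    "entity_id": "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/metadata/",
    "acs_url": "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/login/",
    "sls_url": "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/logout/",
}

def parse_saml_user(text):
    """Return {setting: value} for every 'set' line of a FortiOS 'config user saml' block."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*set\s+(\S+)\s+"?([^"\n]+?)"?\s*$', text, re.M)}

def check_sp_pairing(fgt, sp, sp_fqdn, sp_port):
    """List mismatches that would make the IdP reject or misroute the FortiGate SP."""
    findings = []
    # SP-side URLs must be identical on both devices and carry the ZTNA server's external port.
    for fgt_key, sp_key in (("entity-id", "entity_id"), ("single-sign-on-url", "acs_url"), ("single-logout-url", "sls_url")):
        if fgt.get(fgt_key) != sp[sp_key]:
            findings.append(f"{fgt_key} differs from FAC {sp_key}")
        u = urlsplit(fgt.get(fgt_key, ""))
        if (u.hostname, u.port) != (sp_fqdn, sp_port):
            findings.append(f"{fgt_key} must point at {sp_fqdn}:{sp_port}")
    # FAC publishes its IdP endpoints under /saml-idp/<IdP prefix>/{metadata,login,logout}/.
    for key, tail in (("idp-entity-id", "metadata"), ("idp-single-sign-on-url", "login"), ("idp-single-logout-url", "logout")):
        if urlsplit(fgt.get(key, "")).path != f"/saml-idp/{sp['idp_prefix']}/{tail}/":
            findings.append(f"{key} does not use IdP prefix {sp['idp_prefix']!r}")
    if fgt.get("digest-method") == "sha1":
        findings.append("digest-method is sha1; prefer sha256 when the IdP supports it")
    return findings
```

Run against the page's own values the only finding is the SHA-1 digest; dropping the :20443 port from one SP URL, a common mistake when the ZTNA server port is changed later, produces two further findings for that URL.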
    
To apply the SAML server to proxy authentication:
  1. Apply the SAML server to an authentication scheme:

    config authentication scheme
        edit "saml-scheme"
            set method saml
            set saml-server "su-ztna"
        next
    end
    
  2. Apply the authentication scheme to an authentication rule:

    config authentication rule
        edit "saml-rule"
            set srcintf "any"
            set srcaddr "all"
            set ip-based disable
            set active-auth-method "saml-scheme"
            set web-auth-cookie enable
        next
    end
    
  3. Configure the active authentication scheme, and a captive portal to serve the login page for the SAML requests:

    config firewall address
        edit "entcore.fortidemo.fortinet.com"
            set type fqdn
            set fqdn "entcore.fortidemo.fortinet.com"
        next
    end
    config authentication setting
        set active-auth-scheme "saml-scheme"
        set captive-portal "entcore.fortidemo.fortinet.com"
    end
    
To configure a ZTNA access proxy to allow SAML authentication requests to the SP:
  1. Configure the ZTNA server:

    1. Go to Policy & Objects > ZTNA, select the ZTNA Servers tab, and click Create New.

    2. Configure the following:

       Name: ZTNA-access
       Service: HTTPS
       External interface: Any
       External IP: 10.100.64.201
       External port: 20443
       Default certificate: FortiDemo

    3. Click OK.

  2. Map the access proxy configurations to the SAML server:

    config firewall access-proxy
        edit "ZTNA-access"
            config api-gateway
                edit 1
                    set service samlsp
                    set saml-server "su-ztna"
                next
            end
        next
    end
    
  3. Define the ZTNA rule to allow access to the ZTNA server:

    1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.

    2. Configure the following:

       Name: ZTNA-Rule
       Source (Address): all
       Source (User): ztna-users
       ZTNA Server: ZTNA-access
       Action: Accept

    3. Click OK.

  4. Configure a firewall policy to forward traffic to the access proxy VIP:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure the following:

       Name: ZTNA Policy
       ZTNA: Enabled, Full ZTNA
       Incoming Interface: Any
       Source: All
       ZTNA Server: ZTNA-access
       Schedule: always
       Service: ALL
       Action: Accept
       NAT: NAT

    3. Click OK.

To configure a VIP and a firewall policy to forward IdP authentication traffic to the FortiAuthenticator:

Remote clients connect to the FortiAuthenticator IdP behind the FortiGate using a VIP. In this example, users connect to the FQDN fac.fortidemo.fortinet.com that resolves to the VIP's external IP address.

  1. Configure the VIP to forward traffic to the FortiAuthenticator:

    1. Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.

    2. Configure the following:

       Name: FortiAuthenticator
       Interface: Any
       External IP address: 10.100.64.103
       Map to > IPv4 address/range: 10.100.88.9
       Port Forwarding: Enabled
       Protocol: TCP
       External service port: 443
       Map to IPv4 port: 443

    3. Click OK.

  2. Configure a firewall policy to allow traffic to the VIP:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure the following:

       Name: WAN to FAC
       ZTNA: Disabled
       Incoming Interface: Any
       Outgoing Interface: Any
       Source: All
       ZTNA Server: FortiAuthenticator
       Schedule: always
       Service: ALL

      Action