
Administration Guide

ZTNA application gateway with SAML authentication example

SAML can be used with ZTNA as an authentication method. This allows user credentials to be stored remotely on an Identity Provider (IdP), with the FortiProxy acting as the Service Provider (SP) to redirect users to the IdP for authentication. Once authenticated, the FortiProxy as the trust broker can perform policy enforcement and authorization based on the SAML assertion that is returned.

For a basic configuration:

  1. Configure a SAML SSO object on the FortiProxy.

  2. Apply the SAML SSO object to an authentication scheme.

  3. Apply SAML to the ZTNA server object.

  4. Create a user group that uses the SAML SSO object as its remote authentication server.

  5. Apply the user group to a ZTNA policy.

For a more advanced configuration, the group attribute returned from the SAML assertion from the IdP can be ignored and instead, the authenticated user can be queried using a different method, such as LDAP, to acquire its user group. The returned user group is then used for authorization on the ZTNA policy.

In this example, the configuration steps are:

  1. Configure a SAML SSO object on the FortiProxy.

  2. Configure an LDAP server object on the FortiProxy.

  3. Apply the SAML SSO object to an authentication scheme, with the user-database configured to the LDAP server object.

  4. Apply SAML to the ZTNA server object.

  5. Create a user group that uses the LDAP server object as its remote authentication server.

  6. Apply the user group to a ZTNA policy.

Example

In this example, an HTTPS access proxy is configured, and SAML authentication is applied to authenticate the client. The FortiProxy acts as the SAML SP and a SAML authenticator serves as the IdP. In addition to verifying the user and device identity with the client certificate, the user is also authorized based on user credentials to establish a trust context before granting access to the protected resource. The user group returned from the SAML assertion is overridden by the group returned from querying the LDAP server directly.

This example assumes that the FortiProxy EMS fabric connector is already successfully connected.

To configure the access proxy VIP:
config firewall vip
    edit "ZTNA_server01"
        set uuid 42123240-7087-51ef-0bc6-27c2c7abb7f8
        set type access-proxy
        set extip 10.1.1.14
        set extintf "any"
        set server-type https
        set extport 7831
        set ssl-certificate "Fortinet_SSL"
    next
end
To configure access proxy server mappings:
config firewall access-proxy
    edit "ZTNA_server01"
        set vip "ZTNA_server01"
        config api-gateway
            edit 1
                config realservers
                    edit 1
                        set ip 10.120.1.78
                    next
                end
            next
        end
    next
end
To configure a SAML server:
config user saml
    edit "fac_saml"
        set cert "Fortinet_SSL"
        set entity-id "https://10.120.1.210:7831/XX/YY/ZZ/saml/metadata/"
        set single-sign-on-url "https://10.120.1.210:7831/XX/YY/ZZ/saml/login/"
        set single-logout-url "https://10.120.1.210:7831/XX/YY/ZZ/saml/logout/"
        set idp-entity-id "http://10.120.1.206/saml-idp/z1l7z7jw5kt5tidy/metadata/"
        set idp-single-sign-on-url "https://10.120.1.206/saml-idp/z1l7z7jw5kt5tidy/login/"
        set idp-single-logout-url "https://10.120.1.206/saml-idp/z1l7z7jw5kt5tidy/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "groupname"
        set digest-method sha1
    next
end
To map the SAML server into an access proxy configuration:
config firewall access-proxy
    edit "ZTNA_server01"
        set vip "ZTNA_server01"
        config api-gateway
            edit 3
                set service samlsp
                set saml-server "fac_saml"
            next
        end
    next
end
To configure an LDAP server and an LDAP server group to verify user groups:
config user ldap
    edit "ldap"
        set server "10.120.1.120"
        set cnid "cn"
        set dn "dc=qa,dc=domaintest,dc=com"
        set type regular
        set username "qa\\administrator"
        set password **********
    next
end
config user group
    edit "ldap-group-saml"
        set member "ldap"
        config match
            edit 1
                set server-name "ldap"
                set group-name "CN=usergrp1,CN=Users,DC=qa,DC=domaintest,DC=com"
            next
        end
    next
end
To configure the authentication rule and scheme to match the new SAML server:
config authentication rule
    edit "fac_saml_rule"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set ip-based disable
        set active-auth-method "fac_saml_scheme"
        set web-auth-cookie enable
    next
end
config authentication scheme
    edit "fac_saml_scheme"
        set method saml
        set saml-server "fac_saml"
        set saml-timeout 120
        set user-database "ldap"
    next
end
To enable user group authentication in a policy:
config firewall policy
    edit 5
        set type access-proxy
        set name "ZTNA_remote"
        set uuid 7dd3f902-7088-51ef-1c79-61ffa38b91b2
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set access-proxy "ZTNA_server01"
        set logtraffic all
        set log-http-transaction enable
        set extended-log enable
        set groups "ldap-group-saml"
        set ssl-ssh-profile "certificate-inspection"
    next
end
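The six steps and the CLI blocks above form one chain of object references: the policy points at the access proxy and the user group, the access proxy's samlsp api-gateway and the authentication scheme both point at the SAML server, and the scheme's user-database and the group's member both point at the LDAP server. A dangling reference anywhere in that chain means the user is either never sent to the IdP or never matches the policy. The following script is an added example, not Fortinet code: it parses FortiOS-style CLI text (a constructed, shortened copy of the configuration above using the same object names) and reports every reference that does not resolve. The table names and keys it checks are the ones shown on this page; the parser is a minimal one that assumes well-formed config/edit/set/next/end nesting.

```python
"""Check that the ZTNA/SAML/LDAP object chain references resolve.

Added example (not Fortinet code): a small parser for FortiOS-style CLI text
plus a checker that walks the cross-references the steps above rely on.
"""
import shlex

# Constructed sample keeping only the cross-referencing lines of the page's config.
SAMPLE_CONFIG = """
config firewall vip
    edit "ZTNA_server01"
    next
end
config firewall access-proxy
    edit "ZTNA_server01"
        set vip "ZTNA_server01"
        config api-gateway
            edit 3
                set service samlsp
                set saml-server "fac_saml"
            next
        end
    next
end
config user saml
    edit "fac_saml"
    next
end
config user ldap
    edit "ldap"
    next
end
config user group
    edit "ldap-group-saml"
        set member "ldap"
    next
end
config authentication scheme
    edit "fac_saml_scheme"
        set saml-server "fac_saml"
        set user-database "ldap"
    next
end
config firewall policy
    edit 5
        set access-proxy "ZTNA_server01"
        set groups "ldap-group-saml"
    next
end
"""

# (table, key in each entry, table the key must point into)
CHAIN = [
    ("firewall access-proxy", "vip", "firewall vip"),
    ("authentication scheme", "saml-server", "user saml"),
    ("authentication scheme", "user-database", "user ldap"),   # group lookup source
    ("user group", "member", "user ldap"),
    ("firewall policy", "access-proxy", "firewall access-proxy"),
    ("firewall policy", "groups", "user group"),
]


def parse_fortios(text: str) -> dict:
    """Parse config/edit/set/next/end lines into nested dicts:
    {"table name": {"entry": {"key": value, "subtable": {...}}}}."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        tok = shlex.split(raw)            # honours the CLI's double quoting
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def check_chain(cfg: dict) -> list:
    """Return a human-readable finding for every dangling or missing reference."""
    errs = []

    def ref(target, name, what):
        if name is None:
            errs.append(f"{what} does not reference any {target}")
        elif name not in cfg.get(target, {}):
            errs.append(f"{what} references missing {target} '{name}'")

    for table, key, target in CHAIN:
        for name, entry in cfg.get(table, {}).items():
            ref(target, entry.get(key), f"{table} {name}")
    # The SAML SP gateway is nested inside each access proxy's api-gateway table.
    for name, ap in cfg.get("firewall access-proxy", {}).items():
        for gw_id, gw in ap.get("api-gateway", {}).items():
            if gw.get("service") == "samlsp":
                ref("user saml", gw.get("saml-server"), f"api-gateway {gw_id}")
    return errs


if __name__ == "__main__":
    print(check_chain(parse_fortios(SAMPLE_CONFIG)) or "chain OK")
```

Run it against a `show` dump of your own unit after making the changes; an empty result means every object in the chain exists, which is the first thing to confirm before reading SAML debug output.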

Testing the connection

To test the connection:

It is not necessary to configure a ZTNA Destination on the FortiClient for the HTTPS access proxy use case. In fact, configuring a ZTNA Destination rule for the website may interfere with its operation.

  1. On a client PC, try to access the webpage through the HTTPS access proxy. For example, go to http://10.1.1.14:7831 in a browser.

  2. The client PC is prompted for a client certificate. After the certificate is validated, you are redirected to a SAML login portal.

  3. Enter your user credentials. The SAML server authenticates and sends a SAML assertion response message to the FortiProxy.

  4. The FortiProxy queries the LDAP server for the user group, and then verifies the user group against the group or groups defined in the proxy policy.

  5. The user is proxied to the webpage on the real web server.

Logs and debugs

Use the following command to check the user information after the user has been authenticated:

# diagnose wad user list
ID: 13, VDOM: root, IPv4: 10.100.1.32
  user name   : usera@qa.domaintest.com
  worker      : 0
  duration    : 14 seconds
  auth_type   : Session
  auth_method : SAML
  pol_id      : 5
  g_id        : 4
  user_based  : 0
  expire      : N/A (in use)
  LAN:
    bytes_in=404 bytes_out=8369
  WAN:
    bytes_in=0 bytes_out=0

Event log:

date=2024-09-11 time=15:25:15 eventtime=1726093514754345944 tz="-0700" logid="0102043025" type="event" subtype="user" level="notice" vd="root" logdesc="Explicit proxy authentication successful" srcip=10.100.1.32 dstip=10.120.1.210 authid="fac_saml_rule" user="usera@qa.domaintest.com" authproto="HTTP(10.100.1.32)" action="authentication" status="success" reason="Authentication succeeded" msg="User usera@qa.domaintest.com succeeded in authentication"

Traffic log:

date=2024-09-11 time=15:28:06 eventtime=1726093685808900790 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.100.1.32 srcport=53762 srcintf="port1" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=10.120.1.78 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=1148927321 service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=5 policytype="proxy-policy" poluuid="7dd3f902-7088-51ef-1c79-61ffa38b91b2" policyname="ZTNA_remote" clientip=10.100.1.32 duration=188580 user="usera@qa.domaintest.com" group="ldap-group-saml" gatewayid=1 vip="ZTNA_server01" accessproxy="ZTNA_server01" clientdevicemanageable="manageable" wanin=9606 rcvdbyte=9606 wanout=2065 lanin=3516 sentbyte=3516 lanout=11202 fctuid="F0D60B28FCAB464E81C725270B62BEC0" unauthuser="userb" unauthusersource="forticlient" srcremote=207.102.138.19 appcat="unscanned" utmaction="allow"
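The event log records which SAML rule authenticated the user, and the traffic log records which policy, group and access proxy the resulting session was allowed under. Reading the two together is how you confirm that the LDAP-derived group, not the IdP's group attribute, drove authorization. The script below is an added example, not Fortinet code: it parses the key=value log format shown above (constructed, shortened copies of the two lines, with the policy id, group and access proxy from this page as the expected values) and lists what deviates. It treats `unauthuser` with `unauthusersource="forticlient"` as the user name reported by the endpoint's FortiClient, which is an assumption about that field; on this page it is `userb` while the SAML-authenticated user is `usera`, so the script flags it for review rather than treating it as an error.

```python
"""Correlate a FortiProxy SAML auth event with the ZTNA traffic log it produced.

Added example (not Fortinet code). It parses the key=value log format shown
above and reports when the identity or policy actually enforced deviates from
what the configuration on this page expects.
"""
import re
from typing import Dict, List

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed, shortened copies of the page's two log lines.
EVENT_LOG = ('date=2024-09-11 time=15:25:15 logid="0102043025" type="event" subtype="user" '
             'logdesc="Explicit proxy authentication successful" srcip=10.100.1.32 dstip=10.120.1.210 '
             'authid="fac_saml_rule" user="usera@qa.domaintest.com" authproto="HTTP(10.100.1.32)" '
             'action="authentication" status="success" reason="Authentication succeeded" '
             'msg="User usera@qa.domaintest.com succeeded in authentication"')
TRAFFIC_LOG = ('date=2024-09-11 time=15:28:06 logid="0005000024" type="traffic" subtype="ztna" '
               'srcip=10.100.1.32 srcport=53762 dstip=10.120.1.78 dstport=443 service="HTTPS" '
               'action="accept" policyid=5 policytype="proxy-policy" policyname="ZTNA_remote" '
               'clientip=10.100.1.32 user="usera@qa.domaintest.com" group="ldap-group-saml" '
               'gatewayid=1 vip="ZTNA_server01" accessproxy="ZTNA_server01" '
               'clientdevicemanageable="manageable" unauthuser="userb" unauthusersource="forticlient" '
               'utmaction="allow"')

# What the policy configured on this page is meant to enforce.
EXPECTED = {"policyid": "5", "group": "ldap-group-saml", "accessproxy": "ZTNA_server01"}


def parse_log(line: str) -> Dict[str, str]:
    """Split a FortiOS log line into a dict; quoted values keep their inner spaces."""
    return {k: quoted if quoted else bare for k, quoted, bare in KV.findall(line)}


def review_session(event: Dict[str, str], traffic: Dict[str, str],
                   expected: Dict[str, str]) -> List[str]:
    """Return findings an analyst should look at. An empty list means the traffic
    was accepted for the SAML-authenticated user under the expected policy and group."""
    findings: List[str] = []
    if event.get("status") != "success" or event.get("action") != "authentication":
        findings.append("no successful authentication event for this session")
    if traffic.get("clientip") != event.get("srcip"):
        findings.append("traffic clientip does not match the authenticating source IP")
    if traffic.get("user") != event.get("user"):
        findings.append("traffic user differs from the SAML-authenticated user")
    for key, want in expected.items():
        if traffic.get(key) != want:
            findings.append(f"{key}={traffic.get(key)!r}, expected {want!r}")
    # Assumption: unauthuser is the user name the endpoint (FortiClient) reported.
    # It is logged separately from the SAML identity the policy enforced; a
    # mismatch is worth a look rather than automatically a fault.
    endpoint_user = traffic.get("unauthuser")
    if endpoint_user and endpoint_user != traffic.get("user", "").split("@")[0]:
        findings.append(f"endpoint user {endpoint_user!r} differs from SAML user {traffic.get('user')!r}")
    return findings


if __name__ == "__main__":
    for f in review_session(parse_log(EVENT_LOG), parse_log(TRAFFIC_LOG), EXPECTED) or ["no findings"]:
        print(f)
```

In a SIEM you would key the join on `srcip`/`clientip` and a time window around `eventtime`; the single-pair call here keeps the logic visible.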
