
Administration Guide

Configuring FortiAuthenticator as SAML IdP and FortiGate as SAML SP

This topic describes the configuration steps required for FortiAuthenticator to act as the Identity Provider (IdP) and FortiGate to act as the Service Provider (SP) during SAML authentication for an IPsec connection, as part of the overall SAML-based authentication configuration for FortiClient remote access dialup IPsec VPN clients.

In the example discussed, the following assumptions and configuration steps are used:

  1. FortiAuthenticator is configured with a local user (testuser) inside a user group (IT).

  2. This user belongs to a dedicated realm (samlrealm).

  3. FortiAuthenticator also requires a server certificate (also called the IdP certificate) for itself, signed by a well-known CA or otherwise trusted by the FortiClient endpoint and FortiGate.

  4. The IdP certificate must be imported into FortiGate, which uses it to validate the SAML messages that FortiAuthenticator signs with it.

  5. FortiAuthenticator must then be configured as the SAML IdP and FortiGate as the SAML SP.

To configure a local user on FortiAuthenticator:
  1. Go to Authentication > User Management > Local Users and select Create New.

  2. Enter the following details and leave the other settings at their defaults.

    Username: testuser
    Password creation: Specify a password
    Password: Enter a desired password
    Password confirmation: Re-enter the password
  3. Click Save.

For more advanced and custom configuration options, see Local users.

To configure a user group on FortiAuthenticator:
  1. Go to Authentication > User Management > User Groups and select Create New.

  2. To create a user group with a local user:

    1. In the Name field, enter the group name as IT.

    2. Set the Type as Local.

    3. Under Users, from the Available Users table, select testuser and move it to the Chosen Users table.

  3. Click Save.

For more advanced options, see User Groups.

To configure a user realm on FortiAuthenticator:
  1. Go to Authentication > User Management > Realms and select Create New.

  2. Name the realm as samlrealm.

  3. In User source, from the dropdown, select Local Users.

  4. Click Save.

For more advanced options, see Realms.

To import a server certificate on FortiAuthenticator:
  1. Go to Certificate Management > End Entities > Local Services and select Import.

  2. Select the Type that matches the file format of your certificate.

  3. Select Upload a file to locate the certificate file on your computer.

  4. Click Import.

See End entities for more information on certificates on FortiAuthenticator.

To configure general SAML IdP settings on FortiAuthenticator:
  1. Go to Authentication > SAML IdP > General, and select Enable SAML Identity Provider portal.

  2. Configure the following settings:

    Device FQDN: <FortiAuthenticator FQDN>

    To configure this setting, you must first enter a Device FQDN in the System Information widget on the Dashboard.

    Server address: <FortiAuthenticator FQDN>

    Enter the IP address or FQDN of the FortiAuthenticator device. This address must be reachable by the FortiClient endpoint.

    Username input format: username@realm

    Use default realm when user-provided realm is different from all configured realms: Disabled

    Realms: Realm samlrealm; (Optional) Groups > Filter: IT

    Use Groups and Filter to restrict the realm to specific user groups. These user groups may contain local users configured on the FortiAuthenticator itself or remote users populated from different remote authentication servers. See User Groups and Remote users for more information.

    Legacy login sequence: Disabled

    Default IdP certificate: <IdP certificate>

    The IdP uses this certificate to sign SAML messages before sending them to the SP. To import this certificate on FortiAuthenticator, see Importing a server certificate. This certificate also needs to be imported on the SP (FortiGate) so that it can be used in the SAML configuration there. See Remote certificate.

  3. Select Save to apply any changes that you have made.

To configure the service provider (SP) settings on FortiAuthenticator:
  1. Go to SAML IdP > Service Providers.

  2. Click Create New.

  3. Enter the following:

    SP name: FortiGate

    Use any suitable SP name.

    Server certificate: <IdP certificate>

    The IdP uses this certificate to sign SAML messages before sending them to the SP. To import this certificate on FortiAuthenticator, see Importing a server certificate. This certificate also needs to be imported on the SP (FortiGate) so that it can be used in the SAML configuration there. See Remote certificate.

    IdP Metadata: Select an identifier to display IdP info

    Click + to create a new IdP prefix. In the IdP identifier field, enter the prefix as fac and click OK.

    Fields such as IdP entity ID, IdP single sign-on URL, and IdP single logout URL are populated automatically from this prefix. These URLs must be reachable by FortiClient endpoints. Copy this URL information into a separate text file; it is used later to configure the IdP information on the SP (FortiGate).

    Authentication Method: Password-only

    Assertion Attributes: click + to expand the section, then configure two SAML assertion attributes (username and group) as follows:

    Assertion attribute 1: SAML attribute username, User attribute FortiAuthenticator > Username
    Assertion attribute 2: SAML attribute group, User attribute FortiAuthenticator > Group
  4. Click Save.

To export the SAML IdP server certificate and import it on FortiGate:
  1. On FortiAuthenticator, go to Certificate Management > End Entities > Local Services.

  2. Select the certificate (<IdP certificate>) by checking the box to the left of its table entry and click Export Certificate.

  3. Choose a location on your local computer and click Save.

  4. On FortiGate, go to System > Certificates, and from the Create/Import dropdown, select Remote Certificate.

  5. Select Upload to locate and upload the .cer remote certificate from your computer.

  6. Click OK.

    The new certificate is now visible in the System > Certificates page under Remote Certificate.

To configure SAML server on FortiGate:
  1. Go to User & Authentication > Single Sign-On.

  2. Click Create New.

  3. Enter the Name as saml-fac.

  4. In the Address field, enter the FQDN or IP address and port in the following format:

    <ipsec-vpn-gateway-fqdn/ip-address>:<saml-ike-authentication-port>

    FortiClient uses the Address field to initiate the IPsec connection to FortiGate.

  5. On the FortiGate, under Service Provider Configuration, copy the following URLs (Entity ID, Assertion consumer service URL, Single logout service URL). On FortiAuthenticator, enter them in Authentication > SAML IdP > Service Providers > FortiGate, in the SP Metadata fields, using the following mapping:

    FortiGate setting -> FortiAuthenticator setting
    Entity ID -> SP entity ID
    Assertion consumer service URL -> SP ACS (login) URL
    Single logout service URL -> SP SLS (logout) URL


  6. Click Save on FortiAuthenticator to save the SP URLs.

  7. Return to the FortiGate GUI and click Next.

    Set the Type as Custom. The Entity ID, Assertion consumer service URL, and Single logout service URL fields required here are available from FortiAuthenticator.

  8. To copy the following URLs (IdP entity ID, IdP single sign-on URL, IdP single logout URL) from FortiAuthenticator, go to Authentication > SAML IdP > Service Providers > FortiGate, under IdP Metadata. Paste them into FortiGate using the following mapping:

    FortiAuthenticator setting -> FortiGate setting
    IdP entity ID -> Entity ID
    IdP single sign-on URL -> Assertion consumer service URL
    IdP single logout URL -> Single logout service URL


  9. In the Certificate dropdown, select the IdP certificate that was imported on FortiGate.

  10. Enter the following details under Additional SAML Attributes:

    Attribute used to identify users: username
    Attribute used to identify groups: group
  11. Click Submit to save the changes.
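The two mappings in steps 5 and 8 are copy-and-paste work, and a value pasted into the wrong field fails only at first login. The following is an added example (not Fortinet code) that reads standard SAML 2.0 metadata for both sides and checks what was typed into each GUI against it; the hosts and URL paths in the sample metadata are placeholders, not FortiAuthenticator's or FortiGate's real URL layout.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed IdP metadata using the "fac" IdP prefix from the page (placeholder host/paths).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://fac.example.com/saml-idp/fac/metadata/">
  <md:IDPSSODescriptor>
    <md:SingleLogoutService Location="https://fac.example.com/saml-idp/fac/logout/"/>
    <md:SingleSignOnService Location="https://fac.example.com/saml-idp/fac/login/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata for the FortiGate IPsec gateway (placeholder host and port).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com:10443/remote/saml/metadata/">
  <md:SPSSODescriptor>
    <md:SingleLogoutService Location="https://vpn.example.com:10443/remote/saml/logout/"/>
    <md:AssertionConsumerService Location="https://vpn.example.com:10443/remote/saml/login/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """IdP values keyed by the FortiGate field they are pasted into (step 8 mapping)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    return {"Entity ID": root.get("entityID"),
            "Assertion consumer service URL": idp.find("md:SingleSignOnService", NS).get("Location"),
            "Single logout service URL": idp.find("md:SingleLogoutService", NS).get("Location")}

def parse_sp_metadata(xml_text):
    """SP values keyed by the FortiAuthenticator field they are pasted into (step 5 mapping)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {"SP entity ID": root.get("entityID"),
            "SP ACS (login) URL": sp.find("md:AssertionConsumerService", NS).get("Location"),
            "SP SLS (logout) URL": sp.find("md:SingleLogoutService", NS).get("Location")}

def check_pasted(expected, pasted):
    """Compare the values typed into a GUI with the metadata; one message per bad field."""
    problems = []
    for field, want in expected.items():
        got = (pasted.get(field) or "").strip()
        if got == want:
            continue
        if not got:
            problems.append(f"{field}: empty")
        elif got in expected.values():
            problems.append(f"{field}: holds the value that belongs in another field")
        elif not got.startswith("https://"):
            problems.append(f"{field}: not an https URL")
        else:
            problems.append(f"{field}: does not match the metadata")
    return problems
```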

To create SAML user group on FortiGate:
  1. Go to User & Authentication > User Groups.

  2. Click Create New.

  3. Enter Name as SAML-FAC-Group.

  4. In Remote Groups, click Add.

  5. From the Remote Server dropdown, select the saml-fac SAML server.

  6. In the Groups field, click Specify and enter IT.

  7. Click OK to add the remote group.

  8. Click OK to save the user group.
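The assertion attributes configured on FortiAuthenticator (username, group), the FortiGate settings Attribute used to identify users/groups, and the SAML-FAC-Group membership rule (group IT) together decide who gets through. The following is an added example (not Fortinet code) that applies those rules to a constructed, unsigned assertion; the entity IDs are placeholders, and signature validation is left out because on the FortiGate it is performed with the IdP certificate imported under Remote Certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: IdP/SP entity IDs are placeholders; the assertion is hand-written
# in standard SAML 2.0 shape for testuser in group IT and carries no signature.
IDP_ENTITY = "https://fac.example.com/saml-idp/fac/metadata/"
SP_ENTITY = "https://vpn.example.com:10443/remote/saml/metadata/"
RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY}</saml:Issuer>
    <saml:Conditions NotOnOrAfter="2030-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>testuser</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>IT</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _utc(stamp):
    """Parse a SAML UTC timestamp such as 2030-01-01T00:05:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_identity(xml_text, issuer, audience, now, user_attr="username", group_attr="group"):
    """Return (username, set of groups) or raise ValueError.
    issuer/audience are the IdP and SP entity IDs; user_attr/group_attr are the
    FortiGate "Attribute used to identify users/groups" settings; now is a UTC stamp."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("assertion missing or not issued by the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or audience not in [e.text for e in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion has no conditions or was not issued for this SP")
    if _utc(now) >= _utc(cond.get("NotOnOrAfter", "")):
        raise ValueError("assertion has expired")
    attrs = {}
    for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    if not attrs.get(user_attr):
        raise ValueError(f"no {user_attr!r} attribute, user cannot be identified")
    return attrs[user_attr][0], set(attrs.get(group_attr, []))

def matches_group(groups, remote_groups=frozenset({"IT"})):
    """True when an asserted group is in the FortiGate group's Remote Groups list (IT here)."""
    return bool(groups & remote_groups)
```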

To associate SAML server with IPsec gateway interface:

Use the FortiGate CLI to bind the SAML server to the VPN gateway interface (port1) as follows:

config system interface
    edit "port1"
        set ike-saml-server "saml-fac"
    next
end

Configuring SAML on the IdP and SP is now complete. The next step is to reference this SAML configuration from the IPsec configuration. To configure IPsec, see Configuring IPsec IKEv2 on FortiGate.
