FortiGate SSLVPN SAML Integration
To be able to use SAML as an authentication method, you need to have Authentication Realms enabled and FortiOS@6.4 or above.
This document explains how to implement MonoSign with FortiGate. It covers Single Sign-On. Before you continue, it is better to start with FortiGate’s Single Sign-On implementation page.
View FortiGate SSO Metadata
In order to configure the SAML key on MonoSign for FortiGate SSO, you need to have various information provided by FortiGate. First, navigate to User & Authentication > Single Sign-On and click Create new.

You will see Service Provider Configuration like in the image below.

For now, we will stop here on the FortiGate side and create a MonoSign application and related SAML key by using the information provided by FortiGate.
Creating an Application and Access Key on MonoSign
Create your application on MonoSign and configure your access policy. Once you create, click Keys and Add New Key to create a SAML access key.

In the opened modal, choose SAML as the Key Type and switch to SAML2 Settings. Fill in the necessary fields according to the information provided by FortiGate. The fields correspond as follows.
Field | Value |
---|---|
Assertion Consumer Url | FortiGate SSO ACS URL from Service provider configuration |
Entity Id | FortiGate SSO Issuer URL from Service provider configuration |
Click Save and you will see the configuration of your access key as follows.

Configuring Single Sign-On for FortiGate
Now return to where we left off on the FortiGate Identity Source Change page mentioned in the first chapter. Fill in the Name field and click Next. Set the Type field to Custom and fill in the necessary fields according to the access key created on MonoSign. The fields correspond as follows.
Field | Value |
---|---|
Entity ID | Entity Id from the application SAML key |
Assertion consumer service URL | Sign On Service from the application SAML key |
Single logout service URL | Logout Service from the application SAML key |
Certificate | The certificate issued to the access key; it can be downloaded from the key detail page. |
Attribute used to identify users | UserName |
Attribute used to identify groups | Groups |
By clicking Submit you will create a SAML configuration.
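As an added example that is not part of the MonoSign or FortiGate documentation, the Python script below checks a SAML Response against the values entered in the table above: the IdP Entity Id, the FortiGate ACS URL and Issuer URL, and the UserName/Groups attribute names. The hostnames and paths are constructed placeholders, and the script does not verify the assertion signature.

```python
# Added example, not part of the MonoSign or FortiGate documentation: check a
# SAML Response (e.g. from a browser trace) against the FortiGate mapping above.
# Hosts/paths are placeholders; signature validation is left to FortiGate.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_assertion(xml_text, expected):
    """Return mismatches against the configured mapping; [] means it lines up."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]
    problems = []
    # Issuer must be the Entity Id of the MonoSign SAML key (IdP entity ID)
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["idp_entity_id"]:
        problems.append(f"issuer {issuer!r} != IdP entity id")
    # Destination must be the FortiGate ACS URL entered on the MonoSign key
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination != FortiGate ACS URL")
    # Audience must be the FortiGate SP entity ID (Issuer URL)
    aud = assertion.findtext(".//saml:Audience", default="", namespaces=NS)
    if aud != expected["sp_entity_id"]:
        problems.append(f"audience {aud!r} != SP entity id")
    # Attribute names must match "Attribute used to identify users/groups"
    names = {a.get("Name") for a in assertion.findall(".//saml:Attribute", NS)}
    for key in ("user_attr", "group_attr"):
        if expected[key] not in names:
            problems.append(f"attribute {expected[key]!r} missing, have {sorted(names)}")
    return problems

# Constructed sample response matching the mapping (real ones are signed).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://vpn.example.com/remote/saml/login">
 <saml:Assertion><saml:Issuer>https://monosign.example.com/saml/key-1</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://vpn.example.com/remote/saml/metadata/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="UserName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="Groups"><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

EXPECTED = {"idp_entity_id": "https://monosign.example.com/saml/key-1",
            "acs_url": "https://vpn.example.com/remote/saml/login",
            "sp_entity_id": "https://vpn.example.com/remote/saml/metadata/",
            "user_attr": "UserName", "group_attr": "Groups"}
```

A common cause of "user not found" after a successful MonoSign login is an attribute name that differs only in case from what FortiGate expects; the check reports exactly which names were received.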
Next, create a new User Group and assign the created SAML configuration to it. To do so, first make sure you have a related group on MonoSign; if you do not, create one and assign the desired users to it. Second, navigate to User & Authentication > User Groups and click Create New. The form should look as follows.

Next, create a new SSL-VPN Realm. Navigate to VPN > SSL-VPN Realms and click Create New. Enter the Name and click OK. Open the CLI Console located at the top right and execute the following commands to set the Virtual Host.
config vpn ssl web realm
edit {realm-name}
set virtual-host {virtual-host-name}
end
If you check the realms, you will see that Virtual Host is exposed in the UI as follows, so you can change it at any time on the edit page.

Next, add a new Authentication/Portal Mapping in SSL-VPN Settings. Navigate to VPN > SSL-VPN Settings and scroll down; authentication/portal mappings are located at the bottom of the page. Add a new mapping by choosing the created User Group and Realm, and click OK.

Next, create a new Firewall Policy or edit an existing one. Navigate to Policy & Objects > Firewall Policy and choose one or click Create New. Add the created User Group to Source as follows.

SSL VPN SAML Connection
To be able to connect to the VPN via SAML, you need FortiClient@6.4 or above for Windows and FortiClient@6.4.4 or above for macOS.
In order to establish a VPN connection using SAML, the SSO option must be enabled for the VPN connection. Create a new connection or edit an existing one and fill in the necessary fields according to the configuration made in chapter three. The fields correspond as follows.
Field | Value |
---|---|
Remote Gateway | Virtual host of created SSL-VPN Realm |
Port | Port number specified in SSL-VPN Settings |
Enable Single Sign On | Enabled |
Use External Browser | Enabled |
For this connection, the Connect button is replaced with SAML Login, as follows.

Clicking the SAML Login button redirects you to the MonoSign login page, where you are asked to log in. After a successful login, a message stating that the VPN connection is established is displayed; you can then close the browser window and check FortiClient.