
FortiGate SSL-VPN SAML Integration

This document explains how to integrate Monosign with FortiGate SSL-VPN for Single Sign-On over SAML. Before you continue, read FortiGate's own Single Sign-On documentation page first.

This configuration was done with FortiOS 7.4.4. If your FortiGate runs a different version, check the Fortinet documentation for that release; GUI paths and CLI options may differ.

Monofor is not responsible for the FortiGate configuration. If you need help with the FortiGate side, contact Fortinet Support Services.

📑 Instructions

This document contains four main steps for the integration.

  1. Creating an Application on Monosign

  2. Configuring Single Sign-On for FortiGate

  3. Assigning a user to the FortiGate application

  4. Sign In Test

1- Creating an Application on Monosign

Create an application on Monosign and configure its access policy. Once it is created, click "Keys" and add a new Access Key of type SAML.

The following values are needed while configuring the application.

Property | Value | Options
Key Type | SAML | Rest API, OAuth 2.0, JWT, OIDC/OpenID, SAML, RADIUS, Access Gateway, LDAP, AuthN/Z Server
Expiration | Lifetime | Lifetime or Specific Date/Time (Lifetime is enabled by default)

Configuration details for the FortiGate application are as follows.

Set the UserName Format, Assertion Consumer URL (ACS), Entity Id, Name Id, Logout URL and Extra Attributes. Replace <SSLVPN_IP_FQDN:PORT> with the address (and port, if not 443) on which the SSL-VPN realm is reachable; if you configure a virtual host for the realm later, use that host name here.

Property | Value
UserName Format | Monosign UserName
Assertion Consumer Url | https://<SSLVPN_IP_FQDN:PORT>/remote/saml/login/
Entity Id | http://<SSLVPN_IP_FQDN:PORT>/remote/saml/metadata/
Name Id | UserName
Logout URL | https://<SSLVPN_IP_FQDN:PORT>/remote/saml/logout/
Extra Attribute | Attribute: UserName, Value: {{UserName}}
Signing Algorithm | System Default (SHA 256)
Enable Group Mapping | YES
Group Mapping Attribute | Groups

Note that the Entity Id uses http:// while the ACS and Logout URLs use https://. The Entity Id is an identifier, not an address that is fetched, and it must match the entity-id configured on FortiGate character for character (scheme and trailing slash included), otherwise the Audience in the assertion will not match the FortiGate SP.

To ensure that the application has access to user groups, follow these steps:

  1. If the application has not been configured yet, click the "Edit" option for the application.

  2. In the application settings, open the "Source, Provider, and Profile" tab.

  3. Set "User Access Type" and "User Group Access Type" to "Only Assigned Users".

With this setting, the application can see the user's groups when the user signs in, and only users and groups assigned to the application are allowed in.

Property | Description | Options
User Access Type | Defines which users can access this application. | Only Assigned Users; All Users
User Group Access Type | Defines the application's user group access. | Only Assigned Users; Assigned Users and Defined Sources; All Users
Profile Access Type | Defines the application's access to user profile attributes. | Restricted (only restricted user profile attributes); All (all user profile attributes)

2- Configuring Single Sign-On for FortiGate

As highlighted at the beginning of this document, read FortiGate's SSO configuration page first.

Monofor suggests configuring SAML on FortiGate in a separate SSL-VPN realm. This way the necessary tests can be done without affecting the active VPN configuration, and the active configuration can be switched over afterwards.

FortiGate configuration contains below steps:

  1. Create SSLVPN Realm

  2. Upload Monosign IdP Certificate

  3. Create SSO Server

  4. Create Group

  5. Configure SSL-VPN Settings

  6. Configure Firewall Policy

a. Create SSL-VPN Realm

From GUI

First, enable SSL-VPN Realms on the FortiGate firewall.

Go to System > Feature Visibility and enable SSL-VPN Realms.

Then go to VPN > SSL-VPN Realms and click Create New.

Type any URL path you want. In this example, monofor is used as the URL path.

The new URL path is reachable on your firewall's SSL-VPN interface IP:

https://<SSLVPN_IP_FQDN:PORT>/monofor

If you want to use a virtual host, the change is made from the CLI with the "With virtual-host (optional)" block shown in the next section.

From CLI

The SSL-VPN realm can also be configured from the CLI.

Log in to the firewall CLI with admin rights and run the following commands.

Without virtual-host

CODE
config vpn ssl web realm
  edit monofor
  next
end

With virtual-host (optional)

CODE
config vpn ssl web realm
  edit monofor
    set virtual-host saml.monofor.com
  next
end

If a virtual host is configured, make sure to create a DNS record for it. In this guide saml.monofor.com is used as the virtual host; a record for saml.monofor.com must be created at your public DNS provider pointing to the FortiGate SSL-VPN interface address. The SSL-VPN server certificate must also be valid for that name, otherwise browsers and FortiClient will warn on connect.

b. Upload Monosign IdP Certificate

Download the Monosign IdP certificate from the Monosign application's Keys page.

Go to System > Certificates > Create/Import > Remote Certificate and import the Monosign IdP certificate.

Click Upload, choose the certificate you downloaded, then click OK.

Verify that the Monosign IdP certificate was uploaded correctly and is listed under FortiGate Certificates. The certificate name is generated automatically by FortiGate, in the format REMOTE_Cert_x.

If you want to rename the certificate, use the following CLI command (rename is issued at the table level, so no next is needed):

CODE
config vpn certificate remote
  rename REMOTE_Cert_1 to Monosign-SAML-Cert
end

Now verify under System > Certificates that the Monosign IdP certificate is uploaded and renamed correctly. The certificate shows:

Subject : C = US, O = MonoFor, CN = MonoSign

Issuer : MonoFor, Inc

c. Create SSO Server

GUI

Go to User & Authentication > Single Sign-On and click Create New.

Provide the following information:

Property | Value
Name | Monofor
Address | 192.168.1.1:443

If a virtual host is configured in the SSL-VPN realm, type the virtual host together with the port in the Address field, for example:

Property | Value
Address | saml.monofor.com:10443

Click Next.

Provide the following information. The IdP Entity ID, Assertion consumer service URL and Single logout service URL are taken from the FortiGate application's Keys page on Monosign, as explained in step 1.

Property | Value
Type | Custom
Entity ID | https://account.monofor.com/saml/3bf53a3c-2b89-4aad-924b-4eb2cfbbe4db
Assertion consumer service URL | https://account.monofor.com/saml/3bf53a3c-2b89-4aad-924b-4eb2cfbbe4db/login
Single logout service URL | https://account.monofor.com/saml/3bf53a3c-2b89-4aad-924b-4eb2cfbbe4db/logout
Certificate | REMOTE_Cert_1, or the renamed certificate, e.g. Monosign-SAML-Cert
Attribute used to identify users | UserName
Attribute used to identify groups | Groups

Click Submit to save the Single Sign-On server.

After verifying the configuration, connect to the FortiGate CLI to change the digest method. When SSO is configured through the GUI, FortiGate sets digest-method to sha1; change it to sha256:

CODE
config user saml
  edit Monofor
    set digest-method sha256
  next
end

CLI

The Single Sign-On configuration can also be done entirely with the following CLI commands (note that digest-method is set explicitly here, so no separate change is needed afterwards).

CODE
config user saml
  edit Monofor
    set entity-id http://saml.monofor.com/remote/saml/metadata/
    set single-sign-on-url https://saml.monofor.com/remote/saml/login/
    set single-logout-url https://saml.monofor.com/remote/saml/logout/
    set idp-entity-id https://account.monofor.com/saml/3daf7315-917c-4c03-a1d4-1db97ca889fd
    set idp-single-sign-on-url https://account.monofor.com/saml/3daf7315-917c-4c03-a1d4-1db97ca889fd/Login
    set idp-single-logout-url https://account.monofor.com/saml/3daf7315-917c-4c03-a1d4-1db97ca889fd/Logout
    set idp-cert Monosign-SAML-Cert
    set user-name UserName
    set group-name Groups
    set digest-method sha256
  next
end
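As an added check that is not part of the Monosign guide or of FortiOS: the Python script below parses a `config user saml` block (the one above, or the output of `show user saml`) and flags the mistakes this section warns about, in particular digest-method left at sha1 by the GUI and SP URLs that do not sit on the realm's host. The sample block is the CLI block from this guide with digest-method deliberately set to sha1 so the check reports something; the realm host argument (`saml.monofor.com:10443`) is an assumption standing in for whatever you typed in the SSO server's Address field.

```python
"""Lint a FortiGate 'config user saml' block for the pitfalls in this guide.

Added example, not part of the Monosign guide or FortiOS. Paste the output of
'show user saml' (or the block you are about to run) into lint_config().
"""
from urllib.parse import urlparse

# Constructed sample: the CLI block from this guide, with digest-method left at
# the value the GUI writes (sha1) so that the linter has something to flag.
SAMPLE_CONFIG = """\
config user saml
  edit Monofor
    set entity-id http://saml.monofor.com/remote/saml/metadata/
    set single-sign-on-url https://saml.monofor.com/remote/saml/login/
    set single-logout-url https://saml.monofor.com/remote/saml/logout/
    set idp-entity-id https://account.monofor.com/saml/3daf7315-917c-4c03-a1d4-1db97ca889fd
    set idp-single-sign-on-url https://account.monofor.com/saml/3daf7315-917c-4c03-a1d4-1db97ca889fd/Login
    set idp-single-logout-url https://account.monofor.com/saml/3daf7315-917c-4c03-a1d4-1db97ca889fd/Logout
    set idp-cert Monosign-SAML-Cert
    set user-name UserName
    set group-name Groups
    set digest-method sha1
  next
end
"""

REQUIRED = ("entity-id", "single-sign-on-url", "single-logout-url",
            "idp-entity-id", "idp-single-sign-on-url", "idp-cert", "user-name")


def parse_user_saml(text):
    """Return {server_name: {setting: value}} for each 'edit' entry.

    FortiOS may quote names and values in 'show' output, so quotes are stripped.
    """
    servers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            servers[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            servers[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return servers


def check_sp_settings(settings, realm_host):
    """Return a list of findings for one SAML server entry.

    realm_host is what the SSL-VPN realm answers on, as typed in the SSO
    server's Address field ('saml.monofor.com:10443' or '192.168.1.1:443').
    Only the host part must match the SP URLs; the port is ignored.
    """
    host = realm_host.split(":")[0].lower()
    findings = []
    for key in REQUIRED:
        if key not in settings:
            findings.append(f"missing {key}")
    # 'show' omits settings at their default; this guide says the GUI leaves
    # sha1, so an absent digest-method line is treated as sha1 (assumption).
    if settings.get("digest-method", "sha1") != "sha256":
        findings.append("digest-method is not sha256 (run: set digest-method sha256)")
    # SP (FortiGate) side: endpoints must be https and live on the realm host.
    for key in ("single-sign-on-url", "single-logout-url"):
        url = urlparse(settings.get(key, ""))
        if url.scheme != "https":
            findings.append(f"{key} must use https")
        if url.hostname != host:
            findings.append(f"{key} host {url.hostname!r} does not match realm host {host!r}")
    entity = settings.get("entity-id", "")
    if urlparse(entity).hostname != host:
        findings.append(f"entity-id host does not match realm host {host!r}")
    if not entity.endswith("/remote/saml/metadata/"):
        findings.append("entity-id should end with /remote/saml/metadata/")
    # IdP (Monosign) side: endpoints must be https.
    for key in ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url"):
        if key in settings and urlparse(settings[key]).scheme != "https":
            findings.append(f"{key} must use https")
    return findings


def lint_config(text, realm_host):
    """Map every SAML server in the block to its list of findings."""
    return {name: check_sp_settings(cfg, realm_host)
            for name, cfg in parse_user_saml(text).items()}


if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG, "saml.monofor.com:10443").items():
        print(name, "->", findings or "OK")
```

Run it against the realm host you actually use; an empty findings list for the server means the SP URLs, entity-id and digest method agree with what this guide expects, and anything else is a concrete line to fix in the CLI before testing a login.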

d. Create Group

Go to User & Authentication > User Groups and click Create New.

Give the group a name and click Add under Remote Groups.

Choose the remote server that was added in the Single Sign-On step. Under Groups, choose Specify and type the name of the user group exactly as it is named in Monosign; FortiGate matches it against the values of the Groups attribute in the assertion, so the spelling and case must agree.

e. Configure SSL-VPN

Go to VPN > SSL-VPN Settings and click Create New under Authentication/Portal Mapping.

Provide the User/Groups, Realm and Portal information:

Property | Value
User/Groups | Choose the group created in the previous step
Realm | Choose Specify and select the realm created earlier
Portal | Choose the portal access type

The new Authentication/Portal Mapping entry is now listed; click Apply.

f. Configure Firewall Policy

Go to Policy & Objects > Firewall Policy.

Select the existing SSL-VPN policy or create a new one, and add the group created in the "Create Group" step to the policy's Source. Without this, SAML users authenticate successfully but have no policy that allows their traffic.

Now go back to Monosign, give your users access and test the login.

3- Assign a user to the FortiGate SSL-VPN application

Follow the instructions below to assign a user to the FortiGate application. In this example, john.smith is assigned access to the application.

4- Sign In Test

Now try to log in.

a. Browser

Open a new browser tab and type the SSL-VPN portal address (the realm URL, for example https://<SSLVPN_IP_FQDN:PORT>/monofor, or the virtual host).

You can log in with passwordless login (Monofor Identity), a passkey, or a username and password (Login with Password).

After clicking Sign in, the user is logged in to the FortiGate SSL-VPN portal.
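While testing from the browser it is worth looking at what Monosign actually sends before trusting the setup. The following Python script is an added example, not part of the Monosign guide or of FortiOS: paste the SAMLResponse form value that the browser POSTs to /remote/saml/login/ (visible in the browser's developer tools, Network tab) and it decodes the message and reports the issuer, NameID, destination, audience, signature and digest algorithms and the UserName/Groups attributes FortiGate maps with user-name and group-name. It does not verify the XML signature (FortiGate does that with the idp-cert); it only shows whether the values line up. The embedded sample response is constructed, with placeholder signature values and SHA-1 algorithms on purpose so the check has something to flag.

```python
"""Inspect a captured SAMLResponse from a FortiGate SSL-VPN SAML login test.

Added example, not part of the Monosign guide or FortiOS. Pass the base64
SAMLResponse value the browser POSTs to /remote/saml/login/ to
inspect_response(). The XML signature is not verified here.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape an IdP POSTs to the realm's ACS URL. The
# signature and digest values are placeholders, and the algorithms are SHA-1
# on purpose so that the check has something to flag.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-07-04T14:27:56Z" Destination="https://saml.monofor.com/remote/saml/login/">
 <saml:Issuer>https://account.monofor.com/saml/3daf7315-917c-4c03-a1d4-1db97ca889fd</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-07-04T14:27:56Z">
  <saml:Issuer>https://account.monofor.com/saml/3daf7315-917c-4c03-a1d4-1db97ca889fd</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>john.smith</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>http://saml.monofor.com/remote/saml/metadata/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="UserName"><saml:AttributeValue>john.smith</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="Groups"><saml:AttributeValue>VPN-Users</saml:AttributeValue>
    <saml:AttributeValue>IT</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_response(saml_response_b64, expected_acs, expected_sp_entity_id,
                     user_attr="UserName", group_attr="Groups"):
    """Decode a SAMLResponse and return its key fields plus a list of findings."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []

    # Destination must be the realm's ACS URL configured in Monosign.
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL {expected_acs!r}")

    # Audience must equal the FortiGate entity-id, scheme and trailing slash included.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_sp_entity_id not in audiences:
        findings.append(f"Audience {audiences} does not contain SP entity-id {expected_sp_entity_id!r}")

    # Signature and digest algorithms: Monosign should be on SHA 256.
    sig_algs = [s.get("Algorithm") for s in root.iterfind(".//ds:SignatureMethod", NS)]
    digest_algs = [d.get("Algorithm") for d in root.iterfind(".//ds:DigestMethod", NS)]
    if not sig_algs:
        findings.append("no XML signature present")
    for alg in sig_algs + digest_algs:
        if alg.endswith("sha1"):
            findings.append(f"weak algorithm {alg}; Monosign signing algorithm should be SHA 256")

    # Attributes FortiGate maps with user-name / group-name (multi-valued groups).
    attributes = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    if user_attr not in attributes:
        findings.append(f"user attribute {user_attr!r} missing (FortiGate user-name)")
    if group_attr not in attributes:
        findings.append(f"group attribute {group_attr!r} missing (FortiGate group-name)")

    issuer = root.find("saml:Issuer", NS)
    name_id = root.find(".//saml:NameID", NS)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "destination": root.get("Destination"),
        "audiences": audiences,
        "signature_algorithms": sig_algs,
        "digest_algorithms": digest_algs,
        "attributes": attributes,
        "findings": findings,
    }


if __name__ == "__main__":
    report = inspect_response(SAMPLE_SAMLRESPONSE,
                              "https://saml.monofor.com/remote/saml/login/",
                              "http://saml.monofor.com/remote/saml/metadata/")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The issuer reported must equal the idp-entity-id on FortiGate, the Groups values must match the names typed under Specify in the user group, and an empty findings list means the message agrees with the SP configuration; a login that still fails after that usually points at the firewall policy or portal mapping rather than at SAML.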

b. FortiClient

Open FortiClient and click the three-line menu.

Enter the following information in FortiClient, then click Save.

Property | Value
Connection Name | Name of the connection
Remote Gateway | Virtual host or SSL-VPN address with realm, e.g. 192.168.1.1:443/monofor or saml.monofor.com
Customize Port (optional) | Set if a port other than 443 is used
Enable Single Sign On (SSO) for VPN Tunnel | Required
Use external browser as user-agent for SAML user authentication (optional) | Optional

Now test by clicking SAML Login in FortiClient.

An in-place browser opens to log in to Monosign.

You can log in with passwordless login (Monofor Identity), a passkey, or a username and password (Login with Password).

Click Sign in and FortiClient connects your device to the SSL-VPN.
