EN 
06.10.2024 Hanuš WELCOME IN MY WORLD

This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Tento článek si můžete zobrazit v originální české verzi. You can view this article in the original Czech version.
FortiGate přihlášení do SSL VPN pomocí SAML SSO vůči Azure AD

FortiGate SSL VPN login using SAML SSO against Azure AD

Edited 04.06.2022 17:15 | created | Petr Bouška - Samuraj |
FortiGate supports the SAML protocol, which can be used to authenticate users to a remote server (similar to how we use LDAP or RADIUS). We can use such authenticated users in different places. Here we will focus on SSL VPN and use Microsoft Azure AD as Identity Provider (identity source - external authentication server). These can be On-Premises AD DS domain users that we sync to Azure AD Tenant (or pure cloud accounts). Authentication against Azure AD allows us to leverage cloud security. For example, Multi-Factor Authentication (MFA) and Conditional Access in general.
displayed: 9 810x (9 709 CZ, 101 EN) | Comments [9]

Note: The description in the article is based on FortiGate FG-300E with FortiOS version 6.4.6. It is configured as an FGCP cluster and uses VDOM. Supplemented with a few new features from FortiOS 7.0.5.

The configuration consists of setting up Azure AD, which means creating an Enterprise Application. And in FortiGate settings, where we create a SAML server, define groups and create or modify the SSL VPN configuration. Here we'll assume that we have SSL VPN set up (we discussed this in detail in previous articles) and we'll be creating a new SSL VPN Realm. So we'll keep the VPN with the original authentication and add a new connection where SAML SSO against Azure AD will be performed.

I first tried this setup on FortiOS 6.2.9, but it didn't work at all. The SAML debug was empty for all attempts. When I upgraded to FortiOS 6.4.6, everything started working right away. Useful new features were introduced with a further upgrade to FortiOS 7.0.5.

Some mentions state that full SAML support is in FortiClient from version 6.4.0. I primarily tested with FortiClient VPN 7.0.0.

Documentation

A number of things were described in the previous article.

Microsoft has a nice article, but it doesn't address all the details for FortiGate.

If we didn't want to use SAML, there's also the option of a plugin for the RADIUS server (Microsoft NPS).

Fortinet official documentation.

Some guides from the internet.

Configuration videos on YouTube

Azure AD Configuration

The configuration is quite well described in the Microsoft article Tutorial: Azure Active Directory single sign-on (SSO) integration with FortiGate SSL VPN. Moreover, this part is very similar to the description in the previous article FortiGate Admin HTTPS login using SAML SSO against Azure AD.

Creating an Enterprise application from the gallery

  • Azure Active Directory admin center - Enterprise applications
  • New application - we create a new application
  • in the gallery, we search for the application FortiGate SSL VPN and click on it
  • we enter a name (we can leave the original) and click on Create
Azure AD - vytvoření gallery Enterprise application

Assigning users

  • under Manage we click on Users and groups
  • we add Azure AD users or groups who will be able to log into this application (and thus into SSL VPN)

On FortiGate, we can include all users in one group and treat them the same. Or use groups in Azure AD, pass this information to FortiGate and create corresponding groups based on it.

When using groups, we need to know their Object Id. After adding a group, we click on it and copy the ID.

Azure AD - Enterprise application - přiřazení skupin uživatelů

Setting up SAML SSO

  • under Manage we click on Single sign-on
  • as the SSO method we select SAML

We set up individual parts of the configuration by clicking on Edit.

1 Basic SAML Configuration

We create a new FQDN which we'll use for the SSL VPN Realm as a Virtual Host. We direct this DNS record to the public IP address where FortiGate listens for SSL VPN. In the examples, we'll use vpn-sso.company.com. We'll use this hostname in the paths below. Where possible, Default must be checked.

  • Identifier (Entity ID): https://vpn-sso.company.com/remote/saml/metadata
  • Reply URL (Assertion Consumer Service URL): https://vpn-sso.company.com/remote/saml/login
  • Sign on URL: https://vpn-sso.company.com/remote/saml/login
  • Logout Url: https://vpn-sso.company.com/remote/saml/logout

2 User Attributes & Claims

  • we add a new Add new claim, name username and for the value Source attribute we select user.userprincipalname
  • we edit the existing claim with the value user.groups and enter the name group

3 SAML Signing Certificate

  • we download and save the certificate Certificate (Base64)

4 Set up FortiGate SSL VPN (the application name is used here)

  • we'll need the values from here for setting up on FortiGate
  • these are Azure AD SAML addresses
Azure AD - Enterprise application - nastavení SAML SSO

FortiGate Configuration

Uploading the certificate

  • (Global/VDOM) > System > Certificates - Import - Remote Certificate

We upload the certificate that we downloaded from Azure AD. It gets an automatic name, which we can optionally change in the CLI.

FW (global) # config certificate remote 
FW (remote) # rename REMOTE_Cert_1 to Azure_SSO_VPN

Creating a SAML server record for the Azure AD application

We're setting up the connection to Azure AD. It's the same as configuring an LDAP or RADIUS server (but we must do it in CLI, in FortiOS 7.0 it can also be done in GUI). We need various details from the previous steps, which we'll use in individual parameters. The values must exactly match the data in Azure AD. We name the record in some way (here Azure.AD) and we'll use the name when creating groups.

config user saml
    edit "Azure.AD"
        set entity-id "https://vpn-sso.company.com/remote/saml/metadata"
        set single-sign-on-url "https://vpn-sso.company.com/remote/saml/login"
        set single-logout-url "https://vpn-sso.company.com/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/bb9528c8-3d14-4888-91fd-baeeb2XXXXXX/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/bb9528c8-3d14-4888-91fd-baeeb2XXXXXX/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/bb9528c8-3d14-4888-91fd-baeeb2XXXXXX/saml2"
        set idp-cert "Azure_SSO_VPN"
        set user-name "username"
        set group-name "group"
    next
end

Set values

  • the first three values are FortiGate addresses (we entered them in the Azure AD application under Single sign-on step 1)
  • the next three values Identity Provider (IdP) we copy from the Azure AD application Single sign-on step 4
  • followed by the name of the certificate that we uploaded to FortiGate (Single sign-on step 3)
  • the last two values correspond to the claim naming from the Azure AD application Single sign-on step 2

Optionally, we can also set a certificate that FortiGate will use when connecting to Azure AD.

        set cert "Fortinet_Factory"

Creating user groups mapped to groups from Azure AD

We must create groups in CLI. After creation, the group is displayed in GUI, but it doesn't show members.

We enter the corresponding group name and set the defined SAML server, which we created in the previous step, as members. If one group is enough for us, that's all. All users who authenticate within the Azure AD application will be members of this group.

When we want to create multiple groups corresponding to groups in Azure AD, we define a rule where we enter the Object Id of the group in Azure AD as the Group Name.

config user group
    edit "G VPN VIP Azure"
        set member "Azure.AD"
        config match
            edit 1
                set server-name "Azure.AD"
                set group-name "46a6ad2e-b977-4428-baa2-ff19e6fXXXXX"
            next
        end
    next
end

Note: If we want to add the option to log in (or switch to it) via Azure AD to an existing SSL VPN, it's easiest to add SAML users (and possibly the appropriate filter) to an existing group. We don't have to modify the SSL VPN settings and policies and everything works right away. The disadvantage is that we can't tell where users authenticated (if we have LDAP and SAML in the group, for example, we'll only see the group name). If we create a new group for the new authentication method, we can distinguish the authentication method by its name.

Creating a new SSL VPN Realm

We can use only the default (root) VPN Realm, then we don't need to worry. Here we'll create a special VPN Realm (URL address) for logging in using Azure AD.

  • (VDOM) > VPN > SSL-VPN Realms

We can create our own VPN Realm in the GUI (we must have this feature displayed - Feature Visibility). We enter its name (here sso) and we can modify the login screen for the web (for example, change the name for easier identification). Then we must go to the CLI and set the Hostname (Virtual Host).

config vpn ssl web realm
    edit "sso"
        set virtual-host "vpn-sso.company.com"
    next
end

SSL VPN Settings - Assigning Realm and Groups

  • (VDOM) > VPN > SSL-VPN Settings

In Authentication/Portal Mapping, we create a new assignment of the group that contains users from Azure AD, the VPN Realm we created in the previous step, and the prepared VPN Portal (which determines specific properties of the VPN connection).

Modifying Firewall Policy - Policies for VPN Client Communication

  • (VDOM) > Policy & Objects > Firewall Policy

To the existing policy for VPN client communication, we add the user group that contains users from Azure AD. Alternatively, we create a new policy. The policy must have the incoming interface set to SSL-VPN Tunnel Interface and we specify user groups and address ranges as the source. Until a user (group) is part of the appropriate policy, they cannot log in to the VPN.

Setting Login Timeout

When we use SAML Login in FortiClient, a login dialog from the external system (Azure AD) opens. By default, there's a 10-second timeout set. Many people can't enter their login credentials in that time, so it's necessary to increase this value.

config system global
   set remoteauthtimeout 60
end

Debug SSL VPN and SAML

To troubleshoot issues, it's best to enable debug mode for a specific area in the CLI. The basic one is debugging the SAML protocol itself.

diagnose debug application samld -1

We can add SSL VPN debugging to that.

diagnose debug application sslvpn -1

Optionally, we can also debug Remote user authentication (fnbamd is Fortinet non-blocking authentication daemon). This displays messages from all remote authentication methods (there are usually many).

diagnose debug application fnbamd -1 

We can enable time display for individual records and turn on debug overall.

diagnose debug console timestamp enable
diagnose debug enable

To turn off debug mode, we can use:

diagnose debug disable
diagnose debug reset

Logging into SSL VPN using SAML SSO

Web Interface

If we have only the SAML authentication method defined on the given SSL VPN Realm (assigned groups mapped to SAML), then after opening the page, it automatically redirects to SAML login. If we have groups from different authentication methods, a login dialog is displayed with an added Single Sign-On button.

FortiGate SAML SSO přihlašovací dialog do web VPN

FortiClient VPN

We create the connection in FortiClient by entering the address we defined for the VPN Realm (Remote Gateway), and check Enable Single Sign On (SSO) for VPN Tunnel.

FortiClient nastavení SAML SSO připojení

When connecting, no username and password are entered, but there's a SAML Login button that initiates remote authentication with Microsoft.

FortiClient SAML login připojení

It's important to note that for authentication, it doesn't open a browser installed in the OS, but an integrated browser in FortiClient. This identifies itself to Azure AD as Chrome 69.0.3497 (the same for Windows, Linux, and macOS).

FortiClient - SAML Microsoft přihlašování FortiClient - SAML Microsoft MFA schválení přihlášení

Using Multi-Factor Authentication (MFA) with Conditional Access

One of the reasons for setting up VPN user authentication against Azure AD might be an effort to increase login security. Today, multi-factor authentication is increasingly required. We can solve this directly on FortiGate, as described in FortiGate two-factor authentication using OTP. But Azure AD offers more options.

We can have MFA (Multi-Factor Authentication) in Azure AD turned on for everything or control it using Conditional Access policies and enable it only for specific applications. General information can be found in the article Azure AD passwordless login and multi-factor authentication (MFA).

A good option is to create a Conditional Access policy that requires MFA (Require multi-factor authentication). Set this for our Enterprise application, which we've named FortiGate SSL VPN here. A more detailed procedure is provided in Azure AD Conditional Access.

Identifying Company Devices When Accessing VPN

I think it's a legitimate requirement (some standards require that we can only allow managed devices into the internal network) when we want to allow connection to (a certain type of) VPN only from company or approved computers. But how to identify them during connection?

Client-side Checks

One option could be to perform certain checks on the client (Host Check). However, for this, we need the paid version of FortiClient (not supported in the free version FortiClient VPN 6.2 and newer).

According to information, it has been added back to the free version FortiClient VPN 7.0.3 - FortiGate-powered host check for free VPN client.

Computer Certificate Authentication

Another option is to issue a certificate to the given computers. The VPN connection is set to require it. In FortiClient, the certificate is selected and used at the beginning of the connection (followed by standard login with username and password).

However, the problem arises when we want to use SAML. As soon as we check Enable Single Sign On (SSO) for VPN Tunnel in FortiClient, the option to select a Client Certificate disappears. I tried to set everything through an XML configuration file, but FortiClient doesn't use the certificate when connecting to FortiGate.

FortiClient nastavení připojení - ověření certifikátu

Conditional Access and Azure AD Joined or Compliant Devices

I've newly described this area in the article FortiGate SSL VPN login using SAML SSO against Azure AD.

Using the features of Azure AD seems the best to me. In the Conditional Access policy, we can allow access only from certain devices (Compliant Device Requirement).

There are two main options:

  • Require Hybrid Azure AD joined device
  • Require device to be marked as compliant

During login, device authentication (Device Authentication) also occurs, and the entire authentication passes if the user is successfully authenticated and the given conditions are met. In the policy, we can set that for logging into FortiGate SSL VPN, a device joined to the domain is required (Hybrid Azure AD Join). If we use Microsoft Edge and log into the web SSL VPN, we connect from a domain-joined device. If it's not in the domain, we get information and can't connect.

Update. If we have new versions of both FortiOS and FortiClient, this is indeed the best option. I've been adding information below and now have practical experience. For authentication, we use an external (default) browser. Edge, Chrome, and Firefox are supported (all on Windows, according to documentation something should work on macOS too, but I haven't got that working yet). In the Conditional Access policy, we allow access only from Hybrid Azure AD joined devices (requiring compliant devices through Intune would probably work the same). During login, Device Authentication occurs, and only if it passes, we are logged in. It might be useful to adjust the Session - Sign-in frequency item in the Conditional Access policy to a reasonable value (several hours). Because otherwise, in most cases, automatic login (SSO) occurs for many days. This might not be entirely safe for VPN (if we don't have super-secured computers and logins to them).

The problem arises when we try to connect using FortiClient. Even if we're connecting from the correct device, we can't connect. We get information that our browser is not supported.

FortiClient jako nepodporovaný prohlížeč pro Azure Device Identificati

Detecting device-specific details (Device-Specific Details) requires device authentication (Device Authentication). This is supported only on certain combinations of operating system and browser Supported browsers. On Windows 10, Microsoft Edge is supported (the user must be logged in), Internet Explorer and Google Chrome after installing the Windows 10 Accounts extension.

Updated - support has also been added to Firefox from version 91. It must first be enabled in the Privacy & Security settings - Allow Windows single sign-on ... (Windows SSO).

The problem is that FortiClient uses an integrated browser that does not support device information retrieval. Therefore, we cannot use these restrictions in Azure AD.

Updated 27.8.2021 - FortiClient SAML authentication in an external browser

I found out that FortiClient 7.0.1 added an option (checkbox in the VPN connection configuration) Use external browser as user-agent for saml user authentication. This is available if we enable Enable Single Sign On (SSO) for VPN Tunnel. Alternatively, it can be set in the XML configuration

<use_external_browser>1</use_external_browser>
FortiClient 7.0.1 nastavení SAML a externí prohlížeč

I found a nice description in the article Using a browser as an external user-agent for SAML authentication in an SSL VPN connection. Unfortunately, configuration on FortiGate is also required, which is available only from FortiOS 7.0.1.

config vpn ssl settings
    set saml-redirect-port 8020
end

So I haven't practically tested it. If FortiClient 7.0.1 is set, no change occurs and the integrated browser still opens.

Updated 4.4.2022 - I upgraded to FortiOS 7.0.5 (which has a number of issues) and tested that using the default browser really works. FortiClient opens the address https://127.0.0.1:8020 in the browser (according to the defined port on FortiGate).

Author:

Related articles:

Fortinet FortiGate and more

Fortinet security solutions. Mostly focused on the Next Generation Firewall (NGFW) FortiGate. Configuration of FW, policies, NAT, but also VPN and authentication options. Marginally working with logs using FortiAnalyzer and with clients using FortiClient EMS.

Azure, Microsoft 365, Office 365, Cloud

Various popular topics regarding the public cloud. More focused on Microsoft services, i.e. IaaS, PaaS, SaaS Azure, Entra ID directory services (formerly Azure AD) and hosted Microsoft 365 / Office 365 services.

If you want write something about this article use comments.

Comments
  1. [1] Samuraj

    Kvůli testům jsem zkusil Host Check a FortiClient VPN 7.0.1 (a SAML autetnizaci), kde by tedy neměl fungovat a neměl bych se připojit do VPN. K mému překvapení jsem se bez problémů připojil. Zkusil jsem hledat a v mnoha verzích FortiClient je uveden bug 709001 SSL VPN host check validation does not work for SAML user.

    Zkusil jsem jinou autentizaci a nepřipojil jsem se. Ale přijde mi, že bug ve FortiClient by neměl obejít kontrolu na FortiOS. Navíc ve FortiClient 7.0.1 mělo být opraveno. Tak nevím.

    Friday, 13.08.2021 13:07 | answer
  2. [2] adriano33030

    Skúsil som to na FortiGate 61E - 6.4.6 + FortiClient 6.4.1 a funguje to až prekvapivo dobre. Ďakujem za super článok ;-)

    Mám otázku: dajú sa vo firewalle aplikovať pravidla podľa užívateľov?

    Teraz môžem pracovať len so skupinami

    Wednesday, 20.10.2021 13:08 | answer
  3. [3] Bárt

    Nefunguje připojení z FortiClienta 7.0.7 při aktivní kontrole host-check (known issue #727695).

    Wednesday, 21.09.2022 08:56 | answer
  4. [4] Tomas

    "Když chceme vytvořit více skupin, odpovídajících skupinám v Azure AD, tak definujeme pravidlo, kde jako Group Name zadáme Object Id skupiny v Azure AD" - mozte mi to prosim niekto vysvetlit? Lebo ked pridam dalsiu skupinu tak mam chybu "SAML group mismatch". Uzivatelia s prvej funguju ale z druhej skupiny nie.

    Saturday, 30.09.2023 22:46 | answer
  5. [5] Samuraj

    respond to [4]Tomas: Když to nastavíte správně, jak je uvedeno v popisu, tak to funguje. Předáváte správně atribut skupiny? Případně jestli jsou skupiny správně definovány na obou stranách.

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Azure-SAML-group-mismatch-getting-error-remote/ta-p/204991

    Tuesday, 03.10.2023 14:38 | answer
  6. [6] Tomas

    Dobry den,

    omylom som dal rovnake Object ID. Uz to funguje. Dakujem za pomoc ;-)

    Friday, 20.10.2023 22:51 | answer
  7. [7] Dominik

    Ahoj, diky za super navod, vse funguje perfektne, akorat mam problem, pri prihlaseni pres saml to napise invalid certificate a musim dat continue unsafe, v ssl settings mam certifikat fortinet_factory, je potreba si vygenerovat lets encrypt? Bohuzel mame jen jednu public ip a na ni je mail server. Setkal jste se s timto problemem? Dekuji

    Tuesday, 19.03.2024 10:38 | answer
  8. [8] Martin57

    Super clanek, stale aktualni, diky. Funguje to 99% OK, momentalne resim to 1% :))) jednoho uzivatele (forticlient v.7.4.0.1658), ktery ma problem, v SAML response AD posila misto jednotlivych skupin proste "groups.link" (s odkazem na microsoft graph)...

    Nasel jsem

    Notes:

    If the number of groups the user is in goes over a limit (150 for SAML, 200 for JWT) then an overage claim will be added the claim sources pointing at the Graph endpoint containing the list of groups for the user.

    zdroj: (https://learn.microsoft.com/en-us/entra/identity-platform/reference-saml-tokens)

    ale muj uzivatel zda se nepresahuje 150 skupin... takze resim dal...

    Friday, 27.09.2024 17:53 | answer
  9. [9] Samuraj

    respond to [8]Martin57: Toto je zajímavá informace a možná jsem narazil na to samé. Používáme spoustu on-prem skupin a někteří uživatelé jsou členem třeba 80. Řešil jsem již problémy s Kerberos SSO www.samuraj-cz.com/clanek/kerberos-autentizace-a-clenstvi-ve-skupinach/.

    Replikaci do Entra ID jsme dělali postupně. Až jsme si řekli, že tam dáme vše a v tu chvíli přestalo několika lidem fungovat přihlášení do VPN. Napadla mne hned souvislost s počtem skupin, tak jsem nedůležité vyřadil z replikace a přihlášení zase fungovalo.

    Dále jsem nepátral. A řekl bych, že 150 skupin jsme nedosáhli. Ale s počtem skupin to bude souviset.

    Friday, 04.10.2024 09:29 | answer
Add comment

Insert tag: strong em link

Insert Smiley: :-) ;-) :-( :-O

Help:
  • maximum length of comment is 2000 characters
  • HTML tags are not allowed (they will be removed), you can use only the special tags listed above the input field
  • new line (ENTER) ends paragraph and start new one
  • when you respond to a comment, put the original comment number in squar brackets at the beginning of the paragraph (line)