Fortinet/FortiGate VPN IPSec through SAML

Overview

In this guide, we demonstrate the FortiGate integration with the RCDevs Identity Provider through SAML.

The flow typically works as follows:

  1. The client initiates an IPSec VPN connection to the FortiGate.
  2. FortiGate triggers SAML authentication (via a configured SAML SSO profile) and redirects the client (browser or embedded) to the IdP login/consent page.
  3. The IdP authenticates the user (and optionally performs MFA, group/role checks) and issues a SAML assertion containing user attributes.
  4. FortiGate receives the SAML assertion, validates it, maps incoming user/group attributes to FortiGate user groups and grants VPN access.
  5. The IPSec tunnel is established with user identity and optionally group policy enforced.

This integration enables you to leverage your centralized RCDevs IdP for user authentication, group membership and policies, rather than managing local accounts on the FortiGate. It also supports granular access control based on IdP groups. SAML-based authentication for FortiClient remote access dial-up IPSec VPN clients is supported in FortiOS version 7.6.4 (and earlier 7.2+ releases) with FortiClient version 7.2+.
Refer to Fortinet documentation for extensive details.

This integration requires WebADM/OpenOTP server(s) to be running and the RCDevs Identity Provider to be configured.

SAML-IdP configuration on Fortigate

Refer to the following FortiGate documentation to set up a SAML Identity Provider.

The required information for your RCDevs Identity Provider can be obtained from your SAML metadata page, typically at:

https://sso.rcdevsdocs.com/ws/saml/

This page provides an output similar to the following:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sso.rcdevsdocs.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
MIIGfzCCBGegAwIBAgIRAM9/TyvDiZAahDgzYkWGRdIwDQYJKoZIhvcNAQELBQAwUjEXMBUGA1UEAwwOUkNEZXZzIERvY3MgQ0ExCzAJBgNVBAsMAkNBMR0wGwYDVQQKDBRSQ0RldnMgRG9jdW1lbnRhdGlvbjELMAkGA1UEBhMCTFUwHhcNMjQwNzE1MTM0OTA3WhcNMzQwNzEzMTM0OTA3WjBgMRswGQYDVQQDDBJXZWJBRE0gQ2VydGlmaWNhdGUxDzANBgNVBA0MBlNFUlZFUjEXMBUGA1UECgwOUkNEZXZzIFN1cHBvcnQxFzAVBgNVBGEMDlZBVExVLTAwMDAwMDAwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1w3PR1Q+78jdD12g4Di3ljcthoZwvpQuwmuOm/+fBthQjrHR1UIY3HDkulCOYpBRiNNj6ED49eyF9jIeO/zVO5QXnzX4gmasZPd06ZYAD8pkDc7fnnxZD4aSHDKQcF1xwUnHESUCPzWR1Wy3t6ifwl85uRuC+QlskMv4t82LqeMQeSBdeBqNpADm9Hmg8AO5BK4Oz/NNooB46P5RYDEerY1D/qOfLkuzEDr2C2Z1rGvtG7+7EpaS+b9Ipnz/fT71QACPxJym98YWEp/1Fb/clC6QLKQuQ+AzheTVZyyeOhOYFxsoGEu+wDFAERXWWAr5sPnayDJiZdXbH+712ri35y9oFWOxZC1diATOS/MRc05bAzgAbyiQe1PrhDfwRiL4YF0EtLvuZJGBH031DZS3THdYSeONDhsImbNYFYLPpzRqb5iXssN+KBPAdCfYJ2IMfjAV4li0s1WSC40iZ5MAkwovE0HD++DVO2HHBJ9hYl6aqa35lGm/QSjkUYvw2xX3kvc3utPQcqUkYDWzF7tLIMpTzO6FtD1pR/FR6DKkqmx9NhLMdIi9eNGK4MG+MgKwCXhE1I6aJxVoRCbAihb0wgnR+Y38P4bJUYzvDCC4upE3DLc+ct5VJ/rtCo9UDyVQGsLDD9cDoywdr6feM/Pou+LpccVNAHul1FJ9CPKxyVECAwEAAaOCAUAwggE8MAsGA1UdDwQEAwIF4DATBgNVHSUEDDAKBggrBgEFBQcDATCBygYIKwYBBQUHAQEEgb0wgbowJgYIKwYBBQUHMAGGGmh0dHA6Ly8xOTIuMTY4LjQuMTYwL29jc3AvMCYGCCsGAQUFBzABhhpodHRwOi8vMTkyLjE2OC40LjE2MS9vY3NwLzAzBggrBgEFBQcwAoYnaHR0cDovLzE5Mi4xNjguNC4xNjAvY2FjZXJ0Lz9mb3JtYXQ9ZGVyMDMGCCsGAQUFBzAChidodHRwOi8vMTkyLjE2OC40LjE2MS9jYWNlcnQvP2Zvcm1hdD1kZXIwSwYDVR0fBEQwQjAfoB2gG4YZaHR0cDovLzE5Mi4xNjguNC4xNjAvY3JsLzAfoB2gG4YZaHR0cDovLzE5Mi4xNjguNC4xNjEvY3JsLzANBgkqhkiG9w0BAQsFAAOCAgEACy/zl7IPSaOn2wEZ66xQNxm9FW408jMrQS2Y6hFvfzRMNhbOh+ZwNFSgCijUJ4ASZVQeZIiYN8f/quH80Y7AJE3kcTpXvJE2LozDbUMsXe0GpkNuzDojbp3K2ZcgUitL0q/rDHPBXXExl1AEhPgpwN1I7ZyHPfZpU92XxcsoSrUi8AMmzoVwlna30RMkkCDDBsf+an1uxdrdwMQLeQddOFddAUI80NWvh0drnv1epkT34K+RpvEAU514a3suErDMIqp+h7BqTdPrdiRkIhTutgSsPquhGIDzv+WvGBzFGWPAfudQHE5jMn3lPgN3r75HrdNfMkVEv0jclpp3VhiUnwQzNQn2UzVe7LQh8ixjEg1kwtIQ8UuwX6LOZ7a51WuKkRfS1iw1yDCM1UmGNuoMGqI6bxwFbBZ1C3brgJKjXBciEpXrSpcJ+ulhDYYUrCmGnpg6xyJ6veWf
T2tVExLcffv4edT0KCJuKsyTztLFtT9A9ihyV/lPBsVUtIipe2CaCXupP84812s0cgo6XkcAr99pvtPNLZg9aBLuVt7GmyJSQeLJ6z+QWlkKnsEh7HlSrV2RC/wsTYlTeTRZFmiNa1RGx4UsNyTf9Igp+EG4Nh/UBhGO1Jkn1dIRZyb/qgcF/DWCSdbwFIKxuaKA12KFJMFS4aMV1e0QLDhLfpZ1/10=
          </X509Certificate>
          <!-- Cert Fingerprint (SHA1): 32774463a2e892150f46852b3fdcac7f5be924dc -->
          <!-- Cert Fingerprint (SHA256): e0bd10584f5c3a554e279b9241619e8fdf9c3bfbe95c90da939f0342546e52ac -->
          <!-- Cert Fingerprint (MD5): 639ed5b4241047c8382f897fc459a714 -->
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.rcdevsdocs.com/openid/index.php"/>
  </IDPSSODescriptor>
</EntityDescriptor>

Based on this information, the SAML settings in the FortiGate configuration are:

  • Entity ID: https://sso.rcdevsdocs.com
  • Assertion consumer service (ACS) URL: https://192.168.4.253/remote/saml/login/ (IP address of the FortiGate; a DNS name is also possible)
  • Single logout service URL: https://sso.rcdevsdocs.com/openid/index.php
  • SAML Signing Certificate: the RCDevs Identity Provider certificate can be retrieved in PEM format from WebADM GUI > Applications tab > Categories > OpenID & SAML Provider > CONFIGURE > Server Certificate
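The settings listed above are all derived from the IdP metadata document. As an added example (not RCDevs or Fortinet code), the script below parses metadata in that format, pulls out the entity ID, the HTTP-Redirect SSO/SLO endpoints and the signing certificate, wraps the certificate in PEM for the FortiGate import and computes the fingerprints you can compare against the comments in the metadata. The embedded metadata is a constructed sample whose certificate body is a 16-byte placeholder, not a real certificate.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like the metadata above; the certificate body is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.rcdevsdocs.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>AAECAwQFBgcICQoLDA0ODw==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.rcdevsdocs.com/openid/index.php"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.rcdevsdocs.com/openid/index.php"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def fortigate_settings(metadata_xml):
    """Return the values the FortiGate SAML IdP settings ask for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                    "ds:X509Data/ds:X509Certificate", NS)
    b64 = "".join(cert.text.split())          # drop line breaks inside the base64 body
    der = base64.b64decode(b64, validate=True)

    def location(service):                    # endpoint of a service, HTTP-Redirect binding
        el = idp.find(f"md:{service}[@Binding='{REDIRECT}']", NS)
        return None if el is None else el.get("Location")

    return {
        "idp_entity_id": root.get("entityID"),
        "idp_sso_url": location("SingleSignOnService"),
        "idp_slo_url": location("SingleLogoutService"),
        # PEM form for the "SAML Signing Certificate" import on the FortiGate
        "idp_cert_pem": "-----BEGIN CERTIFICATE-----\n"
                        + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n",
        # compare with the fingerprints in the metadata comments before trusting the cert
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }
```

Run it against the real metadata fetched from your IdP and check that the SHA-256 fingerprint equals the one shown in the metadata comment before importing the PEM.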

Refer to the following Fortinet resources: 1 and 2

Fortigate Configuration on the IdP

The FortiGate configuration on the RCDevs IdP involves creating a client policy and setting the required parameters for the SP.
Additionally, we must return the group values expected by FortiGate to correctly map roles after the user is authenticated and redirected.

Client policies

Let's create a Client Policy for FortiGate. Log in to the WebADM Administrator portal, click on the Admin tab, click on Client Policies and then on the Add Client button. Name your client policy and optionally provide a description.

Click on the Proceed and Create Object buttons.

You are now entering the policy configurator. Configure the Default Domain, a Friendly Name (optional), and set the Client Name Aliases to the Entity ID URL configured on your FortiGate,
e.g. https://<your_fortigate_domain_or_ip>:<port>/remote/saml/metadata/.

Scroll down to Default Application Settings, tick the Enforced Settings checkbox and click the Edit button. In the Applications box, select OpenID & SAML Provider and configure it as follows:

The username and group name attributes configured on the FortiGate entry must exactly match the username and group attributes returned by the RCDevs IdP. If the FortiGate groups do not correspond to the LDAP groups returned for the user account, you can hardcode the expected values in the Returned Attributes setting as shown below:

(Optional) Configure the Assertion Consumer Service URL, which can be retrieved from the FortiGate SSO configuration.

Once these settings are configured, you can configure the authentication settings from the Applications box > MFA Authentication Server.

Configure the desired settings, then click the Apply buttons to save the settings and the policy.

Configuration is complete. Try a login from your VPN client; you should be redirected to your Identity Provider login page.
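If the login succeeds at the IdP but the FortiGate still refuses the user or puts them in no group, the usual cause is the attribute mismatch described in the client policy section: the username and group attribute names on the FortiGate entry must match the names the IdP returns exactly, and at least one returned group value must equal a FortiGate group name. The following added example (not RCDevs or Fortinet code) reads the AttributeStatement of an assertion and reports such mismatches, including values that differ only in case. The FortiGate attribute and group names and the assertion are constructed, hypothetical samples.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: attribute names and group names as configured on the FortiGate
# SAML user entry (hypothetical values; use the ones from your own configuration).
FORTIGATE = {"user_name": "username", "group_name": "group",
             "groups": {"vpn-users", "vpn-admins"}}

# Constructed: the AttributeStatement of an assertion as an IdP might return it
# (signature, subject and conditions omitted; only the attributes matter here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    return attrs

def check_mapping(attrs, cfg):
    """Return the reasons the FortiGate could not map the user or a group; empty means OK."""
    problems = []
    if cfg["user_name"] not in attrs:
        problems.append(f"username attribute '{cfg['user_name']}' not returned (got {sorted(attrs)})")
    groups = attrs.get(cfg["group_name"])
    if groups is None:
        # names are matched exactly, so point out a returned name that differs only in case
        near = [n for n in attrs if n.lower() == cfg["group_name"].lower()]
        problems.append(f"group attribute '{cfg['group_name']}' not returned"
                        + (f"; IdP returned '{near[0]}' instead (case differs)" if near else ""))
    elif not cfg["groups"] & set(groups):
        near = [g for g in groups if g.lower() in {c.lower() for c in cfg["groups"]}]
        problems.append(f"no value of '{cfg['group_name']}' matches a FortiGate group"
                        + (f"; '{near[0]}' differs only in case" if near else ""))
    return problems
```

When the IdP cannot return the exact group names the FortiGate expects, the Returned Attributes setting of the client policy is where the expected values are hardcoded, as described above.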