Configuration Guide: FortiAuthenticator as Google WorkSpace SAML IdP
We've written a number of articles showing how to use Azure as your SAML IdP, and I've collaborated with my friend, Kim Frellsen on how to use Google WorkSpace and Okta as your SAML IdP for FortiGate SSL VPN. This week, a colleague of mine decided to flip the script, and came to me asking "Hey, any idea how we use FortiAuthenticator as the SAML IdP for Google Workspace?" well now, there's a new one. Of course I said "Give me a little bit, let me explore this.", I am happy to report that this is not only doable, it's relatively simple compared to the other articles we've written on the SAML subject.
This article uses FortiAuthenticator version 6.3.2
We are using the paid version of Google WorkSpace/G Suite
You have a public DNS record that matches the subject name on your publicly signed/trusted certificate (SAN Certs are OK, Wildcards will work, but not recommended from a security standpoint)
Ok, with the boring stuff out of the way, let's get started!
Configuring FortiAuthenticator as SAML IdP
If you haven't already, you will need to enable the SAML IdP functionality in FortiAuthenticator. To enable SAML IdP on the FortiAuthenticator:
Browse to Authentication > SAML IdP > General
If this isn't visible, you may need to enable it under System > Network > Interface
Choose the interface that will be processing requests, and enable SAML IdP under services
Toggle the "Enable SAML Identity Provider Settings
Validate the devices FQDN, if it's not correct you can edit it on the dashboard
In the Server address field, specify the public DNS name you have created for the FortiAuthenticator, this will tell the FortiAuthenticator what FQDN to expect SAML requests on. You can see this as the IdP-initiated login URL will change as you edit the field
Note: The Server address states to specify either the FQDN or IP address of the device. While this is correct, I find that using the FQDN is a best practice, in the event that the device IP needs to change at a later time, you don't need to come back and edit this field, you just need to ensure your DNS entries are accurate; something you would need to do anyway. Additionally this would allow you to not care if the request is coming from and internal or external network provided your DNS resolution is set correctly
Under Realms, specify the domains/sources you'd like to authenticate against, you can add as many as you like. In this case I am only using one
View of complete settings:
That should take care of enabling SAML IdP. Before we can configure Google WorkSpace to use FortiAuthenticator for logins, we need to set it up as a Service Provider in FortiAuthenticator.
Configuring the SAML Service Provider in FortiAuthenticator
The purpose of this step is to tell FortiAuthenticator that Google WorkSpace is authorized to use the FortiAuthenticator as a SAML IdP. In short, it should expect requests from Google. You will need to set up a Service Provider in FortiAuthenticator for each application or service you want to use FortiAuthenticator as a SAML IdP for. Here's how we do this:
Browse to Authentication > SAML IdP > Service Providers
Click on Create New
SP Name: Choose a meaningful name so you can identify this easily later
IdP Prefix: This is a unique prefix so the FortiAuthenticator can tell service providers apart. I normally let the FortiAuthenticator generate a random prefix, by clicking "Generate Prefix"
Server Certificate: You can choose to use the cert specified in the SAML IdP page or specify a different one here. For this exercise I am using the default
Signing Algorithm: Leave this as the default unless you need to change it
Take note of your IdP Entity ID/Single Sign-on URL/Single logout URL. We'll need these in a bit
SP Entity ID: This was a bit difficult to find, you will need to find this in your Google WorkSpace Admin Console under "Set up single sign-on (SSO) with Google as SAML Identity Provider (IdP)" - while we won't be changing anything in here, you still need the Entity ID:
SP ACS (login) URL: https://www.google.com/a/<domain.com>/acs
Here's how it should look:
Configuring Google WorkSpace as a SAML Service Provider
Take these instructions with a grain of salt because by the time some of you read this, Google will have already changed the layout of the Google Workspace Admin Console. I say this because Google's own instructions referenced an older layout of the Admin Console. And while Google does provide relatively OK instructions, they're incomplete, hence the writing of this article.
I used the search bar up top to search for SSO related functions:
Click on "Set up single sign-on (SSO) with a third party IdP
There is very little we need to configure here, however those URLs that FortiAuthenticator configured for us will come into play here
Check the "Set up SSO with third-party identity provider" check box
Sign-in page URL: this is the value of the IdP single sign-on URL we configured in the previous section
Sign-out page URL: this is the value of the IdP single logout URL we configured in the previous section
Verification certificate: this is the certificate we used for the IdP
Use a domain specific issuer: I will check this for this exercise. It's recommended for the following reason: When multiple domains are configured to use SSO with the same IdP, a specific issuer can be parsed by the IdP to identify the correct domain name for the SAML request.
Change Password URL: this can be specified to your IdP initiated login URL, or can be left blank
It should look like this:
Signing into your Google Account with Single Sign-On
Now that we've gotten everything configured, it's time to test it out. One thing that I haven't been able to get around is that signing into Gmail (or any other Google Service for that Matter) using a 3rd party IdP has to be done using a special URL . That URL looks like this:
So in this case, we would replace "service" with mail, and "domain.com" with your Google WorkSpace domain.
Note: You can also use gmail.com though if you're logged in with multiple sessions it might be easier to use the above URL.
I tested in browser as well as on my mobile device, I am including video links to both.
Thank you for reading, I hope this helps. Madman out!