FortiGate SSL VPN Authentication with AD FS
Updated: Mar 10, 2022
Update: including steps for tunnel based VPN as well.
Update 3/10: updated assumptions
I am starting to think we've pretty much covered the gamut here with SAML and FortiGate SSL VPN authentication. However, a customer asked "What about Active Directory Federated Services?".
Well, darn it, I thought I'd covered it all.
Before we get started, I'd like to thank Jeff Carlisle for his suggestion for the topic.
FortiOS version: SAML Authentication is supported as of 6.4.0 - for this article we are using 7.0.5 (bleeding edge baby!)
AD FS is running on Microsoft Server 2019 Standard - therefore AD FS version 4 is being used in this article
You have AD FS up and running, configured properly, etc.. This article does not cover that
You have publicly trusted certs to use. Others have gotten this working with self-signed certs, but this guide is written using publicly trusted certs
For the purposes of this article, I used a separate realm for authentication, you can use the default realm if you so choose
With all that out of the way, let's get started!
Importing the AD FS Certificate into FortiOS
Before we get to configuring, we need to import the Token Signing certificate from AD FS. The token signing certificate can be exported from AD FS > Service > Certificates, double click on the Token Signing certificate, and under the details tab, select copy to file.
For export file format, I generally use "Base-64 encoded X.509 (.CER)"
On the File to Export screen, click Browse and select an easily accessible location for the file, such as the Downloads folder or Desktop (totally your call where you put this)
For this case I exported the certificate to my Downloads folder, and gave it the name "adfs.ultraviolet.network.cer"
On the FortiGate, browse to System > Certificates - if this isn't enabled, you will need to enable Certificates from System > Feature Visibility
Click on Import and select Remote Certificate
Browse to the .cer file that you exported from ADFS
The certificate will be imported as REMOTE_Cert_X - where X is the next available number (i.e. if it's your first cert it will be REMOTE_Cert_1 and so on)
You can optionally rename this certificate by going to the CLI and typing the following commands:
config vpn certificate remote
    rename REMOTE_Cert_X to adfs.ultraviolet.network
end
Configuring the FortiGate for SAML Authentication with AD FS
I personally prefer to use the CLI when configuring SAML, however FortiOS 7.0 introduced the ability to configure a SAML IDP for users from the GUI.
Browse to User & Authentication > Single Sign-On
Click on Create New
Give your Service Provider a meaningful name, note: this is for your reference, it doesn't need to be anything specific
Assign the appropriate hostname you wish to use for the SAML properties (i.e. vpn.ultraviolet.network)
And watch the fields auto populate
In the Identity Provider Details section select Custom IdP Type
Entity ID: http://fqdn.to.adfs/adfs/services/trust (note the http scheme: AD FS advertises its federation service identifier with http by default, and this value must match the entityID in the AD FS metadata character for character)
Assertion Consumer Service URL: https://fqdn.to.adfs/adfs/ls/
Single logout service URL: https://fqdn.to.adfs/adfs/ls/
These values can also be found in the metadata file downloaded from https://fqdn.to.adfs/FederationMetadata/2007-06/FederationMetadata.xml by searching for the following attributes:
Entity ID: search for 'entityID'
Assertion Consumer Service URL: search for SingleSignOnService, and look for the 'Location' attribute next to the 'Binding' attribute
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fqdn.to.adfs/adfs/ls/"/>
Single Logout service URL can be found by searching for SingleLogoutService and looking for the 'Location' attribute similar to the previous example
Certificate: Select the remote Token Signing certificate we uploaded in the last section
In the Additional SAML Attributes section set the attribute used to identify users to 'username' (this must match the outgoing claim type you will create on AD FS later). You may enter the same name for the group attribute, but it is not needed for this setup: the user group created in the next step matches every user authenticated by this SAML server.
NOTE: If you are using FortiOS 7.0.5 the GUI may generate a Service Provider configuration that differs from the one below.
This is not the correct config, I have confirmed this with Fortinet. You will need to go to the CLI to correct it - this is also the CLI configuration if you choose to go this way. Two details matter here: the SP entity-id must use https (AD FS will not accept the trust otherwise), and idp-entity-id must match the entityID in the AD FS metadata exactly (http by default):
config user saml
    edit "fqdn.to.vpn"
        set entity-id "https://fqdn.to.vpn/remote/saml/metadata/"
        set single-sign-on-url "https://fqdn.to.vpn/remote/saml/login/"
        set single-logout-url "https://fqdn.to.vpn/remote/saml/logout/"
        set idp-entity-id "http://fqdn.to.adfs/adfs/services/trust"
        set idp-single-sign-on-url "https://fqdn.to.adfs/adfs/ls/"
        set idp-single-logout-url "https://fqdn.to.adfs/adfs/ls/"
        set idp-cert "adfs.ultraviolet.network"
        set user-name "username"
        set digest-method sha256
    next
end
idp-cert is the remote certificate imported in the first section (REMOTE_Cert_X if you did not rename it), i.e. the AD FS Token Signing certificate, not the VPN server certificate.
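Rather than hunting through the metadata file by hand, the following PowerShell script (added here as an example; it is not part of the original article and not a Fortinet or Microsoft tool) pulls the three IdP values from the AD FS federation metadata, exports every advertised token-signing certificate as a Base-64 .cer that FortiOS will import as a Remote Certificate, and prints the matching "config user saml" lines. The AD FS and VPN host names are fictitious placeholders; pass -MetadataSource a local path if you have already downloaded the metadata.

```powershell
# Added example for this article (not Fortinet's or Microsoft's code).
# Reads the AD FS federation metadata, extracts entityID and the HTTP-POST
# SSO/SLO locations, exports the token-signing certificate(s) as Base-64 .cer,
# and prints the FortiOS "config user saml" block built from those values.
# Assumptions: host names below are fictitious; -MetadataSource may be a URL or a file.
param(
    [string]$MetadataSource = 'https://adfs.ultraviolet.network/FederationMetadata/2007-06/FederationMetadata.xml',
    [string]$OutDir  = (Join-Path $HOME 'Downloads'),
    [string]$VpnFqdn = 'vpn.ultraviolet.network'
)

if ($MetadataSource -match '^https?://') {
    [xml]$md = (Invoke-WebRequest -Uri $MetadataSource -UseBasicParsing).Content
} else {
    [xml]$md = Get-Content -Path $MetadataSource -Raw
}

$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}
$postBinding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

# entityID sits on the root EntityDescriptor; AD FS uses http:// here by default,
# and the FortiGate idp-entity-id must match it exactly, scheme included.
$entityId = $md.DocumentElement.GetAttribute('entityID')

$idp = (Select-Xml -Xml $md -Namespace $ns -XPath '/md:EntityDescriptor/md:IDPSSODescriptor' |
        Select-Object -First 1).Node
$ssoUrl = (Select-Xml -Xml $idp -Namespace $ns -XPath "md:SingleSignOnService[@Binding='$postBinding']/@Location" |
           Select-Object -First 1).Node.Value
$sloUrl = (Select-Xml -Xml $idp -Namespace $ns -XPath "md:SingleLogoutService[@Binding='$postBinding']/@Location" |
           Select-Object -First 1).Node.Value

# Only KeyDescriptor use="signing" matters to the FortiGate. AD FS advertises two
# of them while a token-signing certificate rollover is in progress.
$signing  = Select-Xml -Xml $idp -Namespace $ns -XPath "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
$exported = @()
$i = 0
foreach ($entry in $signing) {
    $i++
    $b64  = $entry.Node.InnerText -replace '\s', ''
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    # Wrap at 64 columns to produce the same "Base-64 encoded X.509 (.CER)" layout the MMC export writes
    $lines = for ($p = 0; $p -lt $b64.Length; $p += 64) { $b64.Substring($p, [Math]::Min(64, $b64.Length - $p)) }
    $pem   = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"
    $path  = Join-Path $OutDir ("adfs-token-signing-{0}.cer" -f $i)
    Set-Content -Path $path -Value $pem -Encoding Ascii -NoNewline
    $exported += [pscustomobject]@{ File = $path; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
}

$exported | Format-Table -AutoSize
if ($exported.Count -gt 1) {
    Write-Warning "AD FS advertises $($exported.Count) signing certificates (rollover in progress). Import the one AD FS reports as primary: Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary"
}

# FortiOS CLI built from the extracted values; replace REMOTE_Cert_X with the name
# the certificate received (or was renamed to) after import on the FortiGate.
@"
config user saml
    edit "$VpnFqdn"
        set entity-id "https://$VpnFqdn/remote/saml/metadata/"
        set single-sign-on-url "https://$VpnFqdn/remote/saml/login/"
        set single-logout-url "https://$VpnFqdn/remote/saml/logout/"
        set idp-entity-id "$entityId"
        set idp-single-sign-on-url "$ssoUrl"
        set idp-single-logout-url "$sloUrl"
        set idp-cert "REMOTE_Cert_X"
        set user-name "username"
        set digest-method sha256
    next
end
"@
```

The printed entityID, SSO and SLO locations are the same three values the GUI asks for under Identity Provider Details. Comparing the thumbprint in the table against System > Certificates > Remote Certificates on the FortiGate is the quickest way to confirm you imported the signing certificate rather than the service-communication or encryption certificate.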
Now that we have the SAML parameters configured, we will need to add the server to a user group:
Go to User & Authentication > User Groups > Click on Create New
Name: Give this group a meaningful name
Remote Groups: Click Add and in the remote groups drop down select the SAML SSO Server you created in the last step
Click OK again
If you already have an SSL VPN policy created, be sure to add the user group you just created to the allowed sources. If you do not, you will need to create a policy with AT LEAST (But not limited to) the following parameters:
Name: Give the policy a meaningful name
Incoming Interface: SSL-VPN Tunnel Interface
Outgoing Interface: The intended egress interface
Source: the source SSL VPN address object (SSLVPN_TUNNEL_ADDR1 if default) AND the user group we created above
Destination: The IP ranges you wish these users to have access to
Service: Select the services you wish to allow
It's recommended you set security profiles in accordance with your organizational security policy
If you are planning on using a separate (not the default) realm for AD FS SAML users, you need to create the realm and, if you so choose, the virtual host you wish users to connect to. Make sure this URL matches the SAML configuration above.
Ensure that you have created the appropriate user group / realm to portal mappings under VPN > SSL-VPN Settings, it should look something like this:
Configuring Active Directory Federated Services
In this section we will configure the FortiGate as a service provider on the AD FS server.
In AD FS Manager go to AD FS > Relying Party Trusts and click on "Add Relying Party Trust..."
On the Welcome screen, select 'Claims Aware' and click 'Start'
On the Select Data Source screen, select 'Enter data about the relying party manually' and Click 'Next'
Display Name: enter a meaningful name here - Click 'Next'
Click 'Next' on the Configure Certificate page. Optionally you can supply a token-encryption certificate here; if you do, the FortiGate must hold the matching private key to decrypt the assertions (don't forget to specify it on the FortiGate)
On Configure URL tick the 'Enable support for the SAML 2.0 WebSSO protocol'
Relying party SAML 2.0 SSO service URL: https://fqdn.to.vpn/remote/saml/metadata/
On Configure Identifier:
Relying party trust identifier: https://fqdn.to.vpn/remote/saml/metadata/
Choose your Access Control Policy - in this configuration I will use Permit everyone, however you will need to choose the policy that complies with your organization security policy
On the Ready to Add Trust page, click 'Next'
On the Finish page, check 'Configure claims issuance policy for this application' and click 'Done'
When the 'Edit Claim Issuance Policy for...' window appears click on 'Add Rule'
In the 'Claim rule template' field, accept the default of 'Send LDAP Attributes Claims' and click 'Next'
Claim rule name: give this a meaningful name
Attribute store: in this case I am selecting Active Directory, you will need to select the appropriate attribute store for your organization
Mapping of LDAP Attributes to outgoing claim types - the most common choices are userPrincipalName or sAMAccountName; know the caveats of each (sAMAccountName is the bare account name with no domain part, userPrincipalName is user@domain). In this demonstration I will select sAMAccountName
With sAMAccountName, users authenticate on the AD FS sign-in page with DOMAIN\username (or their UPN), and the value AD FS sends to the FortiGate - and therefore the username that shows up in FortiGate logs - is the bare account name
It's important that you configure the attribute you select twice: once with the Outgoing Claim Type 'Name ID', and once with the Outgoing Claim Type 'username' (typed in manually; it must match the user attribute name configured on the FortiGate):
Click 'Apply' - and then 'OK'
We still need to add the SAML endpoints to the Relying Party Trust:
Right Click on the Relying Party Trust you just created and click on 'Properties'
On the 'Endpoints' tab, click 'Add SAML'
Endpoint Type: SAML Assertion Consumer
Set the trusted URL as default: checked
Trusted URL: https://fqdn.to.vpn/remote/saml/login/
Now we'll add the logout URL - click 'Add SAML'
Endpoint Type: SAML Logout
Trusted URL: https://fqdn.to.vpn/remote/saml/logout/
Click 'OK' to exit the properties dialog
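The same relying party trust can be built from an elevated PowerShell session on the AD FS server. The script below is an added example, not part of the original article or of Microsoft's or Fortinet's documentation; the VPN host name is a fictitious placeholder, the trust and rule names are arbitrary, and it uses the 'Permit everyone' access control policy exactly as the GUI walk-through does. It creates the login endpoint as the default assertion consumer directly (the end state the GUI steps reach after the Endpoints tab), issues sAMAccountName as both Name ID and 'username', then reads the trust back and checks the two settings that most often break the login.

```powershell
# Added example for this article (not Microsoft's or Fortinet's code): build the
# FortiGate relying party trust with the AD FS PowerShell module.
# Assumptions: run on the AD FS server as an administrator; vpn.ultraviolet.network
# is a placeholder; the trust name and rule name are arbitrary.
Import-Module ADFS

$vpnFqdn   = 'vpn.ultraviolet.network'
$trustName = 'FortiGate SSL VPN'
$spEntity  = "https://$vpnFqdn/remote/saml/metadata/"   # must equal "set entity-id" on the FortiGate, https included

# Assertion consumer (login) endpoint marked as default, plus the logout endpoint
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri "https://$vpnFqdn/remote/saml/login/" -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri "https://$vpnFqdn/remote/saml/logout/"
)

# Same rule the "Send LDAP Attributes as Claims" template generates: sAMAccountName
# is issued twice, as Name ID (assertion subject, required for logout to work) and as
# a plain "username" claim, the attribute name the FortiGate reads (set user-name "username").
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "FortiGate username"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "username"), query = ";sAMAccountName,sAMAccountName;{0}", param = c.Value);
'@

if (Get-AdfsRelyingPartyTrust -Name $trustName) {
    throw "A relying party trust named '$trustName' already exists; remove it or pick another name."
}

Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $spEntity `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone'

# Read the trust back and check the two values that most often break the login:
# the identifier (exact string match with the SP entity ID) and the default ACS URL.
$rp  = Get-AdfsRelyingPartyTrust -Name $trustName
$acs = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' -and $_.IsDefault }
if ($rp.Identifier -notcontains $spEntity) {
    throw "Identifier mismatch: AD FS has '$($rp.Identifier -join ', ')', FortiGate expects '$spEntity'"
}
if (-not $acs -or $acs.Location.AbsoluteUri -ne "https://$vpnFqdn/remote/saml/login/") {
    throw "Default assertion consumer endpoint is missing or wrong"
}

# Token-signing certificate the FortiGate has to trust: compare this thumbprint with
# the Remote Certificate imported under System > Certificates.
Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object IsPrimary |
    Select-Object @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
                  @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } }
```

If you already created the trust through the wizard, run only the verification half: an identifier that differs from the FortiGate entity-id by a single character (http versus https, or a missing trailing slash) is the most common reason AD FS answers the FortiGate's request with an "invalid relying party" error.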
And now we test:
In FortiClient ensure you have ticked "Enable Single Sign On (SSO) for VPN tunnel":
Use the same URL/FQDN you used in web mode. And that's it!
Thank you for reading, I hope this helps.