Matt Sherif

FortiGate SSL VPN Authentication with AD FS

Updated: Mar 10

Update: including steps for tunnel based VPN as well.


Update 3/10: updated assumptions


I am starting to think we've pretty much covered the gamut here with SAML and FortiGate SSL VPN authentication. However, a customer asked "What about Active Directory Federated Services?".


Well, darn it, I thought I'd covered it all.


Before we get started, I'd like to thank Jeff Carlisle for his suggestion for the topic.


Assumptions:


  • FortiOS version: SAML Authentication is supported as of 6.4.0 - for this article we are using 7.0.5 (bleeding edge baby!)

  • AD FS is running on Microsoft Server 2019 Standard - therefore AD FS version 4 is being used in this article

  • You have AD FS up and running, configured properly, etc. This article does not cover that

  • You have publicly trusted certs to use; many have gotten it working with self-signed certs, but this guide is written using publicly trusted certs

  • For the purposes of this article, I used a separate realm for authentication, you can use the default realm if you so choose

With all that out of the way, let's get started!


Importing the AD FS Certificate into FortiOS


Before we get to configuring, we need to import the Token Signing certificate from AD FS. The token signing certificate can be exported from AD FS > Service > Certificates, double click on the Token Signing certificate, and under the details tab, select copy to file.

  • For export file format, I generally use "Base-64 encoded X.509 (.CER)"

  • On the File to Export screen, click Browse and select an easily accessible location for the file, such as the Downloads folder or Desktop (totally your call where you put this)

  • For this case I exported the certificate to my Downloads folder, and gave it the name "adfs.ultraviolet.network.cer"

  • On the FortiGate, browse to System > Certificates - if this isn't enabled, you will need to enable Certificates from System > Feature Visibility

  • Click on Import and select Remote Certificate

  • Browse to the .cer file that you exported from ADFS

  • The certificate will be imported as REMOTE_Cert_X - where X is the next available number (i.e. if it's your first cert it will be REMOTE_Cert_1 and so on)

  • You can optionally rename this certificate by going to the CLI and typing the following commands:

config vpn certificate remote
    rename REMOTE_Cert_X to adfs.ultraviolet.network
end


Configuring the FortiGate for SAML Authentication with AD FS


I personally prefer to use the CLI when configuring SAML; however, FortiOS 7.0 introduced the ability to configure a SAML IdP for users from the GUI.


  • Browse to User & Authentication > Single Sign-On

  • Click on Create New

  • Give your Service Provider a meaningful name; this is for your reference only, it doesn't need to be anything specific

  • Assign the hostname you wish to use for the SAML properties (e.g. vpn.ultraviolet.network)

  • And watch the fields auto-populate


  • Click Next

  • In the Identity Provider Details section select Custom IdP Type

  • Entity ID: https://fqdn.to.adfs/adfs/services/trust

  • Assertion Consumer Service URL: https://fqdn.to.adfs/adfs/ls/

  • Single logout service URL: https://fqdn.to.adfs/adfs/ls/

  • These values can also be found in the metadata file downloaded from https://fqdn.to.adfs/FederationMetadata/2007-06/FederationMetadata.xml by searching for the following attributes:

  • Entity ID: search for 'entityID'

  • Assertion Consumer Service URL: search for SingleSignOnService, and look for the 'Location' attribute next to the 'Binding' attribute

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fqdn.to.adfs/adfs/ls/"/>

  • Single Logout service URL can be found by searching for SingleLogoutService and looking for the 'Location' attribute similar to the previous example


  • Certificate: Select the remote Token Signing certificate we uploaded in the last section

  • In the Additional SAML Attributes section assign 'username' to the Attribute used to identify users, and the same for groups

  • Click 'Submit'

NOTE: If you are using FortiOS 7.0.5 you may end up with the following Service Provider configuration:

This is not the correct config; I have confirmed this with Fortinet. You will need to go to the CLI to correct it. This is also the CLI configuration to use if you prefer to configure SAML from the CLI in the first place. Note that idp-entity-id must match the entityID attribute in the AD FS FederationMetadata.xml character for character, scheme included, since the FortiGate compares the assertion's Issuer against it as an exact string:

config user saml
    edit "fqdn.to.vpn"
        set entity-id "https://fqdn.to.vpn/remote/saml/metadata/"
        #https is required for ADFS
        set single-sign-on-url "https://fqdn.to.vpn/remote/saml/login/"
        set single-logout-url "https://fqdn.to.vpn/remote/saml/logout/"
        set idp-entity-id "http://fqdn.to.adfs/adfs/services/trust"
        set idp-single-sign-on-url "https://fqdn.to.adfs/adfs/ls/"
        set idp-single-logout-url "https://fqdn.to.adfs/adfs/ls/"
        set idp-cert "vpn.cert.fqdn.cer"
        set user-name "username"
        set digest-method sha256
    next
end
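The values in the block above can be lifted straight out of FederationMetadata.xml rather than typed by hand. The following Python script is an added example and is not code from the original post or from Fortinet: it parses the metadata, picks the HTTP-POST SingleSignOnService and SingleLogoutService locations (the bindings the FortiGate uses), extracts the token-signing certificate as a PEM .cer file ready for System > Certificates > Import > Remote Certificate, and renders the matching `config user saml` block. The metadata document embedded in it is a constructed, trimmed-down sample; the hostnames fqdn.to.adfs and fqdn.to.vpn and the certificate name adfs.ultraviolet.network are the placeholders used in this post. The entityID is emitted verbatim, scheme included, because that is what the FortiGate will compare against.

```python
"""Pull the FortiGate-side SAML settings out of an AD FS FederationMetadata.xml.

Added example, not part of the original post. Hostnames, certificate name and
the embedded metadata document are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the base64 DER certificate AD FS publishes
# (base64 of filler text, not a real certificate).
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate " * 4).decode()

# Constructed, trimmed-down FederationMetadata.xml. The real file is far larger
# and XML-signed, but these are the elements the post tells you to search for.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://fqdn.to.adfs/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fqdn.to.adfs/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fqdn.to.adfs/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fqdn.to.adfs/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, the HTTP-POST SSO/SLO locations and the signing cert(s)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP?)")

    def post_location(tag):
        # The FortiGate POSTs to the IdP, so select the HTTP-POST binding only.
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == HTTP_POST:
                return el.get("Location")
        raise ValueError(f"no HTTP-POST {tag} endpoint in metadata")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop embedded newlines
    if not certs:
        raise ValueError("no token-signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),  # used verbatim, scheme included
        "sso_url": post_location("SingleSignOnService"),
        "slo_url": post_location("SingleLogoutService"),
        "signing_certs": certs,
    }


def to_pem(cert_b64):
    """Wrap the metadata's base64 DER blob as the .cer file FortiOS imports."""
    base64.b64decode(cert_b64, validate=True)  # fail early on a garbled blob
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fortigate_saml_config(idp, vpn_fqdn, cert_name, sp_name=None):
    """Render the 'config user saml' block for the SSL VPN service provider."""
    sp = f"https://{vpn_fqdn}/remote/saml"  # AD FS only accepts https endpoints
    lines = [
        "config user saml",
        f'    edit "{sp_name or vpn_fqdn}"',
        f'        set entity-id "{sp}/metadata/"',
        f'        set single-sign-on-url "{sp}/login/"',
        f'        set single-logout-url "{sp}/logout/"',
        f'        set idp-entity-id "{idp["entity_id"]}"',
        f'        set idp-single-sign-on-url "{idp["sso_url"]}"',
        f'        set idp-single-logout-url "{idp["slo_url"]}"',
        f'        set idp-cert "{cert_name}"',  # name given to the imported remote cert
        '        set user-name "username"',
        "        set digest-method sha256",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print(to_pem(idp["signing_certs"][0]))
    print(fortigate_saml_config(idp, "fqdn.to.vpn", "adfs.ultraviolet.network"))
```

Against a real download, replace SAMPLE_METADATA with the file contents; if AD FS is mid-rollover it publishes two signing KeyDescriptors, which is why the function returns a list rather than a single certificate.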

Now that we have the SAML parameters configured, we will need to add the server to a user group:


  • Go to User & Authentication > User Groups > Click on Create New

  • Name: Give this group a meaningful name

  • Remote Groups: Click Add and in the remote groups drop down select the SAML SSO Server you created in the last step

  • Click OK

  • Click OK again

If you already have an SSL VPN policy created, be sure to add the user group you just created to the allowed sources. If you do not, you will need to create a policy with AT LEAST (But not limited to) the following parameters:

  • Name: Give the policy a meaningful name

  • Incoming Interface: SSL-VPN Tunnel Interface

  • Outgoing Interface: The intended egress interface

  • Source: the source SSL VPN address object (SSLVPN_TUNNEL_ADDR1 if default) AND the user group we created above

  • Destination: The IP ranges you wish these users to have access to

  • Schedule: Always

  • Service: Select the services you wish to allow

  • Action: Accept

  • NAT: Disabled

  • It's recommended you set security profiles in accordance with your organizational security policy

If you are planning on using a separate (not the default) realm for AD FS SAML users, you need to create the realm and, if you so choose, the virtual host you want users to connect to. Make sure this URL matches the SAML configuration above.


Ensure that you have created the appropriate user group / realm to portal mappings under VPN > SSL-VPN Settings, it should look something like this:



Configuring Active Directory Federated Services


In this section we will configure the FortiGate as a service provider on the AD FS server.


  • In AD FS Manager go to AD FS > Relying Party Trusts and click on "Add Relying Party Trust..."

  • On the Welcome screen, select 'Claims Aware' and click 'Start'

  • On the Select Data Source screen, select 'Enter data about the relying party manually' and Click 'Next'

  • Display Name: enter a meaningful name here - Click 'Next'

  • Click 'Next' on the Configure Certificate page, or optionally configure a certificate that the FortiGate will use to communicate (if you do, remember to configure the same certificate on the FortiGate)

  • On Configure URL tick the 'Enable support for the SAML 2.0 WebSSO protocol'

  • Relying party SAML 2.0 SSO service URL: https://fqdn.to.vpn/remote/saml/metadata/

  • Click 'Next'

  • On Configure Identifier:

  • Relying party trust identifier: https://fqdn.to.vpn/remote/saml/metadata/

  • Click 'Add'

  • Click 'Next'

  • Choose your Access Control Policy - in this configuration I will use Permit everyone, however you will need to choose the policy that complies with your organization security policy

  • On the Ready to Add Trust page, click 'Next'

  • On the Finish page, check 'Configure claims issuance policy for this application' and click 'Done'

  • When the 'Edit Claim Issuance Policy for...' window appears click on 'Add Rule'

  • In the 'Claim rule template' field, accept the default of 'Send LDAP Attributes Claims' and click 'Next'

  • Configure Rule:

  • Claim rule name: give this a meaningful name

  • Attribute store: in this case I am selecting Active Directory, you will need to select the appropriate attribute store for your organization

  • Mapping of LDAP Attributes to outgoing claim types: the most common choices are userPrincipalName or sAMAccountName; know the caveats of each. In this demonstration I will select sAMAccountName

  • With sAMAccountName the users will log in with DOMAIN\username

  • It's important that you configure the attribute you select twice, and set the Outgoing Claim Type to the following:

  • Click 'Finish'

  • Click 'Apply' - and then 'OK'

We still need to add the SAML endpoints to the Relying Party Trust:


  • Right Click on the Relying Party Trust you just created and click on 'Properties'

  • On the 'Endpoints' tab, click 'Add SAML'

  • Endpoint Type: SAML Assertion Consumer

  • Binding: POST

  • Set the trusted URL as default: checked

  • Index: 1

  • Trusted URL: https://fqdn.to.vpn/remote/saml/login/

  • Click 'OK'

  • Now we'll add the logout URL - click 'Add SAML'

  • Endpoint Type: SAML Logout

  • Binding: POST

  • Trusted URL: https://fqdn.to.vpn/remote/saml/logout/

  • Click 'OK'

  • Click 'OK' to exit the properties dialog
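At this point the same three URLs and the AD FS entity ID have been typed into two different products, and a SAML login that fails at this stage is very often a silent string mismatch between them (a trailing slash, a case difference, or http versus https on the AD FS entity ID). The following Python check is an added example, not code from the original post or from either vendor: it parses the FortiGate `config user saml` block and compares it field by field with what was entered into the relying party trust. Both the config text and the trust values are constructed from the placeholder hostnames used in this post.

```python
"""Cross-check the FortiGate SAML SP settings against the AD FS relying party trust.

Added example, not part of the original post. Config text and trust values are
constructed from the post's placeholder hostnames.
"""
import re
from urllib.parse import urlsplit

# Constructed: the FortiGate side, as shown by 'show user saml'.
FORTIGATE_SAML = '''config user saml
    edit "fqdn.to.vpn"
        set entity-id "https://fqdn.to.vpn/remote/saml/metadata/"
        set single-sign-on-url "https://fqdn.to.vpn/remote/saml/login/"
        set single-logout-url "https://fqdn.to.vpn/remote/saml/logout/"
        set idp-entity-id "http://fqdn.to.adfs/adfs/services/trust"
        set idp-single-sign-on-url "https://fqdn.to.adfs/adfs/ls/"
        set idp-single-logout-url "https://fqdn.to.adfs/adfs/ls/"
        set idp-cert "adfs.ultraviolet.network"
        set user-name "username"
        set digest-method sha256
    next
end
'''

# Constructed: what was entered in the AD FS relying party trust, plus the
# entityID attribute from FederationMetadata.xml.
ADFS_RP_TRUST = {
    "identifier": "https://fqdn.to.vpn/remote/saml/metadata/",
    "assertion_consumer": "https://fqdn.to.vpn/remote/saml/login/",
    "logout": "https://fqdn.to.vpn/remote/saml/logout/",
    "idp_entity_id": "http://fqdn.to.adfs/adfs/services/trust",
}

# FortiOS key -> relying party trust key -> label for the report.
PAIRS = [
    ("entity-id", "identifier", "Relying party trust identifier"),
    ("single-sign-on-url", "assertion_consumer", "SAML Assertion Consumer endpoint"),
    ("single-logout-url", "logout", "SAML Logout endpoint"),
    ("idp-entity-id", "idp_entity_id", "AD FS entityID"),
]

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*)"?\s*$')


def parse_fortios_settings(text):
    """Collect the 'set key value' lines of a FortiOS config block into a dict."""
    settings = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def _near_miss(a, b):
    """True when two URLs differ only in case, trailing slash or scheme."""
    sa, sb = urlsplit(a)._replace(scheme=""), urlsplit(b)._replace(scheme="")
    return a.lower() == b.lower() or a.rstrip("/") == b.rstrip("/") or sa == sb


def check_trust(fortios_text, rp_trust):
    """Return a list of mismatches; an empty list means both sides agree."""
    sp = parse_fortios_settings(fortios_text)
    problems = []
    for fg_key, rp_key, label in PAIRS:
        fg, rp = sp.get(fg_key), rp_trust.get(rp_key)
        if fg is None:
            problems.append(f"FortiGate has no {fg_key}")
        elif rp is None:
            problems.append(f"relying party trust has no {rp_key}")
        elif fg != rp:
            # SAML compares these as exact strings, so a near miss is still a miss.
            hint = " (differs only in case, trailing slash or scheme)" if _near_miss(fg, rp) else ""
            problems.append(f"{label}: FortiGate {fg_key}={fg!r} vs AD FS {rp!r}{hint}")
    # AD FS will not accept plain http for the relying party's own endpoints.
    for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
        if key in sp and urlsplit(sp[key]).scheme != "https":
            problems.append(f"{key} must be an https URL for AD FS")
    return problems


if __name__ == "__main__":
    for p in check_trust(FORTIGATE_SAML, ADFS_RP_TRUST) or ["OK: both sides agree"]:
        print(p)
```

Paste the output of `show user saml` into FORTIGATE_SAML and the trust's identifier and endpoint URLs into ADFS_RP_TRUST; the check deliberately flags near misses with a hint, because those are the ones a visual comparison tends to pass.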

And now we test:


Web mode:


Tunnel Mode:

In the client ensure you have ticked the "Enable Single Sign On (SSO) for VPN tunnel":


Use the same URL/FQDN you used in web mode. And that's it!



Thank you for reading, I hope this helps.


Madman out!
