Skip to main content

FortiGate SSL VPN SAML integration

Multi-factor authentication (MFA) is an extra layer of security used when logging into websites or apps to authenticate users through more than one required security and validation procedure that only you know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Acceptto™, as a SAML provider, improves the user login experience for FortiGate VPN users with its intelligent and convenient MFA.

Prerequisites

  • Acceptto account with a configured Identity Provider and LDAP Agent.

    For more information, see the LDAP Agent deployment guide.

  • FortiGate UTM user account with administrative access

  • User account with administrative privileges for the Acceptto eGuardian dashboard.

FortiGate configuration

In this section, you'll configure FortiGate as a service provider.

  1. Download the SAML metadata and certificate for your organization from Acceptto.

    Metadata download: https://sso.acceptto.com/<myorganization>/saml/download/metadata

    View metadata: https://sso.acceptto.com/<myorganization>/saml/metadata

    Certificate download: https://sso.acceptto.com/<myorganization>/saml/download/cert

  2. Log in to your FortiGate UTM as an administrator.

  3. Go to System > Certificates.

    FortiGate certificates
  4. Click Create/Import and select Remote Certificate.

    Add Remote Certificate
  5. Click Add to upload the Acceptto certificate downloaded in Step 1.

  6. Log in to FortiGate via Secure Shell Protocol (SSH) and enter the following commands to configure it as a SAML Service Provider (SP):

    FortiGate #config user saml
    FortiGate (saml) #edit "<enter a unique name for the SAML configuration>"
    //For example, edit "Acceptto"
    FortiGate #set cert "SP certificate that set on the SSL-VPN"
    //For example, set cert "example.com.pfx"
    FortiGate (Acceptto) #set entity-id "https://<FortiGate external IP address>:<SSL-VPN configured port number>/remote/saml/metadata/"
    //For example, set entity-id "https://forti.example.com:4443/remote/saml/metadata/"
    FortiGate (Acceptto) #set single-sign-on-url "https://<FortiGate external IP address>:<SSL-VPN configured port number>/remote/saml/login/"
    //For example, set single-sign-on-url "https://forti.example.com:4443/remote/saml/login/"
    FortiGate (Acceptto) #set single-logout-url "https://<FortiGate external IP address>:<SSL-VPN configured port number>/remote/saml/logout/"
    //For example, set single-logout-url "https://forti.example.com:4443/remote/saml/logout/"
    FortiGate (Acceptto) #set idp-entity-id "<entityID value from the Acceptto metadata file>"
    //For example, set idp-entity-id "https://sso.acceptto.com/<yourorganization>/saml"
    FortiGate (Acceptto) #set idp-single-sign-on-url "<SingleSignOn value from the Acceptto metadata file>"
    //For example, set idp-single-sign-on-url "https://sso.acceptto.com/<yourorganization>/saml/auth"
    FortiGate (Acceptto) #set idp-single-logout-url "<SingleLogout value from the Acceptto metadata file>"
    //For example, set idp-single-logout-url "https://sso.acceptto.com/<yourorganization>/saml/logout"
    FortiGate (Acceptto) #set idp-cert "Acceptto certificate uploaded to FortiGate"
    //For example, set idp-cert "REMOTE_Cert_1"
    FortiGate (Acceptto) #set user-name "enter value for user attribute mapping on IDP"
    //For example, set user-name "username"
    FortiGate (Acceptto) #set digest-method sha1
    FortiGate (Acceptto) #next
    FortiGate (saml) #endFortiGate (saml) #end

    Note: Check your SAML configuration with the following command:

    FortiGate #show user saml
  7. Return to your FortiGate UTM admin portal and go to User & Authentication > User Group.

    User Groups
  8. Click Create New and set the following configurations:

    • Name – Set to a unique name.

      For example, saml-Acceptto-group.

    • Type – Select Firewall.

    • Remote Groups – Click Add and select the Acceptto SAML configuration.

    Add User Groups
  9. Click OK to save the configuration.

  10. Go to Policy & Object > Firewall Policy and edit the policy related to your SSL-VPN.

    Firewall policy
  11. Edit the Source field and add the User Group created in Step 8.

    Edit firewall policy
  12. Click OK to save the configuration.

  13. Go to VPN > SSL-VPN Settings.

    SSL-VPN settings
  14. In the Authentication/Portal Mapping section, click Create New.

  15. Set the following configurations:

    • Users/Groups – Select the User Group created in Step 8.

    • Portal – Select the type of portal you are going to provide.

      The options are: full-access, tunnel access, or web access.

    New portal mapping
  16. Click OK.

  17. Click Apply to save the configuration.

  18. In the FortiGate console, change the authentication timeout to 60 seconds with the following commands:

    config system global
    set remoteauthtimeout 60
    end

Acceptto SAML configuration as an Identity Provider (IdP)

In this section, you will add an application for FortiGate and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to the Acceptto Dashboard with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:

    • Name – Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

      For example, FortiGate.

    • Type – Set to SAML Service Provider.

    • Out of Band Methods – Select the allowed methods end users can choose to approve MFA requests.

      For example, It'sMe app (push notifications), SMS, or Security Key.

    • Message for MFA Requests – (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

    Add FortiGate application
  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    • Issuer or Entity ID – Enter the same EntityID set during FortiGate configuration.

      For example, https://forti.example.com:4443/remote/saml/metadata/.

    • Sign in URL – Enter the same Sign in URL set during FortiGate configuration.

      For example, https://forti.example.com:4443/remote/saml/login/.

    • NameID Format – Set to Email Address.

    • Name Identifier – Set to Email.

    • Single Logout URL – Enter the same Single Logout URL set during FortiGate configuration.

      For example, https://forti.example.com:4443/remote/saml/logout/.

    • Algorithm – Set to RSA-SHA1.

    SAML configuration
  5. Go to the Add New Attribute Assertion section and set the following configurations:

    Note: The Name value must match with the user-name value set during FortiGate configuration.

    • Friendly Name – Set to username.

    • Name – Set to username.

    • Value – Set to mail.

    • Name Format – Leave unspecified.

    Add attributes
  6. Click Save.

Test your application integration

  1. Go to your FortiGate VPN URL.

    For example, https://forti.example.com.

    Edit VPN connection

    Alternatively, create a connection on Forticlient and click SAML Login.

    FortiClient SAML login
  2. You will be redirected to the Acceptto SSO page.

    SSO login
  3. After successful authentication, select your preferred MFA method to approve access to the FortiGate VPN.

    Select MFA method
  4. Finally, your connection to the FortiGate VPN is established.

    FortiGate VPN connected

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.