FortiGate SSL VPN SAML integration
Multi-factor authentication (MFA) adds a second layer of verification to a login: besides a password, the user must prove possession of something only they hold (for example a phone or a security key) before access is granted.
Security Assertion Markup Language (SAML) is an XML-based protocol for federated authentication to web applications. An identity provider (IdP) authenticates the user and sends a signed assertion to a service provider (SP); the SP trusts the IdP's signature instead of checking the user's credentials itself, which lets federated applications and organizations trust one another's users.
Acceptto™, acting as the SAML IdP, places its MFA in front of the FortiGate SSL VPN login so that the FortiGate (the SP) receives an assertion only after the user has approved the MFA request.
Prerequisites
Acceptto account with a configured Identity Provider and LDAP Agent.
For more information, see the LDAP Agent deployment guide.
FortiGate UTM administrator account.
User account with administrative privileges for the Acceptto eGuardian dashboard.
FortiGate configuration
In this section, you'll configure FortiGate as a service provider (SP).
Download the SAML metadata and certificate for your organization from Acceptto.
Metadata download:
https://sso.acceptto.com/<myorganization>/saml/download/metadata
View metadata:
https://sso.acceptto.com/<myorganization>/saml/metadata
Certificate download:
https://sso.acceptto.com/<myorganization>/saml/download/cert
Log in to your FortiGate UTM as an administrator.
Go to System > Certificates.
Click Create/Import and select Remote Certificate.
Click Add to upload the Acceptto certificate downloaded from Acceptto above. Note the name FortiGate assigns to it (for example, REMOTE_Cert_1); it is referenced as idp-cert in the next step.
Log in to FortiGate over Secure Shell (SSH) and enter the following commands to configure it as a SAML Service Provider (SP). Replace forti.example.com:4443 with the external FQDN (or IP address) and port of your SSL-VPN, and replace the sso.acceptto.com values with the entityID, SingleSignOnService and SingleLogoutService locations from the Acceptto metadata file:
FortiGate # config user saml
FortiGate (saml) # edit "Acceptto"    //Any unique name for this SAML configuration
FortiGate (Acceptto) # set cert "example.com.pfx"    //The SP server certificate already set on the SSL-VPN
FortiGate (Acceptto) # set entity-id "https://forti.example.com:4443/remote/saml/metadata/"
FortiGate (Acceptto) # set single-sign-on-url "https://forti.example.com:4443/remote/saml/login/"
FortiGate (Acceptto) # set single-logout-url "https://forti.example.com:4443/remote/saml/logout/"
FortiGate (Acceptto) # set idp-entity-id "https://sso.acceptto.com/<yourorganization>/saml"    //entityID value from the Acceptto metadata file
FortiGate (Acceptto) # set idp-single-sign-on-url "https://sso.acceptto.com/<yourorganization>/saml/auth"    //SingleSignOnService location from the metadata file
FortiGate (Acceptto) # set idp-single-logout-url "https://sso.acceptto.com/<yourorganization>/saml/logout"    //SingleLogoutService location from the metadata file
FortiGate (Acceptto) # set idp-cert "REMOTE_Cert_1"    //Name of the Acceptto certificate uploaded in the previous step
FortiGate (Acceptto) # set user-name "username"    //Must match the attribute Name configured on the Acceptto side (see below)
FortiGate (Acceptto) # set digest-method sha1    //This guide uses sha1 to match the RSA-SHA1 Algorithm set on the Acceptto side
FortiGate (Acceptto) # next
FortiGate (saml) # end
Note: Check your SAML configuration with the following command, and compare each idp-* value character by character with the metadata file; a missing or extra trailing slash is enough to make the IdP reject the request:
FortiGate # show user saml
Note: SHA-1 signatures are deprecated. If both Acceptto and your FortiOS version support SHA-256, set digest-method sha256 here and RSA-SHA256 on the Acceptto side instead; the two sides must agree.
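As an added example (not Acceptto's or Fortinet's own code), the following Python script reads an IdP metadata document in the SAML 2.0 metadata shape this guide refers to, extracts the idp-* values and the SHA-256 fingerprint of the signing certificate, and diffs them against the output of show user saml, also checking that the three SP URLs are derived from the same base and flagging digest-method sha1. The metadata, the certificate placeholder (not a real X.509 certificate) and the show user saml output are constructed so the script runs offline; the show output layout is assumed from the way FortiOS renders configuration and may differ slightly on your version.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder, NOT a real X.509 certificate: it only lets the fingerprint code run
# offline. Use the real file from https://sso.acceptto.com/<org>/saml/download/cert.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()

# Constructed IdP metadata (entity, SSO/SLO locations, signing cert), not a real download.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso.acceptto.com/myorganization/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://sso.acceptto.com/myorganization/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://sso.acceptto.com/myorganization/saml/auth"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed `show user saml` output with one deliberate slip: a trailing slash on
# idp-single-logout-url that the metadata does not have.
SAMPLE_SHOW_OUTPUT = """config user saml
    edit "Acceptto"
        set cert "example.com.pfx"
        set entity-id "https://forti.example.com:4443/remote/saml/metadata/"
        set single-sign-on-url "https://forti.example.com:4443/remote/saml/login/"
        set single-logout-url "https://forti.example.com:4443/remote/saml/logout/"
        set idp-entity-id "https://sso.acceptto.com/myorganization/saml"
        set idp-single-sign-on-url "https://sso.acceptto.com/myorganization/saml/auth"
        set idp-single-logout-url "https://sso.acceptto.com/myorganization/saml/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set digest-method sha1
    next
end
"""


def cert_fingerprint_sha256(b64_der):
    """Colon-separated SHA-256 over the DER bytes, as certificate viewers display it."""
    der = base64.b64decode("".join(b64_der.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    """Return the IdP values FortiGate needs, keyed by their FortiOS setting names."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def redirect_location(tag):
        # FortiGate sends its AuthnRequest over HTTP-Redirect, so prefer that binding.
        for el in idp.findall("md:" + tag, NS):
            if el.get("Binding") == REDIRECT:
                return el.get("Location")
        return None

    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:  # a KeyDescriptor without a use attribute is valid for signing too
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "idp-entity-id": root.get("entityID"),
        "idp-single-sign-on-url": redirect_location("SingleSignOnService"),
        "idp-single-logout-url": redirect_location("SingleLogoutService"),
        "idp-cert-sha256": cert_fingerprint_sha256(cert.text),
    }


def fortios_idp_lines(idp):
    """The three `set idp-*` lines to paste into `config user saml` / `edit <name>`."""
    keys = ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url")
    return [f'set {k} "{idp[k]}"' for k in keys]


def parse_show_user_saml(text):
    """Turn `set <key> <value>` lines of `show user saml` into a dict (quotes stripped)."""
    settings = {}
    for m in re.finditer(r'^\s*set (\S+) "?([^"\n]*?)"?\s*$', text, re.M):
        settings[m.group(1)] = m.group(2)
    return settings


def check_sp_config(settings, idp):
    """Compare the running SP config with the IdP metadata; return a list of findings."""
    findings = []
    for key in ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url"):
        if settings.get(key) != idp[key]:
            findings.append(f"{key}: FortiGate has {settings.get(key)!r}, metadata says {idp[key]!r}")
    base = settings.get("entity-id", "")
    if not base.startswith("https://") or not base.endswith("/remote/saml/metadata/"):
        findings.append(f"entity-id {base!r} is not https://<host>:<port>/remote/saml/metadata/")
    else:
        prefix = base[:-len("metadata/")]  # login/ and logout/ must hang off the same base
        for key, tail in (("single-sign-on-url", "login/"), ("single-logout-url", "logout/")):
            if settings.get(key) != prefix + tail:
                findings.append(f"{key} does not match entity-id: expected {prefix + tail!r}")
    if settings.get("digest-method") == "sha1":
        findings.append("digest-method sha1: only needed to match an IdP set to RSA-SHA1; "
                        "use sha256 on both sides when the IdP offers RSA-SHA256")
    return findings


if __name__ == "__main__":
    idp_values = parse_idp_metadata(SAMPLE_METADATA)
    print("\n".join(fortios_idp_lines(idp_values)))
    print("IdP signing cert SHA-256:", idp_values["idp-cert-sha256"])
    for line in check_sp_config(parse_show_user_saml(SAMPLE_SHOW_OUTPUT), idp_values):
        print("FINDING:", line)
```

Feed it the real metadata from https://sso.acceptto.com/<myorganization>/saml/download/metadata and the pasted output of show user saml; the printed fingerprint should equal the fingerprint of the certificate uploaded under System > Certificates, otherwise the assertion signature will not verify.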
Return to your FortiGate UTM admin portal and go to User & Authentication > User Group.
Click Create New and set the following configurations:
Name – Set to a unique name.
For example, saml-Acceptto-group.
Type – Select Firewall.
Remote Groups – Click Add and select the Acceptto SAML configuration.
Click OK to save the configuration.
Go to Policy & Objects > Firewall Policy and edit the policy that applies to your SSL-VPN traffic.
Edit the Source field and add the SAML user group created above (for example, saml-Acceptto-group).
Click OK to save the configuration.
Go to VPN > SSL-VPN Settings.
In the Authentication/Portal Mapping section, click Create New.
Set the following configurations:
Users/Groups – Select the SAML user group created above (for example, saml-Acceptto-group).
Portal – Select the type of portal you are going to provide.
The options are: full-access, tunnel access, or web access.
Click OK.
Click Apply to save the configuration.
In the FortiGate console, raise the remote authentication timeout to 60 seconds so the SAML redirect and the user's MFA approval can complete before FortiGate abandons the login (the default of 10 seconds is too short for a push approval):
config system global
    set remoteauthtimeout 60
end
Acceptto SAML configuration as an Identity Provider (IdP)
In this section, you will add an application for FortiGate and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.
Log in to the Acceptto Dashboard with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name – Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, FortiGate.
Type – Set to SAML Service Provider.
Out of Band Methods – Select the allowed methods end users can choose to approve MFA requests.
For example, It'sMe app (push notifications), SMS, or Security Key.
Message for MFA Requests – (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations. Each value must be identical to the one entered on the FortiGate side, including the trailing slash:
Issuer or Entity ID – Enter the same Entity ID set during FortiGate configuration.
For example, https://forti.example.com:4443/remote/saml/metadata/
Sign in URL – Enter the same Sign in URL set during FortiGate configuration.
For example, https://forti.example.com:4443/remote/saml/login/
NameID Format – Set to Email Address.
Name Identifier – Set to Email.
Single Logout URL – Enter the same Single Logout URL set during FortiGate configuration.
For example, https://forti.example.com:4443/remote/saml/logout/
Algorithm – Set to RSA-SHA1. This must agree with the digest-method set on FortiGate (sha1 in this guide); if both sides can be set to SHA-256, prefer that, since SHA-1 signatures are deprecated.
Go to the Add New Attribute Assertion section and set the following configurations:
Note: The Name value must match with the user-name value set during FortiGate configuration.
Friendly Name – Set to username.
Name – Set to username.
Value – Set to mail. The username attribute then carries the user's email address, which is the identity FortiGate uses for the VPN session, policy matching and logs.
Name Format – Leave unspecified.
Click Save.
Test your application integration
Go to your FortiGate SSL-VPN URL, including the port if it is not 443.
For example, https://forti.example.com:4443
Alternatively, create a connection in FortiClient and click SAML Login.
You will be redirected to the Acceptto SSO page.
After successful authentication, approve the MFA request with your preferred method to grant access to the FortiGate VPN.
Finally, your connection to the FortiGate VPN is established.
If the login fails, run diagnose debug application samld -1 and then diagnose debug enable on the FortiGate CLI while retrying; the samld output shows the assertion FortiGate received and why it was rejected (diagnose debug disable turns the output off again).
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.