FortiGate SSL VPN SAML integration
Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps: individuals must pass more than one security and validation procedure, each relying on something only they know or have access to.
Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.
Arculix by SecureAuth, as a SAML provider, improves the user login experience for FortiGate VPN users with its intelligent and convenient MFA.
Prerequisites
Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
User account with administrative access for FortiGate UTM.
FortiGate configuration
In this section, you'll configure FortiGate as a service provider.
Download the SAML metadata and certificate for your organization from Arculix.
Metadata download:
https://sso.acceptto.com/<myorganization>/saml/download/metadata
View metadata:
https://sso.acceptto.com/<myorganization>/saml/metadata
Certificate download:
https://sso.acceptto.com/<myorganization>/saml/download/cert
Log in to your FortiGate UTM as an administrator.
Go to System > Certificates.
Click Create/Import and select Remote Certificate.
Click Add to upload the Arculix certificate downloaded in Step 1.
Log in to FortiGate via Secure Shell Protocol (SSH) and enter the following commands to configure it as a SAML Service Provider (SP):
FortiGate #config user saml
FortiGate (saml) #edit "<enter a unique name for the SAML configuration>" //For example, edit "Arculix"
FortiGate (Arculix) #set cert "<SP certificate set on the SSL-VPN>" //For example, set cert "example.com.pfx"
FortiGate (Arculix) #set entity-id "https://<FortiGate external IP address>:<SSL-VPN configured port number>/remote/saml/metadata/" //For example, set entity-id "https://forti.example.com:4443/remote/saml/metadata/"
FortiGate (Arculix) #set single-sign-on-url "https://<FortiGate external IP address>:<SSL-VPN configured port number>/remote/saml/login/" //For example, set single-sign-on-url "https://forti.example.com:4443/remote/saml/login/"
FortiGate (Arculix) #set single-logout-url "https://<FortiGate external IP address>:<SSL-VPN configured port number>/remote/saml/logout/" //For example, set single-logout-url "https://forti.example.com:4443/remote/saml/logout/"
FortiGate (Arculix) #set idp-entity-id "<entityID value from the Arculix metadata file>" //For example, set idp-entity-id "https://sso.acceptto.com/<yourorganization>/saml"
FortiGate (Arculix) #set idp-single-sign-on-url "<SingleSignOn value from the Arculix metadata file>" //For example, set idp-single-sign-on-url "https://sso.acceptto.com/<yourorganization>/saml/auth"
FortiGate (Arculix) #set idp-single-logout-url "<SingleLogout value from the Arculix metadata file>" //For example, set idp-single-logout-url "https://sso.acceptto.com/<yourorganization>/saml/logout"
FortiGate (Arculix) #set idp-cert "Arculix certificate uploaded to FortiGate" //For example, set idp-cert "REMOTE_Cert_1"
FortiGate (Arculix) #set user-name "enter value for user attribute mapping on IDP" //For example, set user-name "username"
FortiGate (Arculix) #set digest-method sha1
FortiGate (Arculix) #next
FortiGate (saml) #end
Note: Check your SAML configuration with the following command:
FortiGate #show user saml
Return to your FortiGate UTM admin portal and go to User & Authentication > User Group.
Click Create New and set the following configurations:
Name
Set to a unique name.
For example, saml-Arculix-group.
Type
Set to Firewall.
Remote Groups
Click Add and select the Arculix SAML configuration.
Click OK to save the configuration.
Go to Policy & Object > Firewall Policy and edit the policy related to your SSL-VPN.
Edit the Source field and add the User Group created in Step 8.
Click OK to save the configuration.
Go to VPN > SSL-VPN Settings.
In the Authentication/Portal Mapping section, click Create New.
Set the following configurations:
Users/Groups
Select the User Group created in Step 8.
Portal
Select the type of portal you are going to provide.
The options are: full-access, tunnel access, or web access.
Click OK.
Click Apply to save the configuration.
In the FortiGate console, change the authentication timeout to 60 seconds with the following commands:
config system global
    set remoteauthtimeout 60
end
Arculix SAML configuration as an Identity Provider (IdP)
In this section, you'll add an application for FortiGate and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.
Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name
Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, FortiGate.
Type
Set to SAML Service Provider.
Out of Band Methods
Select the allowed methods end users can choose to approve MFA requests.
For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests
Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations:
Issuer or Entity ID
Enter the same EntityID set during FortiGate configuration.
For example, https://forti.example.com:4443/remote/saml/metadata/.
Log in URL
Enter the same Sign in URL set during FortiGate configuration.
For example, https://forti.example.com:4443/remote/saml/login/.
NameID Format
Set to Email Address.
Name Identifier
Set to Email.
Single Logout URL
Enter the same Single Logout URL set during FortiGate configuration.
For example, https://forti.example.com:4443/remote/saml/logout/.
Algorithm
Set to RSA-SHA1.
Go to the Add New Attribute Assertion section and set the following configurations:
Note
The Name value must match the user-name value set during FortiGate configuration.
Friendly Name
Set to username.
Name
Set to username.
Value
Set to mail.
Name Format
Leave unspecified.
Save your changes.
Test your application integration
Go to your FortiGate VPN URL.
For example, https://forti.example.com.
Alternatively, create a connection in FortiClient and click SAML Login.
You will be redirected to the Arculix SSO page.
After successful authentication, select your preferred MFA method to approve access to the FortiGate application.
Finally, your connection to the FortiGate VPN is established.
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.