
FortiGate SSL VPN SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Users are authenticated through more than one required security and validation step, each relying on something only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Arculix by SecureAuth, as a SAML provider, improves the user login experience for FortiGate VPN users with its intelligent and convenient MFA.

Prerequisites

  • Arculix account with a configured Identity Provider and LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • FortiGate UTM user account with administrative access.

  • User account with administrative privileges for Arculix.

FortiGate configuration

In this section, you'll configure FortiGate as a service provider.

  1. Download the SAML metadata and certificate for your organization from Arculix.

    Metadata download: https://sso.arculix.com/<myorganization>/saml/download/metadata

    View metadata: https://sso.arculix.com/<myorganization>/saml/metadata

    Certificate download: https://sso.arculix.com/<myorganization>/saml/download/cert

  2. Log in to your FortiGate UTM as an administrator.

  3. Go to System > Certificates.

    FortiGate certificates
  4. Click Create/Import and select Remote Certificate.

    Add Remote Certificate
  5. Click Add to upload the Arculix certificate downloaded in Step 1.

  6. Log in to FortiGate via Secure Shell Protocol (SSH) and enter the following commands to configure it as a SAML Service Provider (SP):

    FortiGate #config user saml
    FortiGate (saml) #edit "<enter a unique name for the SAML configuration>"
    //For example, edit "Arculix"
    FortiGate (Arculix) #set cert "<SP certificate set on the SSL-VPN>"
    //For example, set cert "example.com.pfx"
    FortiGate (Arculix) #set entity-id "https://<FortiGate external IP address>:<SSL-VPN configured port number>/remote/saml/metadata/"
    //For example, set entity-id "https://forti.example.com:4443/remote/saml/metadata/"
    FortiGate (Arculix) #set single-sign-on-url "https://<FortiGate external IP address>:<SSL-VPN configured port number>/remote/saml/login/"
    //For example, set single-sign-on-url "https://forti.example.com:4443/remote/saml/login/"
    FortiGate (Arculix) #set single-logout-url "https://<FortiGate external IP address>:<SSL-VPN configured port number>/remote/saml/logout/"
    //For example, set single-logout-url "https://forti.example.com:4443/remote/saml/logout/"
    FortiGate (Arculix) #set idp-entity-id "<entityID value from the Arculix metadata file>"
    //For example, set idp-entity-id "https://sso.arculix.com/<yourorganization>/saml"
    FortiGate (Arculix) #set idp-single-sign-on-url "<SingleSignOn value from the Arculix metadata file>"
    //For example, set idp-single-sign-on-url "https://sso.arculix.com/<yourorganization>/saml/auth"
    FortiGate (Arculix) #set idp-single-logout-url "<SingleLogout value from the Arculix metadata file>"
    //For example, set idp-single-logout-url "https://sso.arculix.com/<yourorganization>/saml/logout"
    FortiGate (Arculix) #set idp-cert "<name of the Arculix certificate uploaded to FortiGate in Step 5>"
    //For example, set idp-cert "REMOTE_Cert_1"
    FortiGate (Arculix) #set user-name "<name of the user attribute mapped on the IdP>"
    //For example, set user-name "username"
    FortiGate (Arculix) #set digest-method sha1
    FortiGate (Arculix) #next
    FortiGate (saml) #end

    Note: Check your SAML configuration with the following command:

    FortiGate #show user saml
  7. Return to your FortiGate UTM admin portal and go to User & Authentication > User Group.

    User Groups
  8. Click Create New and set the following configurations:

    Name

    Set to a unique name.

    For example, saml-Arculix-group.

    Type

    Set to Firewall.

    Remote Groups

    Click Add and select the Arculix SAML configuration.

    Add User Groups
  9. Click OK to save the configuration.

  10. Go to Policy & Object > Firewall Policy and edit the policy related to your SSL-VPN.

    Firewall policy
  11. Edit the Source field and add the User Group created in Step 8.

    Edit firewall policy
  12. Click OK to save the configuration.

  13. Go to VPN > SSL-VPN Settings.

    SSL-VPN settings
  14. In the Authentication/Portal Mapping section, click Create New.

  15. Set the following configurations:

    Users/Groups

    Select the User Group created in Step 8.

    Portal

    Select the type of portal you are going to provide.

    The options are: full-access, tunnel access, or web access.

    New portal mapping
  16. Click OK.

  17. Click Apply to save the configuration.

  18. In the FortiGate console, change the authentication timeout to 60 seconds with the following commands:

    config system global
    set remoteauthtimeout 60
    end
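The Step 6 CLI block is the usual place for copy errors, since every idp-* value is re-typed from the metadata downloaded in Step 1. The following added example (not code from the Arculix or Fortinet documentation) parses an IdP metadata document and renders the FortiOS block from it; the metadata is a constructed sample, and the organisation name, SP host, port, certificate names and attribute name are placeholders for the operator's own values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of the IdP metadata downloaded in Step 1 (placeholder organisation).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.arculix.com/myorg/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.arculix.com/myorg/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.arculix.com/myorg/saml/auth"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull the three idp-* values FortiGate needs out of the IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    if sso is None or slo is None:
        raise ValueError("metadata lacks SingleSignOnService or SingleLogoutService")
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location"), "slo_url": slo.get("Location")}

def fortios_saml_config(idp, sp_host, sp_port, name="Arculix", sp_cert="example.com.pfx",
                        idp_cert="REMOTE_Cert_1", user_attr="username"):
    """Render the Step 6 CLI block; sp_host, sp_port and the cert names are the operator's own."""
    base = f"https://{sp_host}:{sp_port}/remote/saml"  # SP URLs must match the Arculix side exactly
    lines = ["config user saml", f'    edit "{name}"',
             f'        set cert "{sp_cert}"',
             f'        set entity-id "{base}/metadata/"',
             f'        set single-sign-on-url "{base}/login/"',
             f'        set single-logout-url "{base}/logout/"',
             f'        set idp-entity-id "{idp["entity_id"]}"',
             f'        set idp-single-sign-on-url "{idp["sso_url"]}"',
             f'        set idp-single-logout-url "{idp["slo_url"]}"',
             f'        set idp-cert "{idp_cert}"',
             f'        set user-name "{user_attr}"',
             "        set digest-method sha1", "    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(fortios_saml_config(parse_idp_metadata(SAMPLE_METADATA), "forti.example.com", 4443))
```

The printed block can be pasted into the FortiGate SSH session in place of the hand-typed commands; compare it with the output of show user saml afterwards.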

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for FortiGate and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:

    Name

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, FortiGate.

    Type

    Set to SAML Service Provider.

    Out of Band Methods

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests

    (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

    Arculix new application for FortiGate
  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID

    Enter the same EntityID set during FortiGate configuration.

    For example, https://forti.example.com:4443/remote/saml/metadata/.

    Log in URL

    Enter the same Sign in URL set during FortiGate configuration.

    For example, https://forti.example.com:4443/remote/saml/login/.

    NameID Format

    Set to Email Address.

    Name Identifier

    Set to Email.

    Single Logout URL

    Enter the same Single Logout URL set during FortiGate configuration.

    For example, https://forti.example.com:4443/remote/saml/logout/.

    Algorithm

    Set to RSA-SHA1.

    Arculix FortiGate SAML settings
  5. Go to the Add New Attribute Assertion section and set the following configurations:

    Note

    The Name value must match with the user-name value set during FortiGate configuration.

    Friendly Name

    Set to username.

    Name

    Set to username.

    Value

    Set to mail.

    Name Format

    Leave unspecified.

    Arculix attribute assertion for FortiGate
  6. Save your changes.
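A failed VPN login is most often a mismatch between what Arculix puts in the assertion (Steps 4 and 5 above) and what FortiGate was told in config user saml. The following added example (not from the Arculix or Fortinet documentation) checks a decoded assertion against those FortiGate values: Audience against entity-id, Recipient against single-sign-on-url, the NameID format, and the presence of the attribute named by user-name. The assertion and the FortiGate values are constructed samples with placeholder host, organisation and user.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed assertion in the shape produced by the Step 4-5 settings (placeholder host and user).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Issuer>https://sso.arculix.com/myorg/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://forti.example.com:4443/remote/saml/login/"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://forti.example.com:4443/remote/saml/metadata/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The values given to FortiGate in "config user saml" (Step 6 of the FortiGate section); placeholders.
FORTIGATE_SAML = {"entity-id": "https://forti.example.com:4443/remote/saml/metadata/",
                  "single-sign-on-url": "https://forti.example.com:4443/remote/saml/login/",
                  "idp-entity-id": "https://sso.arculix.com/myorg/saml",
                  "user-name": "username"}

def check_assertion(xml_text, cfg):
    """Return the list of mismatches between the assertion and the SP config (empty means consistent)."""
    a = ET.fromstring(xml_text)
    problems = []
    def text(path):
        el = a.find(path, NS)
        return el.text.strip() if el is not None and el.text else None
    if text("saml:Issuer") != cfg["idp-entity-id"]:
        problems.append("Issuer does not match idp-entity-id")
    if text("saml:Conditions/saml:AudienceRestriction/saml:Audience") != cfg["entity-id"]:
        problems.append("Audience does not match entity-id (Issuer or Entity ID in Arculix)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["single-sign-on-url"]:
        problems.append("Recipient does not match single-sign-on-url (Log in URL in Arculix)")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not Email Address")
    names = [at.get("Name") for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)]
    if cfg["user-name"] not in names:
        problems.append(f'no attribute named "{cfg["user-name"]}" (Name in Attribute Assertion)')
    return problems
```

This checks field consistency only; the signature over the assertion is still verified by FortiGate against the certificate set with idp-cert.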

Test your application integration

  1. Go to your FortiGate VPN URL.

    For example, https://forti.example.com.

    Edit VPN connection

    Alternatively, create a connection in FortiClient and click SAML Login.

    FortiClient SAML login
  2. You will be redirected to the Arculix SSO page.

    Application login page with email
  3. After successful authentication, select your preferred MFA method to approve access to the FortiGate application.

    Select an authenticator
  4. Finally, your connection to the FortiGate VPN is established.

    FortiGate VPN connected

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.