How to configure FortiClient SSL VPN SSO with Azure AD. In this comprehensive blog post, we’ll explore two crucial steps: First, we’ll delve into setting up Azure Enterprise Application, providing you with a solid foundation. Then, we’ll guide you through the intricate process of implementing Single Sign-On (SSO) on FortiGate, ensuring a seamless and secure user authentication experience. By the end of this tutorial, you’ll have a robust, integrated VPN solution, empowering your organization with top-notch cybersecurity. Let’s dive in and fortify your network defenses!
Table of Contents
What are we going to set up?
In the first step, we will create a new enterprise application in Entra/Azure. During this process, we will directly configure important parameters for SAML sign-in. In the second step, we will configure Single Sign-On (SSO) on the FortiGate. In the third step, we will create a group in Azure Active Directory (AAD) and add it to the FortiGate. This allows us to use the group from AAD directly in the policies on the FortiGate. In the final step, we will add a new user.
Setup Azure Enterprise Application
We first need to create an Enterprise Application for the FortiClient SSL VPN SSO. Follow these steps:
- Navigate to https://entra.microsoft.com/
- Click on Identity
- Click on Applications
- Click on Enterprise applications
- Click on New application
- Search for FortiGate
- Click on the FortiGate SSL VPN application
- Click on Create
- The application will be added. This can take a minute.
- Click on the newly generated application FortiGate SSL VPN
- Click on Single sign-on
- Click on SAML
- Click on Edit on the Basic SAML Configuration
In the SAML setting we need to define the following settings. Just modify the Green Parts from the URL below:
- Identifier (Entity ID):
- https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/metadata
-
- https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/login
- Sign on URL
- https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/login
- Logout Url (Optional)
- https://<FortiGate IP or FQDN address>:<Custom SSL VPN port><FQDN>/remote/saml/logout
In the picture i used the fortigate.fortiddns.com FQDN and an custom Port 10443.
- Click on Save
- Click on Edit from the Attributes & Claims
- Click on Add new claim
- In Name enter username
- In Source attribute enter user.userprincipalname
- Click on Save
- Click on Add a group claim
- Click on All groups
- In the Advanced options tick the Customize the name of the group claim
- In the Name enter group
- Go back to the application Single sign-on
- On the SAML Certificates Download the Certificate (Base64). We need this file in step 2.
- The Login URL / Microsoft Entra ID Identifier and Logout URL we need in step 2.
Setup SSO on FortiGate
First we are going to upload the Base64 SAML certificate to the FortiGate.
- Connect and Login to the FortiGate Management Interface
- Navigate to System
- Under System, select Certificates
- Select Import > Remote Certificate
- Click on Upload
- Browse to the Base64 certificate downloaded from the FortiGate app deployment in the Azure tenant, select it, and then select OK
- Go check on the Certificates page. There should be a new Certificate under Remote Certificate. Note down the name of the Certificate. By default, it will be named REMOTE_Cert_N, where N is an integer value.
Although you can configure SSO from the GUI since FortiOS 7.0, the CLI configurations apply to all versions and are therefore shown here.
- On the GUI click on the CLI Console
See the command below. We just need to fill out the right Information of the Green text. For every Red number there is a short descriptions where you can find the Information.
Just enter the Command one by one.
config user saml edit azure set cert <FortiGate VPN Server Certificate Name [1]> set entity-id <Identifier (Entity ID)Entity ID [2]> set single-sign-on-url <Reply URL Reply URL [3]> set single-logout-url <Logout URL [4]> set idp-entity-id <Azure AD Identifier [5]> set idp-single-sign-on-url <Azure Login URL [6]> set idp-single-logout-url <Azure Logout URL [7]> set idp-cert <Base64 SAML Certificate Name [8]> set user-name username set group-name group next end
For [1] connect to your FortiGate Management Interface
- Navigate to VPN > SSL-VPN Settings
- Copy the name of the Server Certificate. Default Certificate is called Fortinet_Factory.
For [2], [3],[4], [5], [6] and [7]we need to get the Information from the Enterprise application on Microsoft Entra.
- Go to https://entra.microsoft.com/
- Click on Application
- Click on Enterprise applications
- Click on the created application from Step 1 (FortiGate SSL VPN)
- Click on Single sign-on
- There we need the information from the Basic SAML Configuration and Set up FortiGate SSL VPN
For [8] enter the Name of the Remote Certificate which we have uploaded to the FortiGate.
- Connect to the FortiGate Management Interface
- Click on System
- Click on Certificates
- Go down to Remote Certificate
In the end, you have entered something like this:
config user saml
edit azure
set cert Fortinet_Factory
set entity-id "https://fortigate.fortiddns.com:10443/remote/saml/metadata"
set single-sign-on-url "https://fortigate.fortiddns.com:10443/remote/saml/login"
set single-logout-url "https://fortigate.fortiddns.com:10443/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/38a0dedb-xxxxx-xxxxxx-xxxxx/"
set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxx-xxxxxxx-xxxxxxx/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxxx/saml2"
set idp-cert REMOTE_CERT_1
set user-name username
set group-name group
next
end
Congratulations! You have finished with the FortiGate SSO Setup. Now go to Step 3
Setup FortiGate group matching
In this section we are going to create a Security Group on Azure and Connect the Group to the FortiGate. This allows us to define, who can access the FortiClient connection.
Follow these steps to create a Security Group.
- Go to https://entra.microsoft.com/
- Click on Groups
- Click on All groups
- Click on New group
- Group type Security
- Group name FortiGateAccess
- Click on Create
- Click on the newly created Security Group FortiGateAccess
- Go to the Overview page and copy the Object id. We need this in the next step.
Now we are going to integrate the security group in to the FortiGate.
- Connect to the FortiGate management interface
- Open the CLI Console
- Enter the following Command. In the green spot enter the copied Object Id of the security group.
config user group
edit FortiGateAccess
set member azure
config match
edit 1
set server-name azure
set group-name <Object Id [1]>
next
end
next
end
Copy the Object Id of the newly created security group FortiGateAccess.
Use this group to allow users to connect to the Forticlient. Add this group to your SSL-VPN settings and to your firewall policy if applicable.
Add User
To add a user you need to add them to the FortiGateAccess security group and as member in the FortiGate SSL VPN enterprise application.
The setup of the Forticlient SSO is now finished. Users can now use their Microsoft Account for logging in to their Forticlient connection.
Hello, do I need a license on the ms side for this process? I already have a hybrid environment, can we configure it without getting an extra license?
Hi Gokhan
Thanks for your comment. Yes that is correct. You dont need an extra license for it.
Kind regards
Max