Fortinet VPN SAML Single Sign-on (SSO)

This topic describes how to connect your SSL-VPN Fortinet solution to CyberArk Identity using SAML. This enables you to inherit your existing Adaptive SSO and MFA for strong security.

Supported SSO methods

You can configure the following SSO methods:

Method                   Description
SP-initiated SAML SSO    Configure SSO to enable your users to connect through the Fortinet VPN client software.

Before you begin

Before you begin, make sure you have the following prerequisites:

  • FortiGate with FortiOS 6.4.0 or later

  • FortiClient or FortiClient VPN 6.4.0 or later

  • Access to the CyberArk Identity Admin Portal

  • Access to the FortiGate admin console or CLI

Before you configure the FortiGate SSL VPN web interface for SSO, make sure you have the following:

  • FortiGate Domain: https://fortigate.[your-domain-name].com

  • You have created a FortiGate admin and users for SSO

Configure CyberArk Identity SSO for Fortinet VPN

This section describes how to configure SSO in the web interface.

Step 1: Add the Fortinet VPN app to the Identity Administration portal

  1. Go to Admin Portal > Apps > Web Apps and select Add Web Apps

  2. In the app catalog window, search for the Fortinet VPN app and select Add. Confirm that you want to add the application.

  3. Close the app catalog window to go to the Fortinet app configuration page.

Step 2: Configure the Fortinet VPN app for SSO

  1. Go to the Trust tab in the application pane

  2. From the Identity Provider Configuration > Manual Configuration section, download the signing certificate.

  3. In the Service Provider Configuration section, enter the following values:

    Element                      Value
    SP Entity ID or Issuer       https://fortigate.[domain name.com]:[port number]/remote/saml/metadata/
    ACS URL                      https://fortigate.[domain name.com]:8443/remote/saml/login/
    Single logout service URL    https://fortigate.[domain name.com]:8443/remote/saml/logout/

  4. Next, go to the SAML Response tab.

  5. Click Add to map the username attribute from your source directory to the Fortinet VPN app.

Step 3: Enable SAML in the Fortinet web interface

  1. Log in to your Fortinet VPN web interface as an Admin.

  2. Navigate to Users & Authentication > Single Sign-On and click Create.

  3. Enter a name.

  4. Enter the following values from the CyberArk Identity Admin Portal > Trust > Identity Provider Configuration section:

    • Entity ID

    • Assertion consumer service URL

      For the Fortinet web interface, the ACS URL is the same as the Single Sign-On URL.

    • Single logout service URL

  5. Under Certificate, click Create to upload the certificate you downloaded previously. This uploads the certificate to FortiGate as a remote certificate.

  6. Under Additional SAML attributes > Attribute used to identify users, add username.

Configure CyberArk Identity SSO for Fortinet VPN using the CLI

This section describes how to configure SSO using the FortiOS CLI. Earlier versions of FortiOS may support configuring SAML SSO only through the CLI.

Step 1: Configure the Fortigate as the SP

config user saml
    # The name given here is the SAML server object referenced by the user group in Step 2
    edit "fac-sslvpn"
        # SP (this FortiGate) endpoints: FQDN and PORT are the SSL VPN address and port
        set entity-id "https://FQDN:PORT/remote/saml/metadata/"
        set single-sign-on-url "https://FQDN:PORT/remote/saml/login/"
        set single-logout-url "https://FQDN:PORT/remote/saml/logout/"
        # IdP values copied from CyberArk Identity Admin Portal > Trust > Identity Provider Configuration
        set idp-entity-id "CYBERARK IDENTITY IdP ENTITY ID/ISSUER"
        set idp-single-sign-on-url "CYBERARK IDENTITY SINGLE SIGN ON URL"
        set idp-single-logout-url "CYBERARK IDENTITY SINGLE LOG OUT URL"
        # Name of the CyberArk signing certificate once imported as a remote certificate
        set idp-cert "REMOTE_Cert_3"
        # SAML attribute that carries the user name (the attribute mapped in the SAML Response tab)
        set user-name "username"
    next
end
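The values in the web-interface Service Provider Configuration table (Step 2 above) and in this `config user saml` block are the same three SP URLs plus the IdP entity ID, SSO URL, SLO URL and signing certificate from the CyberArk side. The following script is an added example, not code from CyberArk or Fortinet: it derives the SP URLs from the FortiGate FQDN and port, reads the IdP values out of a SAML 2.0 IdP metadata document, converts the embedded certificate to PEM for the remote-certificate import, and renders the CLI block so the values are not retyped by hand. The metadata document, hostnames, app key and certificate body are constructed placeholders, and preferring the HTTP-Redirect binding for the IdP endpoints is this example's assumption.

```python
"""Render the FortiOS 'config user saml' block from IdP SAML metadata.

Added example; not code from the CyberArk or Fortinet documentation. The
metadata below is CONSTRUCTED: entity ID, URLs and certificate are placeholders.
"""
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata (SAML 2.0 metadata shape, placeholder values).
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/EXAMPLE-APP-KEY">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBPLACEHOLDERCERTIFICATEBODYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/logout/EXAMPLE-APP-KEY"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/login-post/EXAMPLE-APP-KEY"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/login/EXAMPLE-APP-KEY"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(idp, tag):
    """Location of IdP endpoint <tag>; prefer HTTP-Redirect (assumption), else the first one."""
    els = idp.findall(f"md:{tag}", NS)
    if not els:
        raise ValueError(f"{tag} not present in IdP metadata")
    for el in els:
        if el.get("Binding") == HTTP_REDIRECT:
            return el.get("Location")
    return els[0].get("Location")


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO/SLO URLs and the signing certificate (bare base64)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing as well as encryption.
        if kd.get("use", "signing") == "signing":
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_b64 = "".join(el.text.split())
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in IdP metadata")
    return {"entity_id": root.get("entityID"),
            "sso_url": _endpoint(idp, "SingleSignOnService"),
            "slo_url": _endpoint(idp, "SingleLogoutService"),
            "cert_b64": cert_b64}


def to_pem(cert_b64):
    """Wrap the base64 DER body as PEM, which the FortiGate remote-certificate import accepts."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sp_endpoints(fqdn, port):
    """SP values entered in the CyberArk Service Provider Configuration section."""
    base = f"https://{fqdn}:{port}"
    return {"entity_id": f"{base}/remote/saml/metadata/",
            "acs_url": f"{base}/remote/saml/login/",
            "slo_url": f"{base}/remote/saml/logout/"}


def render_user_saml(name, fqdn, port, idp_metadata_xml, idp_cert_name, user_attr="username"):
    """Render the CLI block; idp_cert_name is the name FortiGate gave the imported certificate."""
    sp = sp_endpoints(fqdn, port)
    idp = parse_idp_metadata(idp_metadata_xml)
    lines = ["config user saml", f'    edit "{name}"',
             f'        set entity-id "{sp["entity_id"]}"',
             f'        set single-sign-on-url "{sp["acs_url"]}"',
             f'        set single-logout-url "{sp["slo_url"]}"',
             f'        set idp-entity-id "{idp["entity_id"]}"',
             f'        set idp-single-sign-on-url "{idp["sso_url"]}"',
             f'        set idp-single-logout-url "{idp["slo_url"]}"',
             f'        set idp-cert "{idp_cert_name}"',
             f'        set user-name "{user_attr}"',
             "    next", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_pem(parse_idp_metadata(SAMPLE_IDP_METADATA)["cert_b64"]))
    print(render_user_saml("cyberark_saml", "fortigate.example.com", 8443,
                           SAMPLE_IDP_METADATA, "REMOTE_Cert_3"))
```

Run it with the real IdP metadata XML in place of the sample, import the printed PEM as a remote certificate, and substitute the name FortiGate assigns to it (REMOTE_Cert_3 in the page's block) before pasting the rendered configuration. Because the SP URLs are generated from one FQDN and port, the entity ID, ACS URL and logout URL cannot drift apart, which is the usual cause of an IdP-side "unknown service provider" rejection.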

Step 2: Add the SAML user to the user group

config user group
    edit "saml_sslvpn"
        # member must be the name of the SAML server object created in Step 1
        set member "fac-sslvpn"
    next
end

Step 3: Configure SSL VPN

config vpn ssl settings
    set servercert "acme-cert"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "saml_sslvpn"
            set portal "full-access"
        next
    end
end

Step 4: Add the SAML user group to a firewall policy

config firewall policy
    edit 8
        set srcintf "ssl.vdom1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "local" "saml_sslvpn"
        set nat enable
    next
end

Configure the FortiClient VPN

This section describes how to configure FortiClient for single sign-on.

In a managed FortiClient environment, this is configured in the FortiClient EMS console.

  1. In the FortiClient client, create a new SSL-VPN profile and enter the following values:

    Element            Description
    Connection name    Give the connection a meaningful name
    Remote gateway     The public IP address of the FortiGate firewall

  2. Select Customized port and enter the port number

  3. Select Enable Single Sign-on (SSO) for VPN Tunnel

Troubleshoot configurations

Use the following CLI commands to troubleshoot configuration issues:

Issue: Debug SAML flow

    diagnose debug reset
    # optional:
    diagnose debug application httpsd -1
    diagnose debug application samld -1
    diagnose debug console timestamp enable
    diagnose debug enable

Issue: Debug SSL VPN authentication

    diagnose debug reset
    diagnose debug console timestamp enable
    diagnose debug application fnbamd -1
    diagnose debug application authd -1
    diagnose debug application sslvpn -1
    diagnose debug enable

Additional resources