This is definitely a bit of a tricky one and I think different environments are going to have different configurations, but I can explain what got it working right in my environment.
I wanted to have employees accessing the company VPN with two-factor authentication. Since we are already an O365 shop with E3/F3s, it made sense to use the multi-factor authentication app we already had.
I had previously set up the FortiGate to use our internal DCs with LDAP to authenticate users when they accessed the VPN. The setup process is similar in some ways but a bit more involved. We are also running the 7.0.x version of FortiOS, which is relevant as some options are not available in previous versions.
This can be done in the GUI or the CLI. I initially used the CLI, but now that I understand the options, the GUI is probably the way to go unless you have specific requirements. A lot of the info I will describe can be found in Fortinet's documentation.
In the FortiGate: User & Authentication > Single Sign-On > Create New is where you configure the settings in the FortiGate. When creating a new single sign-on object, only some of the options are initially present. You can enter info from the later steps here, or enter dummy info and come back to edit it after it has been created.
In Azure (or Microsoft Entra admin center now): Applications > Enterprise Applications > New Application > FortiGate SSL VPN is the app that you will add to your Azure environment as the connector.
You'll want to have both screens open, as we will need to carry a lot of information back and forth between the two.
In the Azure enterprise app configuration, select "Single sign-on" to get to the setup page. You will want to download the SAML Signing Certificate in Base64 format.
Once downloaded you will import this certificate to the firewall.
- Sign in to the management portal of your FortiGate appliance.
- In the left pane, select System.
- Under System, select Certificates.
- Select Import > Remote Certificate.
- Browse to the certificate downloaded from the FortiGate app deployment in the Azure tenant, select it, and then select OK.
After the certificate is uploaded, take note of its name under System > Certificates > Remote Certificate. By default, it will be named REMOTE_Cert_N, where N is an integer value.
Next, in Azure, you want to edit the Basic SAML Configuration.
- Identifier (Entity ID): https://fortigate_external_vpn_url:port/saml/metadata
- Reply URL (Assertion Consumer Service URL): https://fortigate_external_vpn_url:port/remote/saml/login/
- Sign on URL: https://fortigate_external_vpn_url:port/remote/saml/login/
- Relay State:
- Logout URL (Single Logout Service URL):
Once this data is entered in Azure, save the setup and copy the URLs that you configured; most of them will be passed directly into the FortiGate.
In the FortiGate, under Edit Single Sign-On > Service Provider Configuration, you'll enter the Entity ID, Assertion consumer service URL, and the Single logout service URL in their respective fields.
Under "Identity Provider Configuration" you'll set Type to Custom and enter the information from the Azure application's fourth section, "Set up FortiGate SSL VPN" (Azure field -> FortiGate field):
- Login URL -> Assertion consumer service URL
- Azure AD Identifier -> Entity ID
- Logout URL -> Single logout service URL
Select the remote certificate imported earlier in the certificate dropdown.
SAML attribute claims are up to you. However, I set mine up to be based on a user's security group memberships.
- Attribute used to identify users: name
- Attribute used to identify groups: group
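For anyone taking the CLI route mentioned earlier, the Service Provider and Identity Provider settings above map onto a single `config user saml` block. This is an added example, not the author's configuration or Fortinet's: the object name `azure-saml`, the SP signing certificate `Fortinet_Factory`, the remote certificate name `REMOTE_Cert_1` and the `<tenant-id>` placeholder are assumptions you replace with your own values. The FortiGate-side URLs follow the Basic SAML Configuration above; the `login.microsoftonline.com` and `sts.windows.net` values are the standard Entra ID endpoints that the "Set up FortiGate SSL VPN" section shows for your tenant.

```fortios
# Added example (not the author's config). Replace the placeholders before use.
config user saml
    edit "azure-saml"
        # Local certificate the FortiGate uses to sign its own SAML requests (assumed name).
        set cert "Fortinet_Factory"
        # Service Provider side: must match the Basic SAML Configuration entered in Azure.
        set entity-id "https://fortigate_external_vpn_url:port/saml/metadata"
        set single-sign-on-url "https://fortigate_external_vpn_url:port/remote/saml/login/"
        set single-logout-url "https://fortigate_external_vpn_url:port/remote/saml/logout/"
        # Identity Provider side, copied from "Set up FortiGate SSL VPN" in the enterprise app:
        #   Azure AD Identifier -> idp-entity-id
        #   Login URL           -> idp-single-sign-on-url
        #   Logout URL          -> idp-single-logout-url
        # <tenant-id> is your directory (tenant) ID.
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        # The Base64 signing certificate imported under System > Certificates > Remote Certificate.
        set idp-cert "REMOTE_Cert_1"
        # Claim names exactly as defined in Attributes & Claims. A mismatch here means the
        # user authenticates at Azure but the FortiGate cannot place them in any group.
        set user-name "name"
        set group-name "group"
        set digest-method sha256
    next
end
```

When testing, `diagnose debug application samld -1` together with `diagnose debug enable` on the FortiGate prints the assertion it receives, which is the quickest way to confirm that the attribute names Azure sends are literally `name` and `group` and that the group values are what you expect.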
And in the corresponding section in Azure, section 2, "Attributes & Claims":
After this has been set up you should be ready to test. Keep in mind that the setup for VPN authentication is much the same as what you would have done for LDAP authentication or local group authentication. In FortiGate this means:
- Defining the group in User & Authentication > User Groups (When creating the group, you must enter the name of the security group that the user will have to be a part of to be associated with that group)
- Defining a portal the group will access in VPN > SSL-VPN Portals
- Mapping the group to a portal in VPN > SSL-VPN Settings
- Creating a firewall policy in Policy & Objects > Firewall Policy that allows traffic from the SSL VPN IP range to the desired VLANs/subnets, with the source user group set to the group previously defined.
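The four steps above, expressed as FortiOS CLI so the chain from SAML claim to firewall policy is visible in one place. This is an added example and not the author's configuration: the SAML object `azure-saml`, the group name `VPN-SAML-Users`, the interface `internal` and the address object `LAN-subnets` are assumptions; `full-access`, `ssl.root` and `SSLVPN_TUNNEL_ADDR1` are the FortiGate defaults for the SSL VPN portal, interface and tunnel address range. The `group-name` under `config match` must be the value the group claim actually carries for your security group (the author uses the group's name; if your claim is set to emit the group object ID, use that instead).

```fortios
# Added example (not the author's config). Names are assumptions; replace them.
# 1. User group whose membership is decided by the SAML "group" claim.
config user group
    edit "VPN-SAML-Users"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                # Value the group claim carries for the permitted security group.
                set group-name "<security-group-value>"
            next
        end
    next
end
# 2. Map the group to a portal ("full-access" exists by default).
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-SAML-Users"
            set portal "full-access"
        next
    end
end
# 3. Firewall policy: SSL VPN tunnel range -> internal subnets, restricted to the group.
#    "edit 0" creates a new policy with the next free ID.
config firewall policy
    edit 0
        set name "SSLVPN-SAML-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN-subnets"
        set groups "VPN-SAML-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Tying the policy to the group rather than to `all` is what makes the group claim matter: a user who signs in successfully at Azure but is not in the mapped security group gets no portal and matches no policy.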
Assuming all that is set correctly, you should have a working SSO connection. I also added a conditional access policy in Azure that says if you log in via this enterprise app then you are required to use 2FA, even if you would normally not be required to.
Hopefully that got you up and running. If not, here are some additional resources that helped when getting this set up: