FortiGate Firewall - SAML IDR SSO Configuration Using SSL VPN - RSA Ready Implementation Guide

This section describes how to integrate FortiGate SSL VPN with RSA Cloud Authentication Service using SAML IDR SSO. 

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service.

Procedure

  1. In the RSA Cloud Authentication Service section, go to RSA Cloud Tenant Admin GUI > Authentication Clients > RADIUS > Add RADIUS Clients and Profiles.
  2. Enter the IP address of the RADIUS client (the FortiGate).
  3. Enter the Shared Secret.
  4. Clear the Message Authenticator attribute checkbox, because FortiGate does not send the Message Authenticator attribute in its authentication requests.

Note: Enter the rest of the configuration according to your required setup.

Configuration is complete.

Configure FortiGate SSL VPN using SAML IDR SSO

Perform these steps to configure the RSA Cloud Authentication Service application and the FortiGate SSL VPN for SAML IDR SSO.

Procedure  

  1. Log in to the RSA Cloud Console and go to Applications > Applications Catalog > Create from Template > SAML Direct.
  2. Select Identity Router.
  3. In the Connection Profile section, select Redirect in the Binding Request section.
  4. Select SP-initiated flow and enter the URL in the following format.

Note: The port can differ according to the configuration on the FortiGate. To verify it, open the FortiGate GUI > VPN > SSL-VPN Settings and check the Listen on Port field.

  5. Enter the Connection URL: https://<FQDN or IP>:<SSLVPN port>/remote/login/
  6. In the Identity Provider section, select Override, because FortiGate does not accept the Identity String; it requires the full URL.
  7. In the SAML Response Protection section, choose whether to sign only the SAML Assertion or the entire SAML Response.

Note: You can also override the default certificate used for SAML Response signing.

  8. In the Service Provider section, enter the following information.
    1. ACS URL: https://<FQDN or IP>:<SSLVPN port>/remote/saml/login/
    2. Service Provider Entity ID: https://<FQDN or IP>:<SSLVPN port>/remote/saml/metadata/
  9. Under Advanced Configuration, in the User Identity section, set the Identifier type to unspecified and map it to mail, userPrincipalName or sAMAccountName. You must also return an Assertion Attribute named username, mapped to mail, userPrincipalName or sAMAccountName. To send the groups the user is a member of, return an attribute named group, mapped to virtualGroups.
  10. Select whether to sign the entire SAML Response or only the Assertion.

Note: Do not use Encrypt Assertion, because FortiGate does not support it.

  11. In the Relay State Encoding section, set the following fields.
  12. Click Next Step.
  13. In the User Access section, select the required policy, then click Next Step.
  14. In the Portal Display section, clear the Display in Portal checkbox.

Note: Ensure that Display in Portal is disabled, because FortiGate does not support IdP-initiated SAML SSO for SSL VPN.

  15. Click Save & Finish, and then Publish changes.
  16. Open the FortiGate GUI and import the certificate retrieved from the RSA Cloud Console.
  17. Go to System > Certificates, select Remote Certificate and click OK.
  18. Open the FortiGate CLI and run the following commands:

    FEIRDUFG02 # config user saml
    FEIRDUFG02 (saml) # edit RSA_SecurID_IDR
    new entry 'RSA_SecurID_IDR' added
    FEIRDUFG02 (RSA_SecurID_IDR) # set entity-id https://<FQDN or IP>:<SSLVPN port>/remote/saml/metadata/
    FEIRDUFG02 (RSA_SecurID_IDR) # set single-sign-on-url https://<FQDN or IP>:<SSLVPN port>/remote/saml/login/
    FEIRDUFG02 (RSA_SecurID_IDR) # set single-logout-url https://<FQDN or IP>:<SSLVPN port>/remote/saml/logout/
    FEIRDUFG02 (RSA_SecurID_IDR) # set idp-entity-id "<RSA SSO URL>"
    FEIRDUFG02 (RSA_SecurID_IDR) # set idp-single-sign-on-url "<RSA SSO URL>"
    FEIRDUFG02 (RSA_SecurID_IDR) # set idp-cert "<name of the certificate used to validate the RSA SAML Response>"
    FEIRDUFG02 (RSA_SecurID_IDR) # set user-name username
    FEIRDUFG02 (RSA_SecurID_IDR) # set group-name group
    FEIRDUFG02 (RSA_SecurID_IDR) # end
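The CLI entry above ties the FortiGate's view of the SAML exchange together: entity-id is the Audience the IdR must put in the assertion, single-sign-on-url is the Destination the response is posted to, idp-entity-id is the Issuer, and user-name/group-name are the assertion attributes the IdR application was configured to return. The Python script below is an added example, not RSA Cloud or FortiOS code; it applies those same checks to a SAML Response captured from a browser, so a failing login can be diagnosed before touching the FortiGate configuration. It flags an EncryptedAssertion (which the guide says FortiGate does not support), reports whether a Signature element is present, and extracts the username and group attributes. It does not verify the XML signature; the FortiGate does that with the certificate named in idp-cert. The hostnames, URLs, idp_id value and the embedded response are constructed sample values.

```python
"""Added example (not RSA or FortiOS code): sanity-check a SAML Response against
the SP settings this guide configures. Hostnames, URLs, idp_id and the response
are constructed. Only the plaintext assertion is checked; the XML signature is
verified by the FortiGate with the certificate in 'idp-cert', not here."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass
class SpSettings:
    """Mirrors the FortiGate 'config user saml' entry."""
    entity_id: str               # set entity-id
    acs_url: str                 # set single-sign-on-url
    idp_entity_id: str           # set idp-entity-id
    user_attr: str = "username"  # set user-name
    group_attr: str = "group"    # set group-name


@dataclass
class CheckResult:
    user: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(xml_text: str, sp: SpSettings, now: datetime) -> CheckResult:
    res = CheckResult()
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        res.errors.append("root element is not samlp:Response")
        return res
    # Destination must be the ACS URL entered in the IdR's Service Provider section.
    if root.get("Destination") != sp.acs_url:
        res.errors.append(f"Destination {root.get('Destination')!r} does not match ACS URL")
    # Issuer is the RSA SSO URL, i.e. idp-entity-id on the FortiGate.
    if root.findtext("saml:Issuer", namespaces=NS) != sp.idp_entity_id:
        res.errors.append("Issuer does not match idp-entity-id")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        res.errors.append("StatusCode is not Success")
    # Encrypt Assertion must be off on the IdR: FortiGate cannot decrypt it.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        res.errors.append("assertion is encrypted; FortiGate SSL VPN does not support Encrypt Assertion")
        return res
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        res.errors.append("no Assertion element in Response")
        return res
    # Response or Assertion must be signed (presence only; verification is the FortiGate's job).
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        res.errors.append("neither Response nor Assertion carries a Signature")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp.entity_id:
        res.errors.append(f"Audience {audience!r} does not match entity-id")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            res.errors.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            res.errors.append("assertion expired (NotOnOrAfter)")
    attrs: Dict[str, List[str]] = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
    users = attrs.get(sp.user_attr, [])
    if len(users) != 1:
        res.errors.append(f"expected one {sp.user_attr!r} attribute value, got {len(users)}")
    else:
        res.user = users[0]
    res.groups = attrs.get(sp.group_attr, [])  # what the FortiGate user group matches on
    return res


# Constructed sample SP settings and response (not a real host or RSA tenant).
SP = SpSettings(
    entity_id="https://vpn.example.com:10443/remote/saml/metadata/",
    acs_url="https://vpn.example.com:10443/remote/saml/login/",
    idp_entity_id="https://idr.example.com/IdPServlet?idp_id=EXAMPLE",
)
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
EXPIRED_NOW = datetime(2024, 5, 1, 12, 10, tzinfo=timezone.utc)

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="https://vpn.example.com:10443/remote/saml/login/">
  <saml:Issuer>https://idr.example.com/IdPServlet?idp_id=EXAMPLE</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idr.example.com/IdPServlet?idp_id=EXAMPLE</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://vpn.example.com:10443/remote/saml/metadata/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>vpn-tunnel</saml:AttributeValue><saml:AttributeValue>vpn-web</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with Encrypt Assertion left on, as a misconfigured IdR application would send.
ENCRYPTED_RESPONSE = SAMPLE_RESPONSE.split("<saml:Assertion")[0] + (
    '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    '</saml:EncryptedAssertion></samlp:Response>')

if __name__ == "__main__":
    r = check_saml_response(SAMPLE_RESPONSE, SP, SAMPLE_NOW)
    print("user:", r.user, "groups:", r.groups, "errors:", r.errors)
```

Paste a decoded SAMLResponse (the base64 form parameter posted to /remote/saml/login/) in place of SAMPLE_RESPONSE and use the FortiGate's own entity-id, single-sign-on-url and idp-entity-id in SpSettings; an Audience or Destination mismatch almost always means the FQDN or SSL VPN port differs between the IdR application and the FortiGate.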

Notes:

  • FEIRDUFG02 (RSA_SecurID_IDR) # set idp-cert REMOTE_Cert_3: REMOTE_Cert_3 is the certificate imported under System > Certificates that the FortiGate uses to verify the signature on the RSA SAML Response.
  • RSA SSO URL: idp-single-sign-on-url and idp-entity-id have the same value, which can be retrieved from the RSA Cloud Console.
  • To fetch the SSL VPN port, open the FortiGate GUI > VPN > SSL-VPN Settings and check the Listen on Port field.

Sample configuration:

config user saml
    edit "RSA_SecurID"
        set cert "test-lab"
        set entity-id "https://192.168.61.250:10443/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.61.250:10443/remote/saml/login/"
        set single-logout-url "https://192.168.61.250:10443/remote/saml/logout/"
        set idp-entity-id "https://xeirduidr01.dawoud.com/IdPServlet?idp_id=avqpwg9r0lfr"
        set idp-single-sign-on-url "https://xeirduidr01.dawoud.com/IdPServlet?idp_id=avqpwg9r0lfr"
        set idp-cert "REMOTE_Cert_3"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
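The sample configuration is easy to get subtly wrong: a port in the SP URLs that does not match the SSL-VPN Listen on Port value, SP URLs that disagree on host, an idp-entity-id that differs from idp-single-sign-on-url, or a missing idp-cert each break the flow with little diagnostic output. The Python script below is an added example, not FortiOS or RSA code; it parses a config user saml block pasted from the CLI (the sample above, plus a constructed broken variant) and reports those mismatches. The suggestion to prefer sha256 for digest-method is an assumption about the FortiOS version in use and about what the Identity Router is configured to produce.

```python
"""Added example (not FortiOS or RSA code): parse a FortiGate 'config user saml'
block and check it against this guide's rules. The sha256 suggestion assumes a
FortiOS version that offers it and an IdR configured to match."""
import shlex
from typing import Dict, List
from urllib.parse import urlparse

# Path each SP URL must end with, per the guide.
SP_PATHS = {
    "entity-id": "/remote/saml/metadata/",
    "single-sign-on-url": "/remote/saml/login/",
    "single-logout-url": "/remote/saml/logout/",
}


def parse_user_saml(text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry name: {setting: value}} for each 'edit' block in the CLI text."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # handles the quoted values FortiOS prints
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = entries.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "next":
            current = None
    return entries


def validate_saml_entry(s: Dict[str, str], sslvpn_port: int) -> List[str]:
    """Return ERROR/WARNING findings; an empty list means the entry matches the guide."""
    findings: List[str] = []
    netlocs = set()
    for key, path in SP_PATHS.items():
        url = s.get(key)
        if not url:
            findings.append(f"ERROR: {key} is not set")
            continue
        u = urlparse(url)
        if u.scheme != "https":
            findings.append(f"ERROR: {key} must be an https URL")
        if u.path != path:
            findings.append(f"ERROR: {key} path {u.path!r} should be {path!r}")
        netlocs.add(u.netloc)
        # Port must be the SSL-VPN 'Listen on Port' value (443 when the URL omits it).
        if (u.port or 443) != sslvpn_port:
            findings.append(f"ERROR: {key} uses port {u.port or 443}, SSL-VPN listens on {sslvpn_port}")
    if len(netlocs) > 1:
        findings.append(f"ERROR: SP URLs disagree on host:port: {sorted(netlocs)}")
    # Both IdP values are the same RSA SSO URL taken from the Cloud Console.
    if s.get("idp-entity-id") != s.get("idp-single-sign-on-url"):
        findings.append("ERROR: idp-entity-id and idp-single-sign-on-url must both be the RSA SSO URL")
    for key in ("idp-cert", "user-name", "group-name"):
        if not s.get(key):
            findings.append(f"ERROR: {key} is not set")
    # The IdR application returns assertion attributes named 'username' and 'group'.
    if s.get("user-name") not in (None, "username") or s.get("group-name") not in (None, "group"):
        findings.append("WARNING: user-name/group-name differ from the 'username'/'group' attributes the IdR sends")
    if s.get("digest-method") == "sha1":
        findings.append("WARNING: digest-method is sha1; prefer sha256 if FortiOS and the IdR support it (assumption)")
    return findings


def audit(config_text: str, sslvpn_port: int) -> Dict[str, List[str]]:
    """Findings per entry, for one or more entries pasted from the CLI."""
    return {name: validate_saml_entry(s, sslvpn_port) for name, s in parse_user_saml(config_text).items()}


# The guide's sample configuration, as printed above.
SAMPLE_CONFIG = """config user saml
    edit "RSA_SecurID"
        set cert "test-lab"
        set entity-id "https://192.168.61.250:10443/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.61.250:10443/remote/saml/login/"
        set single-logout-url "https://192.168.61.250:10443/remote/saml/logout/"
        set idp-entity-id "https://xeirduidr01.dawoud.com/IdPServlet?idp_id=avqpwg9r0lfr"
        set idp-single-sign-on-url "https://xeirduidr01.dawoud.com/IdPServlet?idp_id=avqpwg9r0lfr"
        set idp-cert "REMOTE_Cert_3"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end"""

# Constructed broken variant: entity-id on the wrong port, IdP URLs that differ, no idp-cert.
BROKEN_CONFIG = """config user saml
    edit "RSA_SecurID_broken"
        set entity-id "https://192.168.61.250:443/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.61.250:10443/remote/saml/login/"
        set single-logout-url "https://192.168.61.250:10443/remote/saml/logout/"
        set idp-entity-id "https://idr.example.com/IdPServlet?idp_id=EXAMPLE"
        set idp-single-sign-on-url "https://idr.example.com/IdPServlet?idp_id=OTHER"
        set user-name "username"
        set group-name "group"
    next
end"""

if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, BROKEN_CONFIG):
        for name, findings in audit(cfg, 10443).items():
            print(name, findings or ["OK"])
```

Run it with the Listen on Port value taken from VPN > SSL-VPN Settings; with the page's sample and port 10443 the only finding is the sha1 warning, while the same entry checked against port 443 reports all three SP URLs as mismatched, which is exactly the symptom of an IdR application created before the FortiGate port was changed.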

  19. Create a user group that uses the SAML server as its authentication server, so that the SAML flow is triggered when a policy matches it.
  20. Go to the FortiGate GUI > User & Authentication > User Groups.

Note: You can match a specific group returned by RSA Cloud by clicking the Remote Server entry and specifying the group to match; otherwise FortiGate accepts all groups by default.

  21. Go to Policy & Objects > Create New and configure a policy.
  22. In the Source section, select the group created previously.
  23. Go to VPN > SSL-VPN Settings > Authentication/Portal Mapping.

Note: When FortiClient VPN is used, ensure the group above is mapped to a portal with Tunnel Mode. By default, the full-access portal has both Tunnel Mode and Web Mode enabled.

  24. Map the groups that use FortiClient to a Tunnel Mode portal, and the groups that should only have Web Mode to a web-only portal.

Configuration is complete.
