FortiGate Firewall - SAML My Page SSO Configuration Using SSL VPN - RSA Ready Implementation Guide

This section describes how to integrate FortiGate SSL VPN with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service.

Procedure

  1. In the RSA Cloud Authentication Service section, go to RSA Cloud Tenant Admin GUI > Authentication Clients > RADIUS > Add RADIUS Clients and Profiles.
  2. Enter the IP address.
  3. Enter the Shared Secret.
  4. Disable the Message Authenticator attribute checkbox, as FortiGate does not send authentication requests with this attribute.

Note: Complete the rest of the configuration according to your required setup.
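To make clear what the Message Authenticator checkbox actually verifies, and therefore what is lost when it has to be disabled for a client that does not send the attribute, here is an added example (written for this guide, not RSA or Fortinet code): a minimal RADIUS Access-Request builder and the server-side Message-Authenticator check from RFC 2869. The shared secret and username are constructed values; `build_access_request`, `verify_message_authenticator` and `server_accepts` are hypothetical helper names.

```python
"""Added example, not part of the RSA/Fortinet guide: build a RADIUS
Access-Request with or without Message-Authenticator (RFC 2869) and
check it the way a RADIUS server with the attribute required would."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1               # RADIUS packet code
ATTR_USER_NAME = 1               # RFC 2865 User-Name
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 Message-Authenticator (16-byte HMAC-MD5)


def _attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret, username, ident=1, with_msg_auth=True, authenticator=None):
    """Build an Access-Request; with_msg_auth=False mimics a client that omits the attribute."""
    authenticator = authenticator or os.urandom(16)   # 16-byte random Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username.encode())
    if with_msg_auth:
        # The HMAC is computed over the whole packet with the attribute value zeroed.
        attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    if not with_msg_auth:
        return header + attrs
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac   # replace the zeroed value with the real HMAC


def verify_message_authenticator(secret, packet):
    """Return 'valid', 'invalid' or 'absent' for the packet's Message-Authenticator."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(received, expected) else "invalid"
        pos += alen
    return "absent"


def server_accepts(secret, packet, require_message_authenticator):
    """Server-side decision modelled on the checkbox: a wrong HMAC is always rejected;
    a packet without the attribute is rejected only when the attribute is required."""
    status = verify_message_authenticator(secret, packet)
    if status == "invalid":
        return False
    if status == "absent":
        return not require_message_authenticator
    return True


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # constructed, not a real secret
    signed = build_access_request(secret, "jdoe")
    unsigned = build_access_request(secret, "jdoe", with_msg_auth=False)
    print(verify_message_authenticator(secret, signed), verify_message_authenticator(secret, unsigned))
```

With the attribute required, a request that lacks it is rejected outright, which is why the checkbox has to be disabled for FortiGate here; the cost is that such requests are then accepted on the shared secret and Request Authenticator alone, with no per-packet integrity check over the attributes.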

Configuration is complete.

Configure FortiGate SSL VPN using My Page SSO

Perform these steps to configure FortiGate SSL VPN with RSA Cloud Authentication Service using My Page SSO.

Procedure

  1. Sign in to the RSA Cloud Admin Console > Access > My Page > My Applications.
  2. Navigate to Access > My Page > My Applications and ensure My Applications is enabled.
  3. Sign in to the RSA Cloud Console > Applications > Application Catalog > Create From Template > SAML Direct, and select Cloud.
  4. In the Connection Profile section, select SP-initiated flow and enter the URL in the following format.

Note: The port may differ depending on the FortiGate configuration. To verify it, open the FortiGate GUI > VPN > SSL-VPN Settings and check the Listen on Port setting.

  5. Enter the Connection URL: https://<FQDN or IP>:<SSLVPN port>/remote/login/
  6. In the Service Provider section, enter the following information.
    1. ACS URL: https://<FQDN or IP>:<SSLVPN port>/remote/saml/login/
    2. Service Provider Entity ID: https://<FQDN or IP>:<SSLVPN port>/remote/saml/metadata/
  7. In the Message Protection section, select the option to validate the SAML Request signature.
  8. Select the certificate used by FortiGate for signing, which can be obtained directly from FortiGate.

Note: If the certificate and key are uploaded, or you want to use an existing certificate and key, open the FortiGate GUI > System > Certificates > Local Certificate and download the certificate so that it can be imported into the RSA Cloud Console.

  9. In the SAML Response Protection section, select whether to sign the SAML Assertion only or the entire SAML Response.

Note: You can also override the default certificate used for SAML Response signing. Do not use Encrypt Assertion, as FortiGate does not support it.

  10. In the User Identity section, set the Identifier type to unspecified and map it to mail/UPN/sAMAccountName. You must also return the assertion attribute username, mapped to mail/UPN/sAMAccountName. Send the groups the user belongs to in an attribute named group, mapped to virtualGroups.
  11. Click Next Step.
  12. In the User Access section, select the required policy, then click Next Step.
  13. In the Portal Display section, disable the Display in Portal checkbox.

Note: Ensure that Display in Portal is disabled, as FortiGate does not support IdP-initiated SAML SSO for SSL VPN.

  14. Click Save & Finish, and then Publish changes.
  15. In the FortiGate GUI, import the certificate retrieved from the RSA Cloud Console; FortiGate uses it to validate the RSA SAML Response signature.
    1. Go to System > Certificates > Create/Import, select Remote Certificate, import the certificate fetched from the RSA Cloud Console, and click OK.
  16. Upload a certificate and key that FortiGate will use to sign the SAML Requests, or use an existing self-signed certificate or one provisioned automatically.
  17. Upload the files (PKCS12 format, or Certificate + Private Key) or generate a CSR, depending on your setup:
    1. Go to System > Certificates > Create/Import > Certificate.
  18. Click Import Certificate, then select either PKCS12 or Certificate + Key File, as in the following examples:

PKCS12 example:

  19. Click Create.

Certificate + Key Files example:

  20. Import the certificate in the RSA Cloud Console.
  21. Access the FortiGate via the CLI and perform the following steps.
  FEIRDUFG02 # config user saml
  FEIRDUFG02 (saml) # edit RSA_SecurID_Cloud
  new entry 'RSA_SecurID_Cloud' added
  FEIRDUFG02 (RSA_SecurID_Cloud) # set cert "This is the Certificate Name for the FortiGate to sign SAML Request"
  FEIRDUFG02 (RSA_SecurID_Cloud) # set entity-id https://<FQDN or IP>:<SSLVPN port>/remote/saml/metadata/
  FEIRDUFG02 (RSA_SecurID_Cloud) # set single-sign-on-url https://<FQDN or IP>:<SSLVPN port>/remote/saml/login/
  FEIRDUFG02 (RSA_SecurID_Cloud) # set single-logout-url https://<FQDN or IP>:<SSLVPN port>/remote/saml/logout/
  FEIRDUFG02 (RSA_SecurID_Cloud) # set idp-entity-id "This is the RSA SSO URL"
  FEIRDUFG02 (RSA_SecurID_Cloud) # set idp-single-sign-on-url "This is the RSA SSO URL"
  FEIRDUFG02 (RSA_SecurID_Cloud) # set idp-cert "This is the Certificate name for validating RSA SAML Response"
  FEIRDUFG02 (RSA_SecurID_Cloud) # set user-name username
  FEIRDUFG02 (RSA_SecurID_Cloud) # set group-name group
  FEIRDUFG02 (RSA_SecurID_Cloud) # end

Notes:

  • FEIRDUFG02 (RSA_SecurID_Cloud) # set cert saml_sign.pem > This is the certificate that the FortiGate uses to sign the SAML Request.
  • FEIRDUFG02 (RSA_SecurID_Cloud) # set idp-cert REMOTE_Cert_3 > This is the certificate that the FortiGate uses to verify the RSA SAML Response signature.
  • RSA SSO URL: idp-single-sign-on-url and idp-entity-id are the same value and can be retrieved from the RSA Cloud Console > Applications > My Applications > Your Application Name > Connection Profile.

Sample configuration:

  config user saml
      edit "RSA_SecurID_Cloud"
          set cert "cert.pem"
          set entity-id "https://192.168.61.250:10443/remote/saml/metadata/"
          set single-sign-on-url "https://192.168.61.250:10443/remote/saml/login/"
          set single-logout-url "https://192.168.61.250:10443/remote/saml/logout/"
          set idp-entity-id "https://gs149.auth-demo.securid.com/sso/saml/3040dc4f-a747-42d9-9c1a-b6395a72503a"
          set idp-single-sign-on-url "https://gs149.auth-demo.securid.com/sso/saml/3040dc4f-a747-42d9-9c1a-b6395a72503a"
          set idp-cert "REMOTE_Cert_6"
          set user-name "username"
          set group-name "group"
      next
  end
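The CLI steps and the sample configuration above tie several values together: the SP entity-id and single-sign-on-url must match what the IdP puts in the Audience and Destination of its response, idp-entity-id must match the response Issuer, and user-name and group-name must match the attribute names the IdP returns. As an added example (written for this guide, not RSA or Fortinet code), the script below parses a `config user saml` block into its settings and checks a constructed SAML Response against them, including the two caveats from the guide: an encrypted assertion is flagged because FortiGate does not support it, and either an Assertion-only or a whole-Response signature is accepted. The SAML Response, the user `jdoe@example.com` and the group values are constructed; `parse_user_saml` and `inspect_response` are hypothetical helper names. Signature presence is checked structurally only; cryptographic verification against the imported idp-cert is FortiGate's job (or that of an XML-DSig library), not this script's.

```python
"""Added example, not part of the RSA/Fortinet guide: parse a FortiGate
'config user saml' block and check a SAML Response against it."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# The guide's sample configuration, values as shown on the page.
FORTIGATE_SAML_CONFIG = """
config user saml
    edit "RSA_SecurID_Cloud"
        set cert "cert.pem"
        set entity-id "https://192.168.61.250:10443/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.61.250:10443/remote/saml/login/"
        set single-logout-url "https://192.168.61.250:10443/remote/saml/logout/"
        set idp-entity-id "https://gs149.auth-demo.securid.com/sso/saml/3040dc4f-a747-42d9-9c1a-b6395a72503a"
        set idp-single-sign-on-url "https://gs149.auth-demo.securid.com/sso/saml/3040dc4f-a747-42d9-9c1a-b6395a72503a"
        set idp-cert "REMOTE_Cert_6"
        set user-name "username"
        set group-name "group"
    next
end
"""

# Constructed SAML Response shaped like the one the guide configures:
# Assertion-only signature, unspecified NameID, 'username' and 'group' attributes.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://192.168.61.250:10443/remote/saml/login/">
  <saml:Issuer>https://gs149.auth-demo.securid.com/sso/saml/3040dc4f-a747-42d9-9c1a-b6395a72503a</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://gs149.auth-demo.securid.com/sso/saml/3040dc4f-a747-42d9-9c1a-b6395a72503a</saml:Issuer>
    <ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://192.168.61.250:10443/remote/saml/metadata/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>vpn-users</saml:AttributeValue>
        <saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_user_saml(text):
    """Return {setting: value} from the 'set' lines of a 'config user saml' entry."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*set\s+(\S+)\s+"?([^"]*)"?\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def inspect_response(xml_text, cfg):
    """Check a SAML Response against the FortiGate settings.
    Returns {"findings": [...], "user": ..., "groups": [...]}; an empty findings
    list means the response is consistent with the configuration."""
    findings, user, groups = [], None, []
    root = ET.fromstring(xml_text)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("EncryptedAssertion present; FortiGate SSL VPN does not support it")
        return {"findings": findings, "user": user, "groups": groups}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no Assertion element in Response")
        return {"findings": findings, "user": user, "groups": groups}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg.get("idp-entity-id"):
        findings.append(f"Issuer {issuer!r} does not match idp-entity-id")
    if root.get("Destination") != cfg.get("single-sign-on-url"):
        findings.append("Destination does not match single-sign-on-url")
    audiences = [(a.text or "").strip() for a in assertion.findall(".//saml:Audience", NS)]
    if cfg.get("entity-id") not in audiences:
        findings.append("Audience does not include the SP entity-id")
    # The guide allows signing either the Assertion only or the whole Response.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither Response nor Assertion carries a Signature")
    attrs = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    for key in ("user-name", "group-name"):   # names FortiGate expects, from the config
        if cfg.get(key) not in attrs:
            findings.append(f"attribute {cfg.get(key)!r} ({key}) missing from Assertion")
    user_vals = attrs.get(cfg.get("user-name"), [])
    user = user_vals[0] if user_vals else None
    groups = attrs.get(cfg.get("group-name"), [])
    return {"findings": findings, "user": user, "groups": groups}


if __name__ == "__main__":
    print(inspect_response(SAML_RESPONSE, parse_user_saml(FORTIGATE_SAML_CONFIG)))
```

A real response captured from a browser's SAML tracer (base64-decoded) can be dropped in place of the constructed one; a non-empty findings list usually points at the mismatch that makes FortiGate reject the login, most often an attribute name that does not match user-name or group-name, or an Audience that differs from entity-id by a trailing slash or port.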

  22. Configure a user group that uses the SAML server as its authentication server, so that a matching policy triggers the SAML flow.
  23. Go to FortiGate GUI > User & Authentication > User Groups.

Note: You can match the group returned from RSA Cloud by clicking the Remote Server entry above and specifying the group you want to match; otherwise FortiGate accepts all groups by default.

  24. Go to Policy & Objects > Create New to configure a policy.
  25. In the Source section, select the group that was created previously.
  26. Go to VPN > SSL-VPN Settings > Authentication/Portal Mapping.

Note: When using FortiClient VPN, ensure that the group mentioned above is mapped to Tunnel Mode. By default, the full-access portal has both Tunnel Mode and Web Mode enabled.

  27. Design access so that specific groups use Tunnel Mode (with FortiClient) and other groups access only Web Mode.

Configuration is complete.