FortiGate Firewall - SAML Relying Party Configuration Using SSL VPN - RSA Ready Implementation Guide

This section describes how to integrate FortiGate SSL VPN with RSA Cloud Authentication Service using SAML Relying Party.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service.

Procedure

  1. In the RSA Cloud Authentication Service section, go to RSA Cloud Tenant Admin GUI > Authentication Clients > RADIUS > Add RADIUS Clients and Profiles.
  2. Enter the IP address.
  3. Enter the Shared Secret.
  4. Disable the Message Authenticator attribute checkbox, because FortiGate does not send the authentication request with this attribute.

Note: Enter the rest of the configuration according to the required setup.

Configuration is complete.

Configure FortiGate SSL VPN using SAML Relying Party

Perform these steps to configure RSA Cloud Authentication Service using SAML Relying Party.

Procedure

  1. Log in to the RSA Cloud Console > Authentication Clients > Relying Parties > Add a Relying Party > Service Provider.

  2. In the Authentication section, select SecurID manages all authentication.

  3. In the Connection Profile section, enter the URL in the following format.

  Note: The port can differ according to the FortiGate configuration. To verify it, access the FortiGate GUI > VPN > SSL-VPN Settings and check the Listen on Port section.

  4. In the Service Provider section, enter the following information.
    1. ACS URL: https://<FQDN or IP>:<SSLVPN port>/remote/saml/login/
    2. Service Provider Entity ID: https://<FQDN or IP>:<SSLVPN port>/remote/saml/metadata/

  5. In the Message Protection section, select the option to validate the SAML Request Signature.
  6. Select the certificate that FortiGate uses for signing, which can be obtained directly from FortiGate.

  Note: If the certificate and key are uploaded, or you want to use an existing certificate and key, access the FortiGate GUI > System > Certificates > Local Certificate and download this certificate to import it into the RSA Cloud Console.

  7. In the SAML Response Protection section, select whether to sign only the SAML Assertion or the entire SAML Response.

  8. In the User Identity section, set the Identifier type to unspecified and map it to mail, userPrincipalName or sAMAccountName. You must also return the assertion attribute username, mapped to mail, userPrincipalName or sAMAccountName. Send the groups the user belongs to as the attribute named group, mapped to virtualGroups.

  9. Access the FortiGate GUI and import the certificate retrieved from the RSA Cloud Console, which FortiGate uses to validate the RSA SAML Response signature.
    1. To import the certificate fetched from the RSA Cloud Console, go to System > Certificates > Create/Import, select Remote Certificate and click OK.

  10. Upload a certificate and key for FortiGate to sign the SAML Requests; you must either use an existing self-signed certificate or provision one automatically.
  11. Upload the certificate (a PKCS12 file, or Certificate + Private Key files) or generate a CSR, depending on your setup, as follows:
    1. Go to System > Certificates > Create/Import > Certificate.

  12. Click Import Certificate, then select either PKCS12 or Certificate + Key File, as in the following examples.

  PKCS12 Example:

  13. Click Create.

  Certificate + Key Files Example:

  14. Import the certificate into the RSA Cloud Console.
  15. Access the FortiGate via the CLI and perform the following steps.
    FEIRDUFG02 # config user saml
    FEIRDUFG02 (saml) # edit RSA_SecurID_Relying_Party
    new entry 'RSA_SecurID_Relying_Party' added
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # set cert "This is the Certificate Name for the FortiGate to sign SAML Request"
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # set entity-id https://<FQDN or IP>:<SSLVPN port>/remote/saml/metadata/
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # set single-sign-on-url https://<FQDN or IP>:<SSLVPN port>/remote/saml/login/
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # set single-logout-url https://<FQDN or IP>:<SSLVPN port>/remote/saml/logout/
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # set idp-entity-id "This is the RSA SSO URL"
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # set idp-single-sign-on-url "This is the RSA SSO URL"
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # set idp-cert "This is the Certificate name for validating RSA SAML Response"
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # set user-name username
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # set group-name group
    FEIRDUFG02 (RSA_SecurID_Rely~rty) # end

    Notes:

    • FEIRDUFG02 (RSA_SecurID_Rely~rty) # set cert saml_sign.pem: this is the certificate that FortiGate uses to sign the SAML Request.
    • FEIRDUFG02 (RSA_SecurID_Rely~rty) # set idp-cert REMOTE_Cert_2: this is the certificate that FortiGate uses to verify the RSA SAML Response signature.
    • RSA SSO URL: idp-single-sign-on-url and idp-entity-id hold the same value, which can be fetched from the RSA Cloud Console > Authentication Clients > Relying Party > Your Application Name > Connection Profile. Enter it exactly as shown, with no surrounding spaces inside the quotes, or the IdP entity ID will not match.
    • To retrieve the SSL VPN port, go to VPN > SSL-VPN Settings and check the Listen on Port section.
    • digest-method selects the hash used for the SAML signatures. The sample below uses sha1; prefer sha256 where your FortiOS version and the RSA side both support it.

    Sample Configuration:

    config user saml
        edit "RSA_SecurID"
            set cert "test-lab"
            set entity-id "https://192.168.61.250:10443/remote/saml/metadata/"
            set single-sign-on-url "https://192.168.61.250:10443/remote/saml/login/"
            set single-logout-url "https://192.168.61.250:10443/remote/saml/logout/"
            set idp-entity-id "https://gs149.auth-demo.securid.com/saml-fe/sso/sslvpn"
            set idp-single-sign-on-url "https://gs149.auth-demo.securid.com/saml-fe/sso/sslvpn"
            set idp-cert "REMOTE_Cert_3"
            set user-name "username"
            set group-name "group"
            set digest-method sha1
        next
    end
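    As an added check (not part of this guide, and not Fortinet's or RSA's code), the following Python lint parses a config user saml entry like the sample above and flags deviations from what the guide requires: SP URLs on a port other than the SSL VPN listen port or with the wrong path, whitespace inside the IdP URL quotes, idp-entity-id and idp-single-sign-on-url that differ, attribute names other than username/group, or a missing certificate. The embedded entry is constructed; the IdP host idp.example.invalid and the listen port 10443 are assumptions.

```python
import re
# Constructed sample mirroring the guide's block; the IdP host is a placeholder and the stray spaces inside the idp-entity-id quotes are deliberate.
SAMPLE_CONFIG = """config user saml
    edit "RSA_SecurID"
        set cert "test-lab"
        set entity-id "https://192.168.61.250:10443/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.61.250:10443/remote/saml/login/"
        set single-logout-url "https://192.168.61.250:10443/remote/saml/logout/"
        set idp-entity-id " https://idp.example.invalid/saml-fe/sso/sslvpn "
        set idp-single-sign-on-url "https://idp.example.invalid/saml-fe/sso/sslvpn"
        set idp-cert "REMOTE_Cert_3"
        set user-name "username"
        set group-name "group"
    next
end"""

# Service-provider URL paths the guide prescribes for each FortiGate setting.
SP_PATHS = {"entity-id": "/remote/saml/metadata/",
            "single-sign-on-url": "/remote/saml/login/",
            "single-logout-url": "/remote/saml/logout/"}

def parse_saml_settings(text):
    # Unquote values but keep whitespace inside the quotes so it can be flagged.
    settings = {}
    for m in re.finditer(r'^\s*set (\S+) (.*)$', text, re.MULTILINE):
        key, value = m.group(1), m.group(2)
        settings[key] = value[1:-1] if len(value) > 1 and value[0] == value[-1] == '"' else value
    return settings

def lint_saml_settings(s, sslvpn_port):
    findings = []
    for key, path in SP_PATHS.items():  # SP URLs: https, the SSL VPN listen port, exact path
        m = re.fullmatch(r'https://[^/:]+:(\d+)(/.*)', s.get(key, ""))
        if not m:
            findings.append(f"{key}: not an https URL with an explicit port")
        elif int(m.group(1)) != sslvpn_port:
            findings.append(f"{key}: port {m.group(1)} != SSL VPN listen port {sslvpn_port}")
        elif m.group(2) != path:
            findings.append(f"{key}: path must be {path}")
    idp = [s.get(k, "") for k in ("idp-entity-id", "idp-single-sign-on-url")]
    if any(v != v.strip() for v in idp):  # spaces inside the quotes make the IdP entity ID mismatch
        findings.append("IdP URL has leading/trailing whitespace inside quotes")
    if idp[0].strip() != idp[1].strip():  # both settings hold the single RSA SSO URL
        findings.append("idp-entity-id and idp-single-sign-on-url differ")
    if s.get("user-name") != "username" or s.get("group-name") != "group":
        findings.append("user-name/group-name must match the RSA assertion attributes")
    for key in ("cert", "idp-cert"):  # request-signing and IdP response-verification certificates
        if not s.get(key):
            findings.append(f"{key}: certificate not set")
    return findings
```

    Run lint_saml_settings(parse_saml_settings(text), port) against the output of "show user saml" with the port from Listen on Port; an empty list means the entry matches the guide.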

    16. For the SAML flow to start and work, configure a firewall policy whose user group uses the SAML server as its authentication server. Start by going to the FortiGate GUI > User & Authentication > User Groups.

    Note: You can match the group returned by RSA Cloud by clicking the Remote Server above and specifying the group to match; otherwise FortiGate accepts all groups by default.

    17. Go to Policy & Objects > Create New to configure a policy.
    18. In the Source section, select the group created previously.

    19. Go to VPN > SSL-VPN Settings > Authentication/Portal Mapping.

    Note: When using FortiClient VPN, ensure the group above is mapped to a portal with Tunnel Mode enabled. By default, the full-access portal has both Tunnel Mode and Web Mode enabled.

    20. Map specific groups to Tunnel Mode (used by FortiClient) and other groups to Web Mode only.

    Configuration is complete.
