lestopace
Staff
Article Id 195999
Description
This article describes how to set up both JumpCloud and FortiGate for SAML SSO for SSL VPN, with FortiGate acting as the Service Provider (SP).

The main purpose is to provide Windows users with Single Sign-On (SSO) access.

Solution
Configuration On FortiGate.
# config user saml
    edit "jumpcloud"
        set cert "Fortinet_Factory"
        set entity-id "https://lem.fortiddns.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://lem.fortiddns.com:10443/remote/saml/login/"
        set single-logout-url "https://lem.fortiddns.com:10443/remote/saml/logout/"
        set idp-entity-id "https://sso.jumpcloud.com/saml2/saml2/JumpCloudLem"
        set idp-single-sign-on-url "https://sso.jumpcloud.com/saml2/saml2"
        set idp-single-logout-url "https://console.jumpcloud.com/userconsole"
        set idp-cert "REMOTE_Cert_2"
        set user-name "email"
    next
end
# config user group
    edit "jumpcloud_grp"
        set member "jumpcloud"
    next
end
Note.
In this example the email attribute is used, but other attributes such as username, first name or last name can be used instead.
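As an added check (example code written for this article, not part of the original and not FortiOS or JumpCloud code), the following Python script parses a config user saml block in the form shown above, validates the SP-side settings, and derives the values that the JumpCloud Custom SAML App will need in the steps that follow, including the /remote/saml/start?realm= login URL. The configuration text is a copy of the example above embedded as sample input; the function names, the `realm` parameter and the field labels are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Copy of the article's `config user saml` block, embedded here as sample input.
# In practice, paste the output of `show user saml` from the FortiGate instead.
FORTIGATE_SAML_CONFIG = '''
config user saml
    edit "jumpcloud"
        set cert "Fortinet_Factory"
        set entity-id "https://lem.fortiddns.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://lem.fortiddns.com:10443/remote/saml/login/"
        set single-logout-url "https://lem.fortiddns.com:10443/remote/saml/logout/"
        set idp-entity-id "https://sso.jumpcloud.com/saml2/saml2/JumpCloudLem"
        set idp-single-sign-on-url "https://sso.jumpcloud.com/saml2/saml2"
        set idp-single-logout-url "https://console.jumpcloud.com/userconsole"
        set idp-cert "REMOTE_Cert_2"
        set user-name "email"
    next
end
'''

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*)"?\s*$')

# Paths FortiGate exposes in its SP role; the IdP must be given matching URLs.
SP_PATHS = {
    "entity-id": "/remote/saml/metadata/",
    "single-sign-on-url": "/remote/saml/login/",
    "single-logout-url": "/remote/saml/logout/",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def parse_user_saml(text):
    """Return {entry_name: {setting: value}} for each `edit` entry in the block."""
    entries, current = {}, None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if re.match(r"^\s*next\s*$", line):
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
    return entries


def check_sp_settings(sp):
    """Return a list of problems with the SP-side settings (empty list = consistent)."""
    problems = []
    for key in ("cert", "idp-cert", "user-name", "idp-entity-id", "idp-single-sign-on-url"):
        if not sp.get(key):
            problems.append(f"{key} is not set")
    netlocs = set()
    for key, path in SP_PATHS.items():
        url = urlparse(sp.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key} must use https, got {sp.get(key)!r}")
        if url.path != path:
            problems.append(f"{key} should end with {path}, got {url.path!r}")
        netlocs.add(url.netloc)
    if len(netlocs) != 1:
        problems.append(f"SP URLs use different host:port values: {sorted(netlocs)}")
    if urlparse(sp.get("idp-single-sign-on-url", "")).scheme != "https":
        problems.append("idp-single-sign-on-url must use https")
    return problems


def jumpcloud_fields(sp, realm=""):
    """Values to enter in the JumpCloud Custom SAML App, derived from the SP settings.
    `realm` stays empty as in the article; fill it in if SSL VPN realms are used."""
    host = urlparse(sp["entity-id"]).netloc
    return {
        "IdP Entity ID": sp["idp-entity-id"],
        "SP Entity ID": sp["entity-id"],
        "ACS URL": sp["single-sign-on-url"],
        "SAML Subject NameID": sp["user-name"],
        "SAML Subject NameID Format": TRANSIENT,
        "Default RelayState": sp["single-sign-on-url"],
        "Login URL": f"https://{host}/remote/saml/start?realm={realm}",
        "User attribute (SP name = JumpCloud name)": sp["user-name"],
    }


if __name__ == "__main__":
    sp = parse_user_saml(FORTIGATE_SAML_CONFIG)["jumpcloud"]
    for problem in check_sp_settings(sp) or ["SP settings look consistent"]:
        print("check:", problem)
    for field, value in jumpcloud_fields(sp).items():
        print(f"{field:42} {value}")
```

The checks deliberately stop at structure (scheme, path suffix, one host:port for all three SP URLs, every required setting present); whether the host name resolves and the port is the one the SSL VPN listens on is still verified on the FortiGate itself.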

Configuration On Jumpcloud.

1) Log in to the JumpCloud portal, then go to SSO -> '+' button -> Custom SAML App.

2) Fill in the 'Display Label', update the logo and color indicator as preferred, then select 'Single Sign-on Configuration'.

3) Fill in the IdP Entity ID.
Afterwards, update the SP Entity ID and ACS URL fields with the entity-id and single-sign-on-url configured in the FortiGate user SAML settings, respectively.
Upload the FortiGate's Fortinet_Factory certificate, which can be downloaded from GUI: System -> Certificates -> Local Certificates -> Fortinet_Factory.

Note.
IdP Entity ID is the unique, case-sensitive identifier used by JumpCloud for this service provider.
Ensure that the value entered matches the Identity Provider Entity ID configured on the service provider's SSO configuration page.

4) Set SAML Subject NameID to email and SAML Subject NameID Format to:
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Fill in the Default Relay State with the FortiGate's single-sign-on-url, and the Login URL field using the following format.
The Login URL is used when the user decides to log in again from the JumpCloud portal.
https://<Fully_Qualified_Domain_Name>:<port number>/remote/saml/start?realm=

5) Under User Attributes, set the 'Service Provider Attribute Name' to email and the JumpCloud Attribute Name to email, then go to the User Groups tab.

6) Select the groups that are allowed to connect to SSL VPN, then select 'Activate'.

Note.
After activation, JumpCloud creates a public certificate.
Select 'Download Certificate' and upload it to FortiGate as a Remote Certificate via GUI: System -> Certificates -> Import -> Remote Certificate.
This is the certificate referenced in the 'idp-cert' setting under config user saml on FortiGate.
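To see why steps 4 and 5 matter, here is an added Python example (not from the article and not Fortinet or JumpCloud code) that inspects a constructed, trimmed SAML response in the shape an IdP posts to the ACS URL. Because the NameID format is transient (an opaque, per-session value), the login identity has to come from the attribute named in the FortiGate user-name setting, here email, which is why the JumpCloud user attribute is mapped as email -> email. The function checks Issuer, Audience, Recipient and the presence of a Signature element structurally; the cryptographic verification of that signature against idp-cert is performed by FortiGate and is not reproduced here. The sample XML, its NameID value and the function name are constructed for this example; the entity IDs and URLs are the article's.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed, trimmed response using the article's entity IDs and URLs. It is not a
# real JumpCloud response; the Signature element is a placeholder so the structural
# check below has something to find. Real signature validation is done by FortiGate.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://lem.fortiddns.com:10443/remote/saml/login/">
  <saml:Issuer>https://sso.jumpcloud.com/saml2/saml2/JumpCloudLem</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://sso.jumpcloud.com/saml2/saml2/JumpCloudLem</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">placeholder</ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_8f3c1d</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://lem.fortiddns.com:10443/remote/saml/login/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://lem.fortiddns.com:10443/remote/saml/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>support@fortinet.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_login_identity(response_xml, sp_entity_id, acs_url, idp_entity_id,
                           user_name_attr="email"):
    """Return {'user', 'nameid_transient', 'problems'} for one SAML response.
    'user' is the value of the attribute named by the FortiGate user-name setting."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    problems = []

    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("assertion Issuer does not match idp-entity-id")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion carries no Signature element")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != sp_entity_id:
        problems.append("Audience does not match the SP entity-id")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL (single-sign-on-url)")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    nameid_transient = name_id is not None and name_id.get("Format") == TRANSIENT

    # Collect attributes; with a transient NameID this is where the identity lives.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    values = attrs.get(user_name_attr, [])
    user = values[0] if len(values) == 1 and values[0] else None
    if user is None:
        problems.append(f"attribute {user_name_attr!r} missing, empty or multi-valued")
    return {"user": user, "nameid_transient": nameid_transient, "problems": problems}


if __name__ == "__main__":
    result = extract_login_identity(
        SAMPLE_RESPONSE,
        sp_entity_id="https://lem.fortiddns.com:10443/remote/saml/metadata/",
        acs_url="https://lem.fortiddns.com:10443/remote/saml/login/",
        idp_entity_id="https://sso.jumpcloud.com/saml2/saml2/JumpCloudLem",
    )
    print(result)
```

If the JumpCloud attribute were named anything other than the value in user-name (for example username instead of email), the function returns no user and reports the missing attribute; that is the failure mode to look for when SSO redirects succeed but the FortiGate login still fails.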

Testing SSL VPN Web-mode.

1) Enter the SSL VPN URL in the browser and select 'Single Sign-On'.

2) Log in with the JumpCloud credentials; the browser is then redirected to the SSL VPN web portal page.

# get vpn ssl monitor
SSL VPN Login Users:
Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
0       support@fortinet.com    jumpcloud_grp  256(1)           N/A     211.24.155.98  0/0     0/0     0
SSL VPN sessions:
Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
3) Log out from the SSL VPN portal. The browser is redirected to JumpCloud's console.
From there, it is possible to sign back in automatically by selecting the Fortinet application.

Alternatively, it is possible to log in via the JumpCloud portal at https://console.jumpcloud.com/userconsole and access the FortiGate SSL VPN from there.
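The get vpn ssl monitor output shown above is flat text. The following Python, an added example rather than anything from the article or from FortiOS, parses both tables into records, lists logins that did not come through the SAML group (the thing to watch while moving users to SSO, since it shows local or other accounts still signing in), and flags sessions with no matching login entry. The sample is constructed: the headers are the ones shown above, the first login row is modelled on the article's values with all ten columns filled in (the extracted row in the article lost one column), and the second row and the session row are invented. Field names and function names are assumptions.

```python
# Constructed sample in the layout of `get vpn ssl monitor`. The headers are the ones
# in the article; row 0 is modelled on the article's values with every column filled,
# row 1 and the session row are invented (198.51.100.7 is a documentation address).
SAMPLE_MONITOR = """\
SSL VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       support@fortinet.com    jumpcloud_grp  256(1)  295     N/A     211.24.155.98  0/0     0/0     0
 1       jdoe    local_vpn_grp   1(1)    280     28790   198.51.100.7   0/0     0/0     0

SSL VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       support@fortinet.com    jumpcloud_grp  211.24.155.98  120     1024/2048       10.212.134.200
"""

# Column names assumed for this example, one per whitespace-separated field.
LOGIN_FIELDS = ("index", "user", "group", "auth_type", "timeout", "auth_timeout",
                "from_ip", "http_io", "https_io", "two_factor")
SESSION_FIELDS = ("index", "user", "group", "source_ip", "duration", "io_bytes", "tunnel_ip")
SECTIONS = {"SSL VPN Login Users:": LOGIN_FIELDS, "SSL VPN sessions:": SESSION_FIELDS}


def parse_ssl_monitor(text):
    """Return {section title: [record dicts]} for the two tables in the output.
    Rows are whitespace-separated, so a row with the wrong column count is rejected
    instead of silently shifting values into the wrong fields."""
    result = {name: [] for name in SECTIONS}
    section, fields = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, fields = line, SECTIONS[line]
            continue
        if fields is None or not line or line.startswith("Index"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(parts)}: {line!r}")
        result[section].append(dict(zip(fields, parts)))
    return result


def non_sso_logins(login_records, sso_groups=("jumpcloud_grp",)):
    """Users whose Group is not one of the SAML groups: accounts still using
    another authentication path after the move to SSO."""
    return [r["user"] for r in login_records if r["group"] not in sso_groups]


def orphan_sessions(monitor):
    """Sessions whose (user, source IP) has no corresponding login entry."""
    known = {(r["user"], r["from_ip"]) for r in monitor["SSL VPN Login Users:"]}
    return [s for s in monitor["SSL VPN sessions:"]
            if (s["user"], s["source_ip"]) not in known]


if __name__ == "__main__":
    monitor = parse_ssl_monitor(SAMPLE_MONITOR)
    for rec in monitor["SSL VPN Login Users:"]:
        print(f"{rec['user']:24} {rec['group']:16} from {rec['from_ip']}")
    print("logins outside the SAML group:", non_sso_logins(monitor["SSL VPN Login Users:"]))
    print("sessions without a login entry:", orphan_sessions(monitor))
```

Because the parser is strict about the column count, feeding it the nine-field row exactly as it was extracted into this article raises a ValueError rather than quietly mislabelling the From address; when working from a live CLI session the rows carry all columns and parse cleanly.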