Created on 06-10-2022 11:53 AM Edited on 06-10-2022 11:55 AM By Anonymous
Description
This article describes how to set up both AWS SSO and FortiGate for SAML SSO for web mode SSL VPN with FortiGate acting as SP.
Scope
FortiOS v6.2 or above.
Solution
Configuring the AWS SSO account IDP application.
1) Set up an AWS account.
2) Open a browser, log in to the AWS account, and enable AWS SSO. If AWS Organizations is not set up, there will be a prompt to create an organization. Choose 'Create AWS organization' to complete this process.
3) Head over to ‘Users’ and select ‘Add user’.
Enter the details for Username, Email address, and First Name.
Select ‘Next’.
Optionally, add the user to a group.
Review and select ‘Add user’.
4) Go to the 'Applications' and select 'Add a new application'.
5) Select ‘Add a custom SAML 2.0 application’
6) Enter the Display name. The 'Display name' is the name of the portal the user logs into.
Set the Application start URL: https://<Public_IP:PORT>
Select 'If you don't have a metadata file, you can manually type your metadata values'.
Set the Application ACS URL: https://<Public_IP:PORT>/remote/saml/login
Set the Application SAML audience: https://<Public_IP:PORT>/remote/saml/metadata
Copy the following items to a text editor as these will be required to configure the FortiGate SAML:
AWS SSO sign-in URL: https://portal.sso.us-east-1.amazonaws.com/saml/assertion/ <truncated>
AWS SSO sign-out URL: https://portal.sso.us-east-1.amazonaws.com/saml/logout/ <truncated>
AWS SSO issuer URL: https://portal.sso.us-east-1.amazonaws.com/saml/assertion <truncated>
Select 'Download Certificate'. This will be imported to FortiGate later.
Select ‘Save changes’.
7) Go to the ‘Attribute mappings’ tab.
These are the values that will be passed on to the FortiGate by the AWS SSO.
Configure the values as required. A sample configuration is provided below:
Note.
In this case, the 'username' attribute will be used as the SSL VPN user-name on FortiGate (will be seen in later FortiGate configuration).
Other mappings are also available that can be used. Refer to the AWS docs:
https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html
8) Additionally, a group attribute value can also be passed on to FortiGate.
This is optional and is needed only if performing group matching based on group membership of AWS users on FortiGate is intended.
Note.
In this case, the 'group' attribute will be used as the SSL VPN group name on FortiGate (will be seen in later FortiGate configuration).
Copy the 'Group ID' to a text editor as it will be required to configure the FortiGate group:
9) Go to the ‘Assigned users’ tab.
Select ‘Assign users’.
Select all the desired Users/Groups and select ‘Assign users’.
Configuring the FortiGate for SSL VPN and as SP.
1) Upload the AWS certificate downloaded earlier as a 'Remote Certificate' on FortiGate:
2) Set up SAML as below:
# config user saml
edit "aws"
set entity-id "https://<Public_IP:Port>/remote/saml/metadata" <--- Same as setup on AWS
set single-sign-on-url "https://<Public_IP:Port>/remote/saml/login" <--- Same as setup on AWS
set single-logout-url "https://<Public_IP:Port>/remote/saml/logout" <--- Same as setup on AWS
set idp-entity-id "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/ <truncated>" <--- AWS SSO issuer URL
set idp-single-sign-on-url "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/ <truncated>" <--- AWS SSO sign-in URL
set idp-single-logout-url "https://portal.sso.us-east-1.amazonaws.com/saml/logout/ <truncated>" <--- AWS SSO sign-out URL
set idp-cert "Remote_Cert_1"
set user-name "username" <--- Same as the user-name attribute parameter configured on AWS.
set group-name "group" <--- Same as the group-name attribute parameter configured on AWS.
set digest-method sha1
next
end
3) Create a user group as below on FortiGate.
# config user group
edit "aws-saml-vpn"
set member "aws"
config match
edit 1
set server-name "aws"
set group-name "90674ed8ce-899577e3-8042-4fe3-ba65-99955f1912c1" <--- Same as the Group-ID value of the AWS GROUP.
next
end
next
end
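Most SAML SSO failures at this point are plain value mismatches: the AWS ACS URL and SAML audience must equal the FortiGate single-sign-on-url and entity-id in step 2, the AWS issuer/sign-in/sign-out URLs must equal the idp-* settings, and the Group ID in step 3 must equal what AWS sends in the 'group' attribute. The following Python script is an added example (not part of this article and not FortiOS code) that cross-checks both sides and then walks a constructed, unsigned SAML response through the same issuer, audience, user-name and group-name checks the configuration drives. The IP/port 203.0.113.10:10443, the "EXAMPLE" URL suffixes, the user "jdoe", the small FortiOS CLI parser and the SP-check model are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed FortiOS CLI excerpt mirroring the article's blocks. The IP,
# port and the "EXAMPLE" suffixes are placeholders, not a real deployment.
FORTIOS_CONFIG = """
config user saml
    edit "aws"
        set entity-id "https://203.0.113.10:10443/remote/saml/metadata"
        set single-sign-on-url "https://203.0.113.10:10443/remote/saml/login"
        set idp-entity-id "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE"
        set idp-single-sign-on-url "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE"
        set idp-single-logout-url "https://portal.sso.us-east-1.amazonaws.com/saml/logout/EXAMPLE"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "aws-saml-vpn"
        config match
            edit 1
                set server-name "aws"
                set group-name "90674ed8ce-899577e3-8042-4fe3-ba65-99955f1912c1"
            next
        end
    next
end
"""

AWS_APP = {  # constructed values as they appear on the AWS SSO application page
    "Application ACS URL": "https://203.0.113.10:10443/remote/saml/login",
    "Application SAML audience": "https://203.0.113.10:10443/remote/saml/metadata",
    "AWS SSO issuer URL": "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE",
    "AWS SSO sign-in URL": "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE",
    "AWS SSO sign-out URL": "https://portal.sso.us-east-1.amazonaws.com/saml/logout/EXAMPLE",
}
# Each AWS field and the FortiGate 'config user saml' setting it must equal.
PAIRS = [("Application ACS URL", "single-sign-on-url"),
         ("Application SAML audience", "entity-id"),
         ("AWS SSO issuer URL", "idp-entity-id"),
         ("AWS SSO sign-in URL", "idp-single-sign-on-url"),
         ("AWS SSO sign-out URL", "idp-single-logout-url")]


def parse_fortios(text):
    """Minimal FortiOS CLI parser: {path_tuple: {key: value}}, where the path
    is the chain of enclosing 'config ...' / 'edit ...' lines (assumption)."""
    path, settings = [], {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        words = line.split(None, 1)
        if words[0] in ("config", "edit"):
            path.append(line.replace('"', ""))
        elif words[0] in ("next", "end"):
            path.pop()
        elif words[0] == "set":
            key, value = words[1].split(None, 1)
            settings.setdefault(tuple(path), {})[key] = value.strip('"')
    return settings


def check_pairs(saml, aws):
    """Return the (aws_field, fortigate_setting) pairs whose values differ."""
    return [(a, f) for a, f in PAIRS if aws.get(a) != saml.get(f)]


NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned response skeleton carrying the two attributes the
# article maps on the AWS side (only the elements the checks below use).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
 <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://203.0.113.10:10443/remote/saml/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="group"><saml:AttributeValue>90674ed8ce-899577e3-8042-4fe3-ba65-99955f1912c1</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""


def evaluate_response(xml_text, saml, match):
    """Model of the SP checks the article's settings drive: issuer and audience
    must equal idp-entity-id and entity-id; the attribute named by user-name
    becomes the VPN user; the attribute named by group-name is compared with
    the 'config match' group ID. Signature verification against idp-cert and
    the validity window are real SP steps this model leaves out. Parse
    untrusted XML with defusedxml in production code."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", namespaces=NS)]
             for a in root.iterfind(".//saml:Attribute", namespaces=NS)}
    users = attrs.get(saml["user-name"], [])
    return {
        "issuer_ok": root.findtext("saml:Issuer", namespaces=NS) == saml["idp-entity-id"],
        "audience_ok": root.findtext(".//saml:Audience", namespaces=NS) == saml["entity-id"],
        "user": users[0] if users else None,
        "group_match": match["group-name"] in attrs.get(saml["group-name"], []),
    }


def run(config=FORTIOS_CONFIG, aws=AWS_APP, response=SAML_RESPONSE):
    settings = parse_fortios(config)
    saml = settings[("config user saml", "edit aws")]
    match = settings[("config user group", "edit aws-saml-vpn", "config match", "edit 1")]
    return check_pairs(saml, aws), evaluate_response(response, saml, match)


if __name__ == "__main__":
    print(run())  # ([], {'issuer_ok': True, 'audience_ok': True, 'user': 'jdoe', 'group_match': True})
```

Paste the real `show user saml` and `show user group` output into FORTIOS_CONFIG and the values from the AWS application page into AWS_APP; an empty mismatch list means the two sides agree, and a `group_match` of False with the right user name points at the Group ID in `config match` rather than at the SAML exchange.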
4) Complete the SSL VPN configuration.
# config vpn ssl settings
set servercert "self-sign"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set source-interface "wan1"
set source-address "all"
set source-address6 "all"
set default-portal "web-access"
config authentication-rule
edit 1
set groups "aws-saml-vpn"
set portal "full-access"
next
end
end
# config firewall policy
edit 1
set name "aws-SSLVPN"
set srcintf "ssl.root"
set dstintf "lan"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
set groups "aws-saml-vpn"
next
end
Testing SSL VPN.
1) Connect to the SSL VPN portal and select 'Single Sign-On'.
2) Enter the AWS credentials and it will redirect to the SSL VPN page.
On FortiGate, verify by going to Dashboard > Network > SSL VPN Monitor: