This article describes how to configure AD FS SAML authentication for dial-up IPsec VPN.
This applies to FortiGate v7.2.0 or later and FortiClient v7.2.4 or later.
FortiClient v7.2.4 or later supports SAML authentication for dial-up IPsec VPN users when IKEv2 is in use.
The first step is to download the AD FS token-signing certificate. Open AD FS from Server Manager -> Tools -> AD FS Management and navigate to AD FS -> Certificates.
Right-click the Token-signing certificate and select View Certificate.
Open the Details tab, select Copy to File, and save the exported certificate.
Import this certificate into FortiGate by navigating to System -> Certificates:
Configuration on FortiGate:
config sys global
    set auth-ike-saml-port 9443
end
config user setting
    set auth-cert "Fortinet_Factory"
end
config user saml
    edit "saml-adfs"
        set cert "homegate.abc.xyz"
        set entity-id "http://homegate.abc.xyz:9443/remote/saml/metadata/"
        set single-sign-on-url "https://homegate.abc.xyz:9443/remote/saml/login"
        set single-logout-url "https://homegate.abc.xyz:9443/remote/saml/logout"
        set idp-entity-id "http://adfs.abc.xyz/adfs/services/trust"
        set idp-single-sign-on-url "https://adfs.abc.xyz/adfs/ls"
        set idp-single-logout-url "https://adfs.abc.xyz/adfs/ls?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_5"
        set user-name "username"
        set group-name "Group"
        set digest-method sha1
    next
end
config system interface
    edit "vlan_20"
        set ike-saml-server "saml-adfs"
    next
end
config user group
    edit "ike-saml-auth"
        set member "saml-adfs"
    next
end
config vpn ipsec phase1-interface
    edit "saml_vpn"
        set type dynamic
        set interface "vlan_20"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal des-sha1 des-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "ike-saml-auth"
        set ipv4-start-ip 192.168.255.1
        set ipv4-end-ip 192.168.255.255
        set dns-mode auto
        set psksecret ENC xxxxxxxxxxxx
        set dpd-retryinterval 60
    next
end
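The idp-* values in "config user saml" above must match what AD FS publishes in its FederationMetadata.xml, and the SP URLs must all carry the auth-ike-saml-port. The following script is an added example, not part of the Fortinet article: it reads a constructed, cut-down copy of AD FS metadata (hostnames taken from the configuration above, certificate body a placeholder), extracts the values FortiGate needs, and checks the SP URLs for the port and hostname consistency that the SAML exchange depends on.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample of an AD FS FederationMetadata.xml, cut down to the
# elements this script reads; the certificate body is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="http://adfs.abc.xyz/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.abc.xyz/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.abc.xyz/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def idp_settings(metadata_xml):
    """Pull the idp-* values of 'config user saml' out of IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{MD}IDPSSODescriptor")
    def redirect_location(tag):  # pick the HTTP-Redirect binding endpoint
        for svc in idp.findall(f"{MD}{tag}"):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None
    cert = idp.find(f"{MD}KeyDescriptor[@use='signing']/{DS}KeyInfo/"
                    f"{DS}X509Data/{DS}X509Certificate")
    return {
        "idp-entity-id": root.get("entityID"),
        "idp-single-sign-on-url": redirect_location("SingleSignOnService"),
        "idp-single-logout-url": redirect_location("SingleLogoutService"),
        # base64 DER of the token-signing cert to import and reference as idp-cert
        "signing-cert-b64": re.sub(r"\s+", "", cert.text),
    }

def check_sp_urls(entity_id, sso_url, slo_url, ike_saml_port):
    """Each SP URL must carry auth-ike-saml-port and share one FortiGate hostname."""
    problems, hosts = [], set()
    for label, url in (("entity-id", entity_id), ("single-sign-on-url", sso_url),
                       ("single-logout-url", slo_url)):
        parts = urlsplit(url)
        hosts.add(parts.hostname)
        if parts.port != ike_saml_port:
            problems.append(f"{label} does not use port {ike_saml_port}")
    if len(hosts) != 1:
        problems.append("SP URLs do not share one hostname")
    return problems
```

Compare the returned idp-* values with the FortiGate entry character by character: a trailing slash or a different scheme in idp-entity-id is enough for the IdP to reject the request.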
Configuration on ADFS:
Open AD FS from Server Manager -> Tools -> AD FS Management and navigate to Relying Party Trusts. Right-click it and select Add Relying Party Trust.
In the Add Relying Party Trust Wizard, select Claims aware as shown in the screenshot below:
Under Select Data Source, choose Enter data about the relying party manually:
Under Configure Certificate, add the SP certificate used in the SAML configuration on FortiGate:
Under Configure URL, add the SP's single-sign-on-url:
Under Configure Identifiers, add the SP's entity-id URL.
At the end, select 'Configure claims issuance policy for this application'.
Now, under the claims issuance policy, add the following rule:
Right-click the newly added relying party and select Properties.
Under the Endpoints tab, add the single-logout-url as shown below:
Under the Signature tab, add the SP certificate.
Under the Advanced tab, change the Secure hash algorithm to SHA1 (this must match the digest-method set on FortiGate).
Test ADFS SAML authentication:
Copyright 2024 Fortinet, Inc. All Rights Reserved.