Description
This article describes how SAML user authentication is done with FortiGate acting as a transparent web proxy, using Microsoft Azure as the IdP.
Scope
FortiOS 7.0+, SAML, Microsoft Azure IdP.
Solution
For the SAML background, visit the following link: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/447498/saml-authentication-in-a-prox....
In this article, SAML authentication is used with a transparent web proxy. The IdP is Microsoft Azure.
The port2 IP address is 11.0.0.1 and the Windows machine IP address is 11.0.0.10. The authentication and authorization flow is as follows:
1) The client opens a browser and visits https://www.google.com.
2) The browser is redirected by the web proxy.
3) The request is redirected to the IdP's sign-in page.
4) If the user signs in, the IdP authenticates the user and sends a SAML assertion back to the FortiGate with the user's group information.
5) If all policy criteria match successfully, the webpage is returned to the client.
1) Configure the client-facing interface for the transparent web proxy (port2, with the proxy captive portal enabled):
# config system interface
    edit "port2"
        set vdom "root"
        set ip 11.0.0.1 255.255.255.0
        set allowaccess ping https http
        set type physical
        set netflow-sampler both
        set proxy-captive-portal enable
        set device-identification enable
        set snmp-index 2
    next
end
2) Configure the SAML server. The entity-id, single-sign-on-url and single-logout-url are the FortiGate (SP) side and use the captive portal IP on port 7831; the idp-* entries come from the Azure tenant, and user-name/group-name are the claim names the assertion must carry:
FGVM (saml) # show
# config user saml
    edit "proxy_transparent"
        set cert "Fortinet_Factory"
        set entity-id "https://11.0.0.1:7831/XX/YY/ZZ/saml/metadata/"
        set single-sign-on-url "https://11.0.0.1:7831/XX/YY/ZZ/saml/login"
        set single-logout-url "https://11.0.0.1:7831/XX/YY/ZZ/saml/logout"
        set idp-entity-id "https://sts.windows.net/-726a919b175d/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/-726a919b175d/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/-726a919b175d/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
3) Configure the user group. The group-name under config match is the Azure group object ID that the assertion's group claim must contain:
FGVM (group) # show
# config user group
    edit "Development_group"
        set member "proxy_transparent"
        config match
            edit 1
                set server-name "proxy_transparent"
                set group-name "8cd85213-773b-46dc-afd3-5cc8edcfc180"
            next
        end
    next
end
4) Configure the authentication scheme, rule, and setting:
# config authentication scheme
    edit "Azure-SAML-TransparentProxy"
        set method saml
        set saml-server "proxy_transparent"
    next
end
# config authentication rule
    edit "Proxy_Auth_Rule"
        set srcintf "port2"
        set srcaddr "all"
        set active-auth-method "Azure-SAML-TransparentProxy"
    next
end
# config authentication setting
    set update-time 2023-04-24 12:42:10
    set captive-portal-type ip
    set captive-portal-ip 11.0.0.1
end
5) Configure the proxy policies. Policy 1 has no group set and only allows the Azure sign-in destinations, so an unauthenticated client can reach the IdP and complete the redirect; policy 2 is the policy that requires membership of the SAML group:
FGVM (proxy-policy) # show
# config firewall proxy-policy
    edit 1
        set uuid 6c4c44cc-e2b9-51ed-90c3-f5640941f5f4
        set name "proxy-policy-transparent"
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "aadcdn.msauth.net" "aadcdn.msftauth.net" "login.microsoftonline.com" "sts.windows.net"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 2
        set uuid 352e07b6-e2d5-51ed-5c4f-382056d791c7
        set name "Group_Policy"
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "Development_group"    <- the group configured in step 3
        set ssl-ssh-profile "certificate-inspection"
    next
end
End result: when a user goes to www.google.com in a browser that is configured to use the FortiGate as a proxy, the IdP sign-in page appears and the user must provide credentials. After a successful sign-in, the authenticated user is visible on the FortiGate, matched to policy 2 with auth_method SAML:
FGVM # diagnose wad user list
ID: 1, VDOM: root, IPv4: 11.0.0.10
    user name   : development@robertao.me
    worker      : 1
    duration    : 69
    auth_type   : IP
    auth_method : SAML
    pol_id      : 2
    g_id        : 2
    user_based  : 0
    expire      : no
    LAN: bytes_in=96093 bytes_out=2162905
    WAN: bytes_in=2192752 bytes_out=99175
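The following is an added example, not code from the Fortinet article or from FortiOS. It checks the parts of an Azure assertion that steps 2 and 3 depend on (issuer against idp-entity-id, audience against entity-id, validity window, the "username" claim, and the "group" claim against the object ID under config match) using the article's own values, with a constructed sample assertion; the XML signature, which FortiGate verifies with idp-cert, is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values taken from the article's 'config user saml' / 'config user group' blocks.
SP_ENTITY_ID = "https://11.0.0.1:7831/XX/YY/ZZ/saml/metadata/"      # set entity-id
IDP_ENTITY_ID = "https://sts.windows.net/-726a919b175d/"            # set idp-entity-id
USER_ATTR, GROUP_ATTR = "username", "group"                          # set user-name / set group-name
GROUP_MATCH = {"8cd85213-773b-46dc-afd3-5cc8edcfc180": "Development_group"}  # config match

# Constructed sample assertion, shaped like the one Azure returns after sign-in.
# The XML signature is omitted: FortiGate verifies it with the 'idp-cert' certificate.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_1" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Conditions NotBefore="2023-04-24T12:40:00Z" NotOnOrAfter="2023-04-24T13:40:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>development@robertao.me</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>8cd85213-773b-46dc-afd3-5cc8edcfc180</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2023-04-24T12:40:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate(assertion_xml, now_iso):
    """Return (user, matched FortiGate groups, errors) for an assertion seen at now_iso."""
    root = ET.fromstring(assertion_xml)
    errors = []
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        errors.append("Issuer does not match idp-entity-id")
    cond = root.find("saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        errors.append("Audience does not match entity-id")
    if not _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter")):
        errors.append("assertion is outside its validity window")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    user = (attrs.get(USER_ATTR) or [None])[0]
    if user is None:
        errors.append(f"no '{USER_ATTR}' attribute, so the user cannot be identified")
    # Each group value is compared with the group-name entries under 'config match';
    # a user whose assertion carries no matching value does not satisfy policy 2.
    groups = sorted({GROUP_MATCH[g] for g in attrs.get(GROUP_ATTR, []) if g in GROUP_MATCH})
    return user, groups, errors
```

Changing the claim names in Azure without updating user-name/group-name (or vice versa) shows up here as a missing user or an empty group list, which is the usual cause of a user authenticating successfully but never matching policy 2.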
Copyright 2024 Fortinet, Inc. All Rights Reserved.