JordAnge
Staff
Article Id 258476
Description

This article describes an example configuration of SSL VPN with SAML authentication, using the OneLogin platform as the IdP.

Scope

SAML user authentication for SSL VPN, with OneLogin as the IdP.

Solution

Topology:

 

VPNSSL-Client     ===== Internet ===> | FortiGate-VPNSSL

  1. Configure the 'saml' profile:


config user saml
  edit "ONELOGINSSLVPN"
     set cert "<SSL-VPN settings assigned Server Certificate>"
     set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata/"
     set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
     set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
     set idp-entity-id "https://app.onelogin.com/saml/metadata/f498e216-b182-488e-9cd0-77bc35fb9225"
     set idp-single-sign-on-url "https://digicel.onelogin.com/trust/saml2/http-post/sso/f498e216-b182-488e-9cd0-77bc35fb9225"
     set idp-single-logout-url "https://digicel.onelogin.com/trust/saml2/http-redirect/slo/2187538"
     set idp-cert "REMOTE_Cert_1"  <- Download the certificate from the IdP platform and import it on the FortiGate before referencing it here.
     set user-name "username"
     set group-name "groupname"
     set digest-method sha1
     set limit-relaystate disable
     set clock-tolerance 15
     set adfs-claim disable
  next
end


The IdP values above (IdP entity ID, SSO and SLO URLs, and the IdP certificate) can be read from the OneLogin platform, as shown in the screenshots below.


SAML_OneLogin-01.png

 

SAML_OneLogin-02.png

 

  2. Configure the user group on FortiGate, with the SAML user created in step 1 as its member.

 

Example (the member name must match the SAML user name configured in step 1):

config user group
  edit "ONELOGINGROUP"
     set group-type firewall
     set authtimeout 0
     set auth-concurrent-override disable
     set http-digest-realm ''
     set member "ONELOGINSSLVPN"
  next
end


SAML_OneLogin-03.png

 

SAML_OneLogin-05.png

 

  3. Set the authentication-rule in the SSL VPN settings, using the group configured in step 2.


config vpn ssl setting
  config authentication-rule
    edit 1
       set groups "ONELOGINGROUP"
       set portal "web-access"
    next
  end
end
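The three CLI blocks above only work together when their cross-references line up: the group's member must name the SAML user exactly, the authentication-rule must name an existing group, the three SP URLs must all point at the same FortiGate host and custom port, and idp-cert must reference an imported certificate. The following script is an added example, not Fortinet's or the article author's code: it parses FortiOS-style config/edit/set/next/end text and reports those mismatches. The sample configuration is constructed from the article's blocks with placeholder values (the host vpn.example.com:10443 and the OneLogin app IDs are assumptions), and it deliberately contains a one-letter typo in the member name so the check has something to find.

```python
import shlex
from urllib.parse import urlsplit

# Paths the FortiGate serves for the SP side, as shown in the article's profile.
EXPECTED_SP_PATHS = {
    "entity-id": "/remote/saml/metadata/",
    "single-sign-on-url": "/remote/saml/login",
    "single-logout-url": "/remote/saml/logout",
}

# Constructed sample (placeholder host and IdP IDs); note the member typo.
SAMPLE_CONFIG = """\
config user saml
    edit "ONELOGINSSLVPN"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:10443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10443/remote/saml/logout"
        set idp-entity-id "https://app.onelogin.com/saml/metadata/PLACEHOLDER-APP-ID"
        set idp-single-sign-on-url "https://example.onelogin.com/trust/saml2/http-post/sso/PLACEHOLDER-APP-ID"
        set idp-cert "REMOTE_Cert_1"
        set digest-method sha1
    next
end
config user group
    edit "ONELOGINGROUP"
        set group-type firewall
        set member "ONELOGINGSSLVPN"
    next
end
config vpn ssl setting
    config authentication-rule
        edit 1
            set groups "ONELOGINGROUP"
            set portal "web-access"
        next
    end
end
"""


def parse_fortios(text):
    """Parse nested config/edit/set/next/end text into dicts.

    Result shape: {"user saml": {"ONELOGINSSLVPN": {"cert": ["..."], ...}}}.
    A 'config' nested inside an entry is stored under that entry.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)  # shlex handles the quoted values
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def check_config(text):
    """Return 'ERROR ...' / 'WARN ...' findings for the SAML SSL VPN wiring."""
    cfg = parse_fortios(text)
    findings = []
    saml_users = cfg.get("user saml", {})
    groups = cfg.get("user group", {})
    rules = cfg.get("vpn ssl setting", {}).get("authentication-rule", {})
    # Group members may also be local/LDAP/RADIUS users, so accept those too.
    user_objects = set()
    for table in ("user saml", "user local", "user ldap", "user radius"):
        user_objects.update(cfg.get(table, {}))

    for name, u in saml_users.items():
        netlocs = set()
        for key, path in EXPECTED_SP_PATHS.items():
            if key not in u:
                findings.append(f"ERROR {name}: '{key}' is not set")
                continue
            url = urlsplit(u[key][0])
            netlocs.add(url.netloc)
            if url.scheme != "https":
                findings.append(f"ERROR {name}: {key} must use https")
            if url.path != path:
                findings.append(f"ERROR {name}: {key} path is {url.path!r}, expected {path!r}")
        if len(netlocs) > 1:  # all SP URLs must hit the same FortiGate host:port
            findings.append(f"ERROR {name}: SP URLs use different host:port values {sorted(netlocs)}")
        if not u.get("idp-cert"):
            findings.append(f"ERROR {name}: idp-cert not set; import the IdP certificate first")
        if u.get("digest-method", [""])[0] == "sha1":
            findings.append(f"WARN {name}: digest-method sha1; prefer sha256 if the IdP supports it")

    for gname, g in groups.items():
        for member in g.get("member", []):
            if member not in user_objects:
                findings.append(f"ERROR group {gname}: member {member!r} matches no user object "
                                f"(SAML users: {sorted(saml_users)})")
    for rid, r in rules.items():
        for gname in r.get("groups", []):
            if gname not in groups:
                findings.append(f"ERROR authentication-rule {rid}: group {gname!r} does not exist")
    return findings


def errors(text):
    """Only the findings that will actually break the login."""
    return [f for f in check_config(text) if f.startswith("ERROR")]


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show full-configuration` dump instead of the constructed sample to lint a real unit; the digest-method warning is advisory, while every ERROR line corresponds to a reference the FortiGate will not resolve at login time.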

 

  4. Finally, test the SSL VPN connection. This example uses web mode, but the same configuration applies to tunnel mode.

SAML_OneLogin-06.png

 

SAML_OneLogin-07.png

 

SAML_OneLogin-08.png

 

SAML_OneLogin-09.png

 

Additional suggestion:

If the redirection to the SAML authentication portal fails, use the debugging steps shown below.

If the redirection to the SAML authentication portal succeeds but authentication still fails at the end, check the log entries shown in the images below. The log report can help identify the root cause of the authentication failure.

 

SAML_OneLogin-10.png

 

SAML_OneLogin-11.png