Outbound firewall authentication with Azure AD as a SAML IdP | Administration Guide (2023)

In this example, users are managed in Microsoft Azure Active Directory (AD). The FortiGate is configured for firewall SSO authentication of outbound traffic: the FortiGate acts as the SAML service provider (SP) and authentication is performed by Azure AD as the SAML identity provider (IdP).

A SAML interaction looks like this:


  1. The user initiates web traffic to the Internet.

  2. The FortiGate redirects the user to its local firewall authentication portal (default port 1003 for HTTPS), which then redirects the user to the SAML IdP.

  3. The user signs in on Microsoft's login page in response to the SAML authentication request.

  4. The SAML IdP returns a SAML assertion containing the user and group attributes.

  5. The browser passes the SAML assertion to the SAML SP (the FortiGate).

  6. If the user and group are allowed by the FortiGate, the user is permitted to access the Internet.

In this example environment, a user who belongs to a security group called Firewall is added to Azure AD.

  • Username: John Locus

  • User login: jlocus@azure.kldocs.com

  • Group: Firewall (Object ID 62b699ce-4f80-48c0-846e-c1dfde2dc667)

The goal is to enable users in the Firewall group to access the Internet after passing firewall authentication.


Configure Azure AD

The following Azure AD configuration shows how to add the FortiGate as a non-gallery enterprise application. This application provides SAML SSO connectivity to the Azure AD IdP. Some steps are performed on the FortiGate at the same time.


This example is configured with an Azure AD free tier directory. There may be restrictions on managing users and groups at this tier that do not apply to other tiers. Consult the Microsoft Azure AD documentation for more information.

There are three steps to configuring Azure AD:

  1. Create a new enterprise application.

  2. Configure SAML SSO settings in the application and on the FortiGate.

  3. Assign Azure AD users and groups to the application.

To create a new enterprise application:
  1. Sign in to the Azure portal.

  2. In the Azure portal menu, click Azure Active Directory.

  3. In the left menu, go to Manage > Enterprise applications.

  4. Click New application.


  5. Click Create your own application.


  6. Enter a name for the application (SAML-FW-Auth) and select Integrate any other application you don't find in the gallery (Non-gallery).


  7. Click Create.

To configure SAML SSO settings in the application and on the FortiGate:

This process requires you to go back and forth between Azure and the FortiGate GUI. Leave the FortiGate GUI open during the entire process.

  1. On the enterprise application's Overview page, go to Manage > Single sign-on and select SAML as the single sign-on method.


  2. The Basic SAML Configuration section in Azure describes the SAML SP entity ID and endpoints that Azure will refer to. Configure these on the FortiGate by creating a new SAML server object and setting the SP address. The SP address (IP or FQDN) must be reachable by the user authenticating against the firewall, and the port must match the port used by the FortiGate firewall authentication portal; by default this is 1003 for HTTPS. A dedicated captive portal does not need to be configured separately.

    1. Go to User & Authentication > Single Sign-On and click Create New.

    2. Enter a Name for the SAML object, Azure-AD-SAML.

    3. Enter the SP address, 10.1.0.1:1003. The three SP URLs are filled in automatically.


  3. In Azure, on the Set up Single Sign-On with SAML page, copy the following URLs from the FortiGate into the Basic SAML Configuration section:

     From FortiGate                                                     In the Azure field
     SP entity ID (http://10.1.0.1:1003/remote/saml/metadata/)          Identifier (Entity ID), set as Default
     SP single sign-on URL (https://10.1.0.1:1003/remote/saml/login/)   Reply URL and Sign on URL
     SP single logout URL (https://10.1.0.1:1003/remote/saml/logout/)   Logout URL

  4. Click Save.


  5. Under SAML Signing Certificate, download the Base64 certificate.


  6. Import the certificate from Azure into FortiGate as an IdP certificate:

    1. Go to System > Certificates and click Create/Import > Remote Certificate.

    2. Upload the certificate downloaded from Azure and click OK. A new certificate named REMOTE_Cert_(N) appears under the Remote Certificate section.

    3. Optionally, rename the certificate in the CLI to give it a more recognizable name:

      config vpn certificate remote
          rename REMOTE_Cert_3 to AZURE_AD_SAML
      end
  7. In the Set up SAML-FW-Auth section in Azure, copy the URLs from Azure into the FortiGate IdP Details section:


    1. On the FortiGate, click Next.

    2. For IdP type, select Custom and copy the following from Azure into the corresponding FortiGate field:

       From Azure              In the FortiGate field
       Azure AD Identifier     IdP entity ID
       Login URL               IdP single sign-on URL
       Logout URL              IdP single logout URL

    3. For IdP certificate, select the previously imported remote certificate.

  8. In Azure, edit the User Attributes & Claims section. These attributes are returned in the SAML assertion, which the FortiGate uses to authenticate users and groups. Configuring the group claim is optional.

    1. Click Add new claim, name it username, and set the Source attribute to user.displayname. The source attribute can be any field associated with the username. The username value returned to the FortiGate is used in logs and widgets to identify the user.

    2. Click Save.

    3. Click Add a group claim and, in the Group Claims pane, select All groups.

    4. Under Advanced options, select Customize the name of the group claim and set the Name to group.


    5. Click Save. The User Attributes & Claims section shows the updated settings.


  9. On the FortiGate, update the Additional SAML Attributes section with the username and group claims created in Azure:

    1. For Attribute used to identify users, enter username.

    2. For Attribute used to identify groups, enter group.


    3. Click Submit.

To assign users and groups to the Azure AD application:
  1. In Azure, go to Manage > Users and groups and click Add user/group.

  2. Click Users to select users or groups (John Locus is selected in this example).

  3. Click Assign to add the assignment.


Configuring the FortiGate

A user group, the user authentication settings, and the firewall policies must be configured on the FortiGate.

User group configuration

A user group named Azure-FW-Auth is created with the member Azure-AD-SAML.

Group mapping configuration is optional; when it is used, the Object ID of the group in Azure is required for the match settings. In the default Azure directory, go to Manage > Groups and find the Object ID of the Firewall group.


To configure a user group:
    config user group
        edit "Azure-FW-Auth"
            set member "Azure-AD-SAML"
            config match
                edit 1
                    set server-name "Azure-AD-SAML"
                    set group-name "62b699ce-4f80-48c0-846e-c1dfde2dc667"
                next
            end
        next
    end
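To make steps 4 to 6 of the SAML flow, the username and group claims, and the user group match concrete, here is an added Python example (not code from this page or from Fortinet) that consumes a SAML response the way the FortiGate SP does: it decodes the POSTed SAMLResponse, checks the validity window and the audience against the SP entity ID, reads the username and group claims configured in Azure, and applies the config match entries of the Azure-FW-Auth user group. The sample response is constructed and unsigned; the issuer tenant GUID and the second group ID in it are placeholders. A real Azure AD response is signed, and the FortiGate verifies that signature with the imported IdP certificate before it trusts any attribute; this example deliberately leaves signature verification out to keep the focus on the claim and group logic.

```python
"""Consume a SAML response as the FortiGate SP does (added example, not Fortinet code)."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the page's configuration.
SP_ENTITY_ID = "http://10.1.0.1:1003/remote/saml/metadata/"
USER_ATTR = "username"   # FortiGate: "Attribute used to identify users"
GROUP_ATTR = "group"     # FortiGate: "Attribute used to identify groups"

# Mirrors 'config user group': member server plus optional 'config match' entries.
USER_GROUPS = {
    "Azure-FW-Auth": {
        "member": ["Azure-AD-SAML"],
        "match": [("Azure-AD-SAML", "62b699ce-4f80-48c0-846e-c1dfde2dc667")],
    },
}

# Constructed, unsigned sample. Tenant GUID and the second group ID are placeholders.
# A real response is signed; the FortiGate verifies it with the IdP certificate first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    Destination="https://10.1.0.1:1003/remote/saml/login/">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions NotBefore="2021-09-30T16:44:25.000Z" NotOnOrAfter="2021-09-30T17:49:25.000Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://10.1.0.1:1003/remote/saml/metadata/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>John Locus</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>62b699ce-4f80-48c0-846e-c1dfde2dc667</saml:AttributeValue>
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """xs:dateTime in UTC, with or without fractional seconds (Azure AD emits them)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def match_user_group(server_name, groups, user_groups=USER_GROUPS):
    """Return the FortiGate user group the user lands in, or None (Firewall authentication failed)."""
    for name, cfg in user_groups.items():
        if server_name not in cfg["member"]:
            continue
        if not cfg["match"]:  # no group mapping: any user this server authenticated is a member
            return name
        if any(srv == server_name and gid in groups for srv, gid in cfg["match"]):
            return name
    return None


def evaluate(saml_response_b64, server_name, now, user_groups=USER_GROUPS):
    """Decode the POSTed SAMLResponse, check conditions, extract claims, map to a user group."""
    rejected = {"user": None, "groups": [], "group": None}
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return dict(rejected, reason="no assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if now < parse_time(cond.get("NotBefore")) or now >= parse_time(cond.get("NotOnOrAfter")):
            return dict(rejected, reason="assertion expired or not yet valid")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and SP_ENTITY_ID not in audiences:
            return dict(rejected, reason="audience does not match SP entity ID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    user = attrs.get(USER_ATTR, [None])[0]
    groups = attrs.get(GROUP_ATTR, [])
    group = match_user_group(server_name, groups, user_groups)
    reason = "ok" if group else "No matching SAML username or group in auth policy"
    return {"user": user, "groups": groups, "group": group, "reason": reason}


def evaluate_sample(now_iso="2021-09-30T16:49:25Z", user_groups=USER_GROUPS):
    """Run the constructed sample; the default 'now' is the page's log time (09:49:25 -0700)."""
    b64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    return evaluate(b64, "Azure-AD-SAML", parse_time(now_iso), user_groups)


if __name__ == "__main__":
    print(evaluate_sample())
```

Running the module prints the evaluation of the sample: user John Locus, matched group Azure-FW-Auth. Passing a user_groups dict whose match entry carries a different Object ID reproduces the page's Firewall authentication failed case (user known, group None, reason as in the failure log), and an empty match list shows the optional nature of group mapping: any user Azure-AD-SAML authenticated is then a member.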

Configure the user authentication setting

When a user initiates traffic, the FortiGate redirects the user to the firewall authentication portal before redirecting them to the SAML IdP. After the SAML IdP responds with a SAML assertion, the user is redirected back to the firewall authentication portal. If the user does not trust the firewall portal certificate, they receive a certificate warning. Use a custom certificate that the user trusts to avoid the warning.

To configure a custom certificate:
  1. Go to User & Authentication > Authentication Settings.

  2. For Certificate, select a custom certificate. The SAN field of the custom certificate must contain the FQDN or IP used in the SP URL.

Alternatively, assigning a CA certificate allows the FortiGate to automatically generate and sign a certificate for the authentication portal. This overrides any assigned server certificate. This example uses the built-in Fortinet_CA_SSL.

To assign a CA certificate:
  1. Edit the user setting:

    config user setting
        set auth-ca-cert "Fortinet_CA_SSL"
    end
  2. Go to System > Certificates and download the CA certificate.

  3. Install the CA certificate in the client's certificate store.

Configuring firewall policies

Firewall policies must be configured to authenticate users and to allow users behind the FortiGate to reach the Microsoft login portal without authentication.

To configure the firewall policies:
  1. Configure a policy to allow traffic to the Microsoft Azure web service:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Enter the following:

       Name                   LAN-to-AuthPortal
       Incoming Interface     port3
       Outgoing Interface     port1
       Source                 all
       Destination            Microsoft-Azure (under Internet Service)
       Schedule               always
       Service                ALL
       Action                 ACCEPT
       NAT                    Enable NAT.
       Log Allowed Traffic    Enable and select All Sessions.

    3. Configure the remaining settings as needed.

    4. Click OK.

  2. Configure a policy to enforce user authentication:

    1. Click Create New and enter the following:

       Name                   LAN-Auth-Policy
       Incoming Interface     port3
       Outgoing Interface     port1
       Source                 all, Azure-FW-Auth
       Destination            all
       Schedule               always
       Service                ALL
       Action                 ACCEPT
       NAT                    Enable NAT.
       Log Allowed Traffic    Enable and select All Sessions.

    2. Configure the remaining settings as needed.

    3. Click OK.

Login from the client

When a user browses the Internet from a browser, they are redirected to Microsoft's login page to authenticate against Azure AD. The FortiGate authentication portal certificate must be trusted by the client, so the certificate (or the CA certificate that signed it) must be installed on the client.

To log in from the client:
  1. On the client computer, open a browser (such as Firefox) and go to a website. The user is redirected to Microsoft's login page.

  2. Enter your user information.


  3. If the login attempt is successful, the user gets access to the Internet.

View logs and diagnostics

To confirm the user login, go to Dashboard > Users & Devices and expand the Firewall Users widget, or enter the following in the CLI:

    # diagnose firewall auth list
    10.1.0.100, John Locus
            src_mac: 02:09:0f:00:03:03
            type: fw, id: 0, duration: 152, idle: 7
            expire: 292, allow-idle: 300
            server: Azure-AD-SAML
            packets: in 2097 out 932, bytes: in 2208241 out 143741
            group_id: 2
            group_name: Azure-FW-Auth
    ----- 1 listed, 0 filtered ------

To check the user logs, go to Log & Report > System Events and select the User Events card, or enter the following in the CLI:

    # execute log filter category event
    # execute log filter field subtype user
    # execute log display
    17 logs found.
    10 logs returned.
    ...
    7: date=2021-09-30 time=09:49:25 eventtime=1633020565577584390 tz="-0700" logid="0102043039" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication logon" srcip=10.1.0.100 user="John Locus" authserver="Azure-AD-SAML" action="auth-logon" status="logon" msg="User John Locus added in auth logon"
    8: date=2021-09-30 time=09:49:25 eventtime=1633020565577075629 tz="-0700" logid="0102043008" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication success" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="John Locus" group="Azure-FW-Auth" authproto="HTTPS(10.1.0.100)" action="authentication" status="success" reason="N/A" msg="User John Locus succeeded in authentication"

If a user authenticates to Azure AD but their group does not match the one defined in the FortiGate user group, the user receives a Firewall authentication failed message in the browser. A log entry is also generated:

    # execute log filter category event
    # execute log filter field subtype user
    # execute log display
    1: date=2021-09-30 time=10:39:35 eventtime=1633023575381139214 tz="-0700" logid="01020430" type="event" subtype="user" level="notice" vd="root" logdesc="Authentication failed" srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="Adam Thompson" group="N/A" authproto="HTTPS(10.1.0.100)" action="authentication" status="failed" reason="No matching SAML username or group in auth policy" msg="User Adam Thompson failed in authentication"
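The log entries above are easier to act on once parsed. This added Python example (not from this page or from Fortinet) parses FortiGate key=value event logs and picks out the case the page describes: a user whom Azure AD authenticated but whom no FortiGate user group matched, which the FortiGate records as status="failed" with group="N/A". The sample lines are constructed from the page's own entries, reduced to the fields used here; the field names are the FortiOS ones shown above.

```python
"""Parse FortiGate user-authentication event logs (added example, not Fortinet code)."""
import re

# key=value pairs; quoted values may contain spaces, unquoted values run to whitespace.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed from the page's log entries, reduced to the fields used here.
SAMPLE_LOGS = [
    'date=2021-09-30 time=09:49:25 type="event" subtype="user" logdesc="Authentication logon" '
    'srcip=10.1.0.100 user="John Locus" authserver="Azure-AD-SAML" action="auth-logon" '
    'status="logon" msg="User John Locus added in auth logon"',
    'date=2021-09-30 time=09:49:25 type="event" subtype="user" logdesc="Authentication success" '
    'srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="John Locus" '
    'group="Azure-FW-Auth" authproto="HTTPS(10.1.0.100)" action="authentication" '
    'status="success" reason="N/A" msg="User John Locus succeeded in authentication"',
    'date=2021-09-30 time=10:39:35 type="event" subtype="user" logdesc="Authentication failed" '
    'srcip=10.1.0.100 dstip=10.1.0.1 policyid=11 interface="port3" user="Adam Thompson" '
    'group="N/A" authproto="HTTPS(10.1.0.100)" action="authentication" status="failed" '
    'reason="No matching SAML username or group in auth policy" '
    'msg="User Adam Thompson failed in authentication"',
]


def parse_fortigate_log(line):
    """Return one log line as a dict; quotes are stripped from quoted values."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def auth_outcomes(lines):
    """Keep only firewall authentication results (action=authentication), parsed."""
    records = (parse_fortigate_log(line) for line in lines)
    return [r for r in records if r.get("subtype") == "user" and r.get("action") == "authentication"]


def idp_ok_but_no_group(records):
    """The page's failure case: the IdP accepted the user, but no FortiGate user group matched,
    so the FortiGate logs status=failed with group="N/A"."""
    return [r["user"] for r in records if r.get("status") == "failed" and r.get("group") == "N/A"]


def summarize(lines):
    """Map each user to their outcome: the matched group on success, the reason on failure."""
    out = {}
    for r in auth_outcomes(lines):
        out[r["user"]] = r["group"] if r["status"] == "success" else r.get("reason", "unknown")
    return out


if __name__ == "__main__":
    for user, outcome in summarize(SAMPLE_LOGS).items():
        print(f"{user}: {outcome}")
```

The auth-logon entry (action="auth-logon") is intentionally skipped by auth_outcomes: it records the session being created, not the policy decision, and counting it would double-report successful users. Feeding the output of execute log display (or a syslog export) line by line into summarize gives a quick picture of who passed the firewall policy and who stalled at the group match.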

If the user receives the following error message, the user is not assigned to the enterprise application SAML-FW-Auth in Azure.


To troubleshoot SAML:
    # diagnose debug application samld -1
    # diagnose debug enable

Article information

Author: Lilliana Bartoletti

Last Updated: 02/15/2023

Views: 5903

Rating: 4.2 / 5 (73 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Lilliana Bartoletti

Birthday: 1999-11-18

Address: 58866 Tricia Spurs, North Melvinberg, HI 91346-3774

Phone: +50616620367928

Job: Real-Estate Liaison

Hobby: Graffiti, Astronomy, Handball, Magic, Origami, Fashion, Foreign language learning

Introduction: My name is Lilliana Bartoletti, I am a adventurous, pleasant, shiny, beautiful, handsome, zealous, tasty person who loves writing and wants to share my knowledge and understanding with you.