Below is the procedure for setting up authentication on the FortiClient VPN client through Azure AD.
Procedure carried out on a FortiGate 301E running FortiOS 6.4.3.
SAML CLI configuration:
config user saml
    edit "@NOM_USER_SAML"
        set cert "@CERT_LOCAL"
        set entity-id "https://XXXXXXXX.fr/remote/saml/metadata"
        set single-sign-on-url "https://XXXXXXXX.fr/remote/saml/login"
        set single-logout-url "https://XXXXXXXX.fr/remote/saml/logout"
        set idp-entity-id "@URL_AZURE_AD_IDENTIFIER"
        set idp-single-sign-on-url "@URL_LOGIN"
        set idp-single-logout-url "@URL_LOGIN"
        set idp-cert "@CERT_REMOTE"
        set user-name "username"
        set group-name "usergroup"
    next
end
Note: user-name and group-name are the names of the SAML attributes (claims) the FortiGate reads from the assertion, so the Azure AD enterprise application must emit claims with exactly these names; the group match below compares the value of the group claim, so Azure AD has to send the group object IDs under that claim.
Example:
config user saml
    edit "saml_azuread"
        set cert "vpn.frenchnetworkengineer.fr"
        set entity-id "https://vpn.frenchnetworkengineer.fr/remote/saml/metadata"
        set single-sign-on-url "https://vpn.frenchnetworkengineer.fr/remote/saml/login"
        set single-logout-url "https://vpn.frenchnetworkengineer.fr/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/9c176a6f-cd8c-8ef2-9967-CD37e7999b2f/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/9c176a6f-cd8c-8ef2-9967-CD37e7999b2f/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/9c176a6f-cd8c-8ef2-9967-CD37e7999b2f/saml2"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "usergroup"
    next
end
Group CLI configuration:
config user group
    edit "@NOM_GROUP"
        set member "@NOM_USER_SAML"
        config match
            edit 1
                set server-name "@NOM_USER_SAML"
                set group-name "@ID_GROUP_AZURE_AD"
            next
        end
    next
end
Example:
config user group
    edit "GRP-VPNSSL-TECH"
        set member "saml_azuread"
        config match
            edit 1
                set server-name "saml_azuread"
                set group-name "5b245ba0-4bce-4e67-9974-367ab127cb37"
            next
        end
    next
end
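To make the group mapping concrete, here is an added example (not code from the original page or from Fortinet) that emulates what the FortiGate does with the assertion once the IdP signature has been verified: it reads the attributes named by user-name / group-name and evaluates the config match table above. The assertion fragment, the user alice@example.com and the second group ID are constructed for the example; a real assertion is signed and must be validated against idp-cert before any attribute value is trusted.

```python
"""Emulate the FortiGate SAML user/group lookup against an assertion (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names configured with `set user-name` / `set group-name` on the FortiGate.
USER_NAME_ATTR = "username"
GROUP_NAME_ATTR = "usergroup"

# Mirror of the `config user group` match table from the page:
# FortiGate group -> (server-name, Azure AD group object ID)
GROUP_MATCHES = {
    "GRP-VPNSSL-TECH": ("saml_azuread", "5b245ba0-4bce-4e67-9974-367ab127cb37"),
}

# Constructed assertion fragment (hypothetical user and a second, unmapped group ID).
# A real assertion carries a Signature that must be checked against idp-cert first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="usergroup">
      <saml:AttributeValue>5b245ba0-4bce-4e67-9974-367ab127cb37</saml:AttributeValue>
      <saml:AttributeValue>0f9c8c6d-1d4a-4b0e-9f0e-111111111111</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def evaluate_login(attrs, server_name="saml_azuread"):
    """Return (username, matched FortiGate groups).

    username is None when the user-name claim is missing, which the FortiGate
    treats as a failed login. Groups match only when the server-name of the
    match entry is this SAML server AND the Azure AD object ID appears among
    the values of the group claim; display names never match.
    """
    users = attrs.get(USER_NAME_ATTR) or []
    username = users[0] if users else None
    group_ids = set(attrs.get(GROUP_NAME_ATTR, []))
    matched = sorted(
        fg_group
        for fg_group, (srv, object_id) in GROUP_MATCHES.items()
        if srv == server_name and object_id in group_ids
    )
    return username, matched


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_ASSERTION)
    print(evaluate_login(parsed))
```

The last case in the test below is the usual misconfiguration: Azure AD left on its default groups claim name (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) instead of the custom "usergroup" claim, which yields a successful SAML login that matches no FortiGate group and therefore no SSL-VPN portal.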
SSL VPN configuration:
Follow the FortiGate - SSL VPN post.
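As an added example that is not part of the original page or of the SSL VPN post it points to, the FortiOS 6.4 fragment that binds the SAML-backed group to an SSL-VPN portal, followed by the debug commands to watch the SAML exchange when a FortiClient login fails. The portal name "full-access" and the rule ID are assumptions.

```text
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "GRP-VPNSSL-TECH"
            set portal "full-access"
        next
    end
end

# Trace the SAML daemon while a client logs in, then turn it off:
diagnose debug application samld -1
diagnose debug enable
# ... reproduce the login ...
diagnose debug disable
diagnose debug reset
```

Because the authentication rule references the FortiGate group and not the SAML server directly, a user whose assertion carries no matching group object ID authenticates at Azure AD but is refused a portal; the samld trace shows the attributes actually received, which is the fastest way to spot a claim-name mismatch.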
FortiClient VPN configuration
Warning: this solution only works with FortiClient VPN version 6.4.1.9249 or later.
Link for the "FortiClient VPN" thick client: https://www.forticlient.com/downloads
Tick the "Enable Single Sign On (SSO)...." box to enable SAML authentication through the FortiClient VPN client.
For more information: