
Fortinet


FortiGate - SAML SSO login with Azure AD

Below is the procedure for setting up authentication on the FortiClient VPN client through Azure AD.


Procedure carried out on a FortiGate 301E running FortiOS 6.4.3.


  • SAML configuration (CLI):


config user saml

edit "@NOM_USER_SAML"
set cert "@CERT_LOCAL"
set entity-id "https://XXXXXXXX.fr/remote/saml/metadata"
set single-sign-on-url "https://XXXXXXXX.fr/remote/saml/login"
set single-logout-url "https://XXXXXXXX.fr/remote/saml/logout"
set idp-entity-id "@URL_AZURE_AD_IDENTIFIER"
set idp-single-sign-on-url "@URL_LOGIN"
set idp-single-logout-url "@URL_LOGIN"
set idp-cert "@CERT_REMOTE"
set user-name "username"
set group-name "usergroup"
next
end

Example:

config user saml

edit "saml_azuread"
set cert "vpn.frenchnetworkengineer.fr"
set entity-id "https://vpn.frenchnetworkengineer.fr/remote/saml/metadata"
set single-sign-on-url "https://vpn.frenchnetworkengineer.fr/remote/saml/login"
set single-logout-url "https://vpn.frenchnetworkengineer.fr/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/9c176a6f-cd8c-8ef2-9967-CD37e7999b2f/"
set idp-single-sign-on-url "https://login.microsoftonline.com/9c176a6f-cd8c-8ef2-9967-CD37e7999b2f/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/9c176a6f-cd8c-8ef2-9967-CD37e7999b2f/saml2"
set idp-cert "REMOTE_Cert_2"
set user-name "username"
set group-name "usergroup"
next
end


  • Group configuration (CLI):


config user group
edit "@NOM_GROUP"
set member "@NOM_USER_SAML"
config match
edit 1
set server-name "@NOM_USER_SAML"
set group-name "@ID_GROUP_AZURE_AD"
next
end
end

Example:

config user group
edit "GRP-VPNSSL-TECH"
set member "saml_azuread"
config match
edit 1
set server-name "saml_azuread"
set group-name "5b245ba0-4bce-4e67-9974-367ab127cb37"
next
end
end
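The two CLI blocks above declare a mapping: the assertion's Issuer must equal idp-entity-id, its Audience must equal entity-id, the attribute named by user-name carries the login, and the attribute named by group-name carries Azure AD group object IDs, which config match compares against the ID in each FortiGate group. The script below is an added example (not from the original post or from Fortinet) that applies that mapping to a constructed, unsigned SAML response so the attribute names and group IDs can be checked offline before the VPN goes live; the SAML response, the user "alice@frenchnetworkengineer.fr" and the second group ID are invented for the example, and signature validation against idp-cert, which the FortiGate itself performs, is not modelled.

```python
"""Apply a FortiGate 'user saml' / 'user group' mapping to a SAML response.

Added example, not the original post's or Fortinet's code. The configuration
values mirror the example CLI on the page; the SAML response is constructed
and unsigned (a real IdP response is signed and checked against idp-cert).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# config user saml "saml_azuread" (values taken from the page's example)
SP_CONFIG = {
    "entity-id": "https://vpn.frenchnetworkengineer.fr/remote/saml/metadata",
    "idp-entity-id": "https://sts.windows.net/9c176a6f-cd8c-8ef2-9967-CD37e7999b2f/",
    "user-name": "username",
    "group-name": "usergroup",
}

# config user group -> config match: FortiGate group name -> Azure AD group object ID
GROUP_MATCH = {
    "GRP-VPNSSL-TECH": "5b245ba0-4bce-4e67-9974-367ab127cb37",
}

# Constructed sample response for this example only (second group ID is a dummy).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.windows.net/9c176a6f-cd8c-8ef2-9967-CD37e7999b2f/</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/9c176a6f-cd8c-8ef2-9967-CD37e7999b2f/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.frenchnetworkengineer.fr/remote/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@frenchnetworkengineer.fr</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="usergroup">
        <saml:AttributeValue>5b245ba0-4bce-4e67-9974-367ab127cb37</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_attributes(xml_text):
    """Return (assertion issuer, audience, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience",
        default="", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return issuer, audience, attrs


def evaluate(xml_text, sp_config=SP_CONFIG, group_match=GROUP_MATCH):
    """Reject on issuer/audience mismatch, then map group IDs to FortiGate groups."""
    issuer, audience, attrs = parse_attributes(xml_text)
    if issuer != sp_config["idp-entity-id"]:
        return {"accepted": False, "reason": "issuer does not match idp-entity-id"}
    if audience != sp_config["entity-id"]:
        return {"accepted": False, "reason": "audience does not match entity-id"}
    user_values = attrs.get(sp_config["user-name"], [])
    if not user_values:
        return {"accepted": False, "reason": "user-name attribute missing"}
    idp_groups = set(attrs.get(sp_config["group-name"], []))
    matched = sorted(fg for fg, azure_id in group_match.items() if azure_id in idp_groups)
    return {"accepted": True, "user": user_values[0], "groups": matched}


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE))
```

If the result shows an accepted user with an empty groups list, the claim names or the group object ID in the Azure AD enterprise application do not line up with user-name, group-name and config match on the FortiGate, which is the usual reason the VPN portal denies a user who authenticated successfully at Azure AD.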


  • SSL VPN configuration:


Follow the post FortiGate - SSL VPN




  • FortiClient VPN configuration


Note: this solution only works with FortiClient VPN version 6.4.1.9249 or later.


Link for the "FortiClient VPN" desktop client: https://www.forticlient.com/downloads


  1. Check the box "Enable Single Sign On (SSO)...." to enable SAML authentication through the FortiClient VPN client.




For more information:


https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/219787/saml-sp-for-vpn-authentication

