SAML-based SSL-VPN via Azure AD

This page documents the FortiGate specific side of the configuration requirements, supplementary to the Microsoft published guide for deploying the Enterprise Application within Azure.

Supplementary to the Microsoft published guide for deploying the Enterprise Application within Azure.

Creating the SAML User

config user saml
 edit "AzureAD-SAML"
  set cert "le-vpn.example.com"
  set entity-id "https://vpn.example.com/remote/saml/metadata"
  set single-sign-on-url "https://vpn.example.com/remote/saml/login"
  set single-logout-url "https://vpn.example.com/remote/saml/logout"
  set idp-entity-id "https://sts.windows.net/abcd1234/"
  set idp-single-sign-on-url "https://login.microsoftonline.com/abcd1234"
  set idp-single-logout-url "https://login.microsoftonline.com/abcd1234"
  set idp-cert "Azure-AD-SAML"
  set user-name "username"
  set group-name "group"
  set digest-method sha256
 next
end

Note: The Microsoft guide does not reference SHA256 as the digest-method. This is now a requirement and it will not function without this.

Creating the User Group

config user group
 edit "user-vpn"
  set member "AzureAD-SAML"
  config match
   edit 1
    set server-name "AzureAD-SAML"
    set group-name "1234abcd"
   next
   end
 next
end

Note: Find the "group ID" in Azure AD for the group referencing your VPN users, and use this in the configuration. You can create multiple groups on the firewall, matching multiple groups in Azure AD if you wish to use different policies for different groups.

Configure the SSL-VPN Portal

config vpn ssl web portal
 edit "no-access"
  set limit-user-logins enable
  set forticlient-download disable
 next
 edit "full-tunnel"
  set tunnel-mode enable
  set web-mode enable
  set limit-user-logins enable
  set forticlient-download disable
  set ip-pools "sslvpn-users-192.168.2.0/24"
  set split-tunneling-routing-address "my-lan-192.168.1.0/24"
 next
end

Note: Only a requirement for new configurations. If you're migrating to SAML via Azure AD you can edit your existing portals.

Note: Best practice suggests you configure a default portal that provides no access.

Note: This assumes you have already preconfigured your user IP pools and your routing addresses. It also assumes you're using full tunnelling. Split-tunnelling will require different configuration.

Configure the SSL-VPN Settings

config vpn ssl settings
 set banned-cipher RSA 3DES SHA1
 set servercert "le-vpn.example.com"
 set login-timeout 90
 set tunnel-ip-pools "sslvpn-users-192.168.2.0/24"
 set dns-suffix "example.com"
 set dns-server1 192.168.2.2
 set dns-server2 192.168.2.3
 set port 443
 set source-interface "ext-if"
 set source-address "Geo-US"
 set source-address6 "Geo-US-v6"
 set default-portal "no-access"
 config authentication-rule
  edit 1
   set groups "user-vpn"
   set portal "full-tunnel"
  next
 end
end

Note: Only a requirement for new configurations. If you're migrating to SAML via Azure AD you can edit your existing settings.

Note: This configuration also employs some best-practice configuration around disabling weak ciphers, setting Geo-IP ranges allowed to access the SSL-VPN interface, setting DNS servers for clients as well as the DNS-suffix.

Note: This assumes you have a valid SSL certificate present and configured prior. From FortiOS v7.0.0 onwards you can use LetsEncrypt via ACME if required.

Note: Altering the login-timeout provides users additional time during authentication to perform the required 2FA prompts via the Microsoft Authenticator app, or SMS/phone verification if required.

Troubleshooting

This usually occurs when the firewall policies have been created before the SAML configuration (e.g., you've added the SAML group to an existing policy). If this applies to you, it can be resolved by created a new firewall policy with the SAML group as a source.

Debugging the SSL VPN

Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN with a debug level of -1 for detailed results.

diagnose debug application sslvpn -1
diagnose debug enable

The CLI displays debug output similar to the following:

[282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

To disable the debug:

diagnose debug disable
diagnose debug reset

PreviousFan Replacement - FG-100F

Last updated 2 years ago

Was this helpful?

SAML-based SSL-VPN via Azure AD

This page documents the FortiGate specific side of the configuration requirements, supplementary to the Microsoft published guide for deploying the Enterprise Application within Azure.

Supplementary to the Microsoft published guide for deploying the Enterprise Application within Azure.

Creating the SAML User

config user saml
 edit "AzureAD-SAML"
  set cert "le-vpn.example.com"
  set entity-id "https://vpn.example.com/remote/saml/metadata"
  set single-sign-on-url "https://vpn.example.com/remote/saml/login"
  set single-logout-url "https://vpn.example.com/remote/saml/logout"
  set idp-entity-id "https://sts.windows.net/abcd1234/"
  set idp-single-sign-on-url "https://login.microsoftonline.com/abcd1234"
  set idp-single-logout-url "https://login.microsoftonline.com/abcd1234"
  set idp-cert "Azure-AD-SAML"
  set user-name "username"
  set group-name "group"
  set digest-method sha256
 next
end

Note: The Microsoft guide does not reference SHA256 as the digest-method. This is now a requirement and it will not function without this.

Creating the User Group

config user group
 edit "user-vpn"
  set member "AzureAD-SAML"
  config match
   edit 1
    set server-name "AzureAD-SAML"
    set group-name "1234abcd"
   next
   end
 next
end

Configure the SSL-VPN Portal

config vpn ssl web portal
 edit "no-access"
  set limit-user-logins enable
  set forticlient-download disable
 next
 edit "full-tunnel"
  set tunnel-mode enable
  set web-mode enable
  set limit-user-logins enable
  set forticlient-download disable
  set ip-pools "sslvpn-users-192.168.2.0/24"
  set split-tunneling-routing-address "my-lan-192.168.1.0/24"
 next
end

Note: Only a requirement for new configurations. If you're migrating to SAML via Azure AD you can edit your existing portals.

Note: Best practice suggests you configure a default portal that provides no access.

Note: This assumes you have already preconfigured your user IP pools and your routing addresses. It also assumes you're using full tunnelling. Split-tunnelling will require different configuration.

Configure the SSL-VPN Settings

config vpn ssl settings
 set banned-cipher RSA 3DES SHA1
 set servercert "le-vpn.example.com"
 set login-timeout 90
 set tunnel-ip-pools "sslvpn-users-192.168.2.0/24"
 set dns-suffix "example.com"
 set dns-server1 192.168.2.2
 set dns-server2 192.168.2.3
 set port 443
 set source-interface "ext-if"
 set source-address "Geo-US"
 set source-address6 "Geo-US-v6"
 set default-portal "no-access"
 config authentication-rule
  edit 1
   set groups "user-vpn"
   set portal "full-tunnel"
  next
 end
end

Note: Only a requirement for new configurations. If you're migrating to SAML via Azure AD you can edit your existing settings.

Note: This assumes you have a valid SSL certificate present and configured prior. From FortiOS v7.0.0 onwards you can use LetsEncrypt via ACME if required.

Note: Altering the login-timeout provides users additional time during authentication to perform the required 2FA prompts via the Microsoft Authenticator app, or SMS/phone verification if required.

Troubleshooting

Debugging the SSL VPN

Use the following diagnose commands to identify SSL VPN issues. These commands enable debugging of SSL VPN with a debug level of -1 for detailed results.

diagnose debug application sslvpn -1
diagnose debug enable

The CLI displays debug output similar to the following:

[282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

To disable the debug:

diagnose debug disable
diagnose debug reset

PreviousFan Replacement - FG-100F

Last updated 2 years ago

Was this helpful?

Creating the SAML User

Creating the User Group

Configure the SSL-VPN Portal

Configure the SSL-VPN Settings

Troubleshooting

"Invalid HTTP Request" when attempting to login.

Debugging the SSL VPN

Creating the SAML User

Creating the User Group

Configure the SSL-VPN Portal

Configure the SSL-VPN Settings

Troubleshooting

"Invalid HTTP Request" when attempting to login.

Debugging the SSL VPN