Fortigate with inWebo SAML
InWebo provides innovative, no-hardware, 100% SaaS, strong authentication solutions for employee and consumer secure transactions.
The purpose of this documentation is to explain how to use InWebo products to protect access to Fortigate VPN through a SAML implementation.
This documentation describes a SAML implementation on a Fortigate with a basic VPN access configuration; you may have to adjust the steps depending on your own Fortigate configuration.
Before you start, please ensure that the following requirements are fulfilled.
You will need Fortigate version 6.2.0 or later to deploy a SAML implementation. On earlier versions you can integrate inWebo through a RADIUS or LDAP Proxy implementation instead.
An inWebo service with administrator rights (if you don't have any inWebo service yet, you can register for a trial account here).
An administrator access to your Fortigate environment for the implementation.
Step 1: Create a SAML connector on inWebo platform
Login to your inWebo administration console.
Go to the “Secure Sites” tab.
In the “Connectors” section, click on “Add a connector of type” and select “SAML 2.0”.
Click on “Add”.
We will need to come back to this connector to insert the Fortigate metadata, but we will perform this action later.
The SAML connector on the inWebo side has been created. You will need the values shown in “1- inWebo Identity Provider (IdP) Metadata” during the configuration of your Fortigate.
You also need to download the inWebo IdP certificate; you will import it into your Fortigate later.
Step 2: Create a secure site on inWebo platform
Login to your inWebo administration console.
Go to the “Secure Sites” tab.
Click on “Add a Secure Site of type” and select the name of the SAML connector you created for Fortigate.
In the window that opens, set a Secure Site name of your choice and set the Called URL to your Fortigate internet address.
The Called URL setting is only used to create a bookmark for the user on the myinwebo.com portal; it has no impact on security.
Click on “Add” to save the configuration.
The inWebo secure site, related to your SAML connector for Fortigate, has been successfully created.
We still need to finalize its configuration with the SP metadata of Fortigate.
Step 3: Fortigate (version 7.0.3) Certificate configuration
You will need to import the inWebo certificate in order to reference it in your Fortigate Single Sign-on configuration.
Go to System → “Certificates”
Then click on “Create / Import” and select “Remote Certificate”
Select the inWebo certificate that you have downloaded from the inWebo administration console previously and click on “OK”
The inWebo certificate has been imported:
You may face issues importing the certificate through the Fortigate GUI; it is more reliable to use the following CLI commands.
Open the inWebo certificate file (.crt) in a text editor and paste its full content, including the BEGIN and END lines, between the quotes of the “set remote” CLI command. The object name (here inWebo_IdP) is your choice; it is the name you will select as the IdP certificate in the next step.
config vpn certificate remote
    edit "inWebo_IdP"
        set remote "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----"
    next
end
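Pasting a multi-line PEM into the CLI by hand is error-prone, and a certificate body with a stray character is silently useless. The following script is an added example (not part of the original documentation or of any Fortinet or inWebo tool): it reads the downloaded .crt content, checks that it is a single, well-formed PEM certificate whose body decodes to DER, and prints the complete FortiOS CLI block ready to paste. The object name and the sample PEM are assumptions; the sample is a tiny constructed DER SEQUENCE, not a real certificate.

```python
import base64
import re

# Constructed sample, not a real certificate: a minimal DER SEQUENCE so the
# base64/DER checks have something to decode (assumption for the demo).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pem(pem_text: str) -> str:
    """Return the normalised PEM block, or raise ValueError if the .crt
    content is not exactly one well-formed certificate."""
    text = pem_text.strip().replace("\r\n", "\n")
    if text.count(BEGIN) != 1 or text.count(END) != 1:
        raise ValueError("expected exactly one BEGIN/END CERTIFICATE pair")
    body = text[text.index(BEGIN) + len(BEGIN):text.index(END)]
    b64 = "".join(body.split())  # drop line breaks and stray spaces
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("certificate body contains non-base64 characters")
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded body does not start with a DER SEQUENCE")
    # Re-wrap the body at 64 columns so the pasted command stays readable.
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END])


def build_remote_cert_cli(pem_text: str, name: str) -> str:
    """Emit the FortiOS CLI block that imports the IdP certificate as a
    remote certificate under the given object name (name is your choice)."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise ValueError("use a plain alphanumeric certificate object name")
    pem = check_pem(pem_text)
    return (
        "config vpn certificate remote\n"
        f'    edit "{name}"\n'
        f'        set remote "{pem}"\n'
        "    next\n"
        "end\n"
    )


if __name__ == "__main__":
    # Typical use: python3 this_script.py < inwebo_idp.crt, then paste the output.
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PEM
    print(build_remote_cert_cli(source, "inWebo_IdP"))
```

Run it with the real .crt on standard input and paste the printed block into the Fortigate CLI; the script refuses any file that contains more than one certificate, non-base64 characters, or a body that is not DER, which are the usual causes of a failed import.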
Step 4: Fortigate (version 7.0.3) Single Sign-on configuration
Go to “User & Authentication”
Select “Single Sign-on”
Create a new Single Sign-On configuration
Give it a name
Add the IP or the FQDN of your Fortigate server (as FQDN:PORT if you are using a specific port)
Then click on Next
In the IdP configuration page, select “Custom” as the IdP type
Then copy/paste the information from your SAML connector in the inWebo administration console into this Fortigate page.
Open the IdP metadata of your Fortigate SAML connector in the inWebo administration console to find these URLs:
in “IdP entity ID”, copy the Issuer URL
in “IdP single sign-on URL”, copy the Single Sign On URL
in “IdP single logout service URL”, copy the Single Logout Service URL
in “IdP certificate”, select the inWebo certificate you have imported previously
In the next section you can choose the attributes you want to use.
Depending on your configuration you will need to set the matching attributes in your inWebo SAML connector. We will configure that in the next step.
You can also define an attribute to identify groups, but you will need to configure it on your inWebo SAML connector as well, since Fortigate expects this information to be provided in the IdP response.
Then you can click on “Submit” to validate.
Step 5: Fortigate metadata & attributes
We need to finalize the SAML connector into the inWebo administration console.
You should complete the following metadata with your Fortigate URL:
URL generated by Fortigate may contain errors. Please, correct them before proceeding to the next step:
The Assertion consumer service URL should end with /remote/saml/login
The Single logout service URL should end with /remote/saml/logout
Insert your Fortigate URLs into this metadata:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="FORTIGATE SP Entity ID URL">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="FORTIGATE SP single logout URL"></md:SingleLogoutService>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="FORTIGATE SP single sign-on URL" index="0" isDefault="true"></md:AssertionConsumerService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
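Because the URLs generated by Fortigate may be wrong, it is worth checking the SP metadata before pasting it into the inWebo connector: a mistyped ACS URL makes every login fail, and a metadata that drops WantAssertionsSigned="true" would let the SP accept unsigned assertions. The script below is an added example (not part of the original documentation or of any Fortinet or inWebo product): it parses the metadata, reports the endpoint and signing problems described above, and can rewrite the two endpoints from your Fortigate base URL. The host vpn.example.com and port 10443 are assumed sample values.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_SUFFIX = "/remote/saml/login"   # Fortigate assertion consumer path
SLO_SUFFIX = "/remote/saml/logout"  # Fortigate single logout path
ET.register_namespace("md", MD)  # keep the md: prefix when serialising

# Constructed sample (assumed host): ACS path has a trailing slash, the SLO
# URL is plain http and assertions are not required to be signed.
BAD_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com/remote/saml/metadata/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://vpn.example.com/remote/saml/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com/remote/saml/login/" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

SERVICES = (("AssertionConsumerService", ACS_SUFFIX),
            ("SingleLogoutService", SLO_SUFFIX))


def check_sp_metadata(xml_text: str) -> list:
    """Return a list of problems found in Fortigate SP metadata; empty means OK."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    entity_id = root.get("entityID", "")
    if not entity_id.startswith("https://"):
        problems.append(f"entityID should be an https URL, got {entity_id!r}")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return problems + ["missing md:SPSSODescriptor"]
    if sp.get("WantAssertionsSigned") != "true":
        problems.append('WantAssertionsSigned must be "true" so unsigned assertions are rejected')
    for tag, suffix in SERVICES:
        svc = sp.find(f"{{{MD}}}{tag}")
        if svc is None:
            problems.append(f"missing md:{tag}")
            continue
        loc = svc.get("Location", "")
        if not loc.startswith("https://"):
            problems.append(f"{tag} Location should use https, got {loc!r}")
        if not loc.endswith(suffix):
            problems.append(f"{tag} Location should end with {suffix}, got {loc!r}")
        if svc.get("Binding") != HTTP_POST:
            problems.append(f"{tag} Binding should be HTTP-POST")
    return problems


def fix_sp_metadata(xml_text: str, base_url: str) -> str:
    """Rewrite both endpoints from the Fortigate base URL (scheme://host[:port])
    and force WantAssertionsSigned on; returns the corrected XML."""
    base = base_url.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("base_url must start with https://")
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("missing md:SPSSODescriptor")
    sp.set("WantAssertionsSigned", "true")
    for tag, suffix in SERVICES:
        svc = sp.find(f"{{{MD}}}{tag}")
        if svc is None:
            svc = ET.SubElement(sp, f"{{{MD}}}{tag}")
        svc.set("Binding", HTTP_POST)
        svc.set("Location", base + suffix)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for p in check_sp_metadata(BAD_METADATA):
        print("problem:", p)
    print(fix_sp_metadata(BAD_METADATA, "https://vpn.example.com:10443"))
```

Run the check on the metadata exported from Fortigate; if anything is reported, use the fix function with the address users actually reach (including the port if you use one), paste the result into the “1- Service provider (SP) Metadata” field, and re-run the check on the pasted text to confirm it is clean.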
In the “1- Service provider (SP) Metadata” section, paste the Fortigate Service Provider (SP) metadata.
In the “3- SAML Attributes” section, configure the attributes matching your Fortigate configuration. For example, if you are using a specific attribute as the uid, or a group attribute, you will need to configure it here.
Here is an example:
To offer a better experience to your users, set the “Push Authentication” setting to Yes. This option lets your users receive a notification on their mobile or desktop token that automatically generates an OTP.
Step 6: Apply the new policy on Fortigate
Depending on your configuration and its complexity this procedure may differ, but the idea is the same: you need to apply this new Single Sign On authentication mechanism to your VPN.
Create a group for SAML authentication
Go to “User Groups”
Create a new Group, select “Remote Server” with the “Single Sign On authentication” you have created, and add your “Members” to this group
Update your VPN Settings
Then go to VPN → SSL-VPN Settings
Add your SAML group in the “Authentication/Portal Mapping” section and map it to the relevant “Portal” depending on your configuration
Update your firewall policy
Go to “Policy & Objects” → “Firewall Policy” and add the group to the relevant policy depending on your configuration
Add the SAML group to the authorized Source of your Policy
Authenticating in Fortigate through a browser
You can now go into your Fortigate portal url to see the result:
The Single Sign-On link is available
When you click on it, you will have a SAML redirection to inWebo that will perform the strong authentication
If the browser is not an enrolled token, you can trigger a push to a mobile or desktop token.
If the browser is an enrolled token, you can authenticate directly.
Then after the strong authentication, you are connected.
Authenticating in Fortigate through a FortiClient
By default FortiClient does not use the Single Sign On authentication.
You will need to enable Single Sign On in your FortiClient connection settings.
Edit or add a new connection
Select “Enable Single Sign On (SSO) for VPN Tunnel”
You can also enable “use external browser as user-agent for SAML user authentication” if you want to use the default browser of your PC rather than the internal browser managed by FortiClient
After the activation you can use the Single Sign On feature to authenticate with inWebo
either with a mobile or desktop token through a notification,
or by using the browser embedded in FortiClient, in which case FortiClient itself can be used directly as a token to authenticate