Configure Fortigate SSL VPN to use Azure AD as SAML IDP (MFA / Conditional Access)

104,038 views

GraniteDan

1 day ago

Welcome to this tutorial video on using Azure AD and SAML to authenticate Fortigate SSL VPN users.
Traditionally, to authenticate VPN users you would use LDAP or RADIUS. RADIUS was required if you needed to provide different levels of access to different groups of users; this was handled by having the RADIUS server return a vendor-specific attribute that matched the name of a group defined on the Fortigate.
But what if you want to authenticate against Azure AD and make use of multi-factor authentication? This video shows how to provide role-based access to users with full access to Azure AD MFA as well as Conditional Access policies.
There are other solutions that make use of RADIUS and an add-on for Network Policy Server, but these solutions have limitations regarding authentication methods and returning vendor-specific attributes for role-based access.
I am using FortiOS 7.0 on my lab appliance and a newly created trial Microsoft 365 tenant. However, documentation states that this should work with all versions of FortiOS 6.2 and higher.
Fortinet Docs:
docs.fortinet....
Note: It seems the documentation from Fortinet has been taken down. Please find this link to an alternate PDF copy of the doc (see pg 140):
fortinetweb.s3...
Microsoft Docs:
docs.microsoft...
No group info in SAML response:
Azure Active Directory limits the number of groups it will emit in a token to 150 for SAML assertions and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted and a link to the Graph endpoint to obtain group information is included instead. So you need to use the option "groups assigned to the application" under User attributes and claims | Add a group claim.
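To make the "No group info in SAML response" condition concrete, here is an added Python example (not from the video or from Fortinet) that decodes a SAML Response, reports whether the assertion carries group object IDs or only the Azure AD groups-overage link, and mirrors the FortiGate user-group match on object IDs. It assumes the custom claim names "username" and "group" from the Fortinet doc; the assertions it builds are constructed test data, not real tenant output.

```python
# Added example: inspect an Azure AD SAML Response the way a FortiGate SP
# would. Assumes the Azure custom claim names "username" and "group"
# (from the Fortinet doc); the assertions built here are constructed test data.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# When a user is in more groups than Azure AD will emit (150 for SAML), the
# group values are replaced by this overage attribute pointing at Graph, and
# the FortiGate logs "No group info in SAML response".
OVERAGE_ATTR = "http://schemas.microsoft.com/claims/groups.link"


def build_response(attributes):
    """Construct a minimal, unsigned SAML Response (test data only) carrying
    {attribute name: [values]} and return it base64-encoded like SAMLResponse."""
    attr_xml = ""
    for name, values in attributes.items():
        vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        attr_xml += f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        f"<saml:Assertion><saml:AttributeStatement>{attr_xml}"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def inspect_saml_response(saml_response_b64, group_attr="group"):
    """Decode the response and return the username, the group values under
    the configured group attribute, and the overage link if Azure sent one."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    overage = attrs.get(OVERAGE_ATTR)
    return {
        "username": (attrs.get("username") or [None])[0],
        "groups": attrs.get(group_attr, []),
        "overage_link": overage[0] if overage else None,
    }


def match_fortigate_group(groups, allowed_object_ids):
    """Mirror the FortiGate user group match: the SAML group values are Azure
    group object IDs, and the user is authorised if any one is allowed."""
    return sorted(set(groups) & set(allowed_object_ids))


def diagnose(info, allowed_object_ids):
    """Explain the outcome in the terms FortiGate's sslvpn debug log uses."""
    if info["overage_link"]:
        return ("No group info in SAML response: groups overage link present; "
                "restrict the Azure claim to 'groups assigned to the application'.")
    if not info["groups"]:
        return "No group info in SAML response: no group claim was emitted."
    matched = match_fortigate_group(info["groups"], allowed_object_ids)
    if not matched:
        return "Group claim present but no object ID matches a FortiGate group."
    return f"OK: matched group(s) {matched}"


if __name__ == "__main__":
    # Constructed object IDs and overage URL, not real tenant data.
    VPN_GROUP = "00000000-0000-0000-0000-00000000aaaa"
    ok = build_response({"username": ["alice@example.com"],
                         "group": [VPN_GROUP, "00000000-0000-0000-0000-00000000bbbb"]})
    overage = build_response({"username": ["bob@example.com"],
                              OVERAGE_ATTR: ["https://graph.example/placeholder"]})
    for resp in (ok, overage):
        print(diagnose(inspect_saml_response(resp), [VPN_GROUP]))
```

Feed it the base64 SAMLResponse captured from a browser trace to see whether the assertion ever contained group values before touching the Fortigate group configuration.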

Comments: 125
@ludapebe 5 months ago
Hi. I have a problem with the client. The log shows a problem connecting to the server, error 6500.
@JamesNationMusic 3 months ago
Dude thank you! One thing to note is that you don't need the quotes anymore on 7.2.8 firmware.
@joshpark1 2 years ago
I've been poring over the config documents from both the Azure and Fortigate side for about a week preparing to get it done this week. Always helpful to see someone actually do it though, and I'm really happy you left the troubleshooting in there. Invaluable! Liked and subscribed sir, thank you!
@wanikatoon9614 2 years ago
Once we've integrated with Azure AD, do I always need to enter a username and password? Can you make it remember the username after choosing SAML login?
@kento6909 1 year ago
At about kzbin.info/www/bejne/pHWrY6qsq8p_qKs, you copied the FQDN, but where should I get the FQDN in Fortigate from? I've been trying to set up this configuration since yesterday but am still stuck along the way. Please help!! Kento from Japan.
@denmanfite3156 1 year ago
Great video. Really enjoyed how you showed the whole process including the small issues you ran into.
@kwm1985 1 month ago
Thank you very much for this video. I had an issue with the step where I had to set up the custom "username" claim attribute on the Azure side, and the documentation and other tutorials don't clearly state what to do there.
@gdhomy2009 3 months ago
Where did you get the gateway address to put in the browser and FortiClient?
@la08 1 year ago
Fantastic! One question: there seems to be a limitation on 7.0.9 when adding multiple SAML servers to a group. Is there a way around this without recreating the same firewall policies for different SAML servers?
@GraniteDan 1 year ago
Add multiple groups to the firewall policy.
@la08 1 year ago
@GraniteDan Tried this, the issue is the same. Not able to add 2 different user groups (referencing two different SAML servers) to a firewall policy.
@michaelramirez9378 1 year ago
Thank you for creating this content Dan. Great video and instructions. It was incredibly helpful.
@philipdefeo9586 2 years ago
This is great, thank you! Can you share the process for creating the SSL cert via Let's Encrypt?
@abdallahezat8604 1 year ago
Great sharing.
@CrvTEC916 3 years ago
Great, thank you! This works out perfectly!! Multiple groups with different access, and I was also able to configure access to go over a S2S VPN as well.
@GraniteDan 3 years ago
Glad it helped!
@wascarreyes01 2 years ago
Hey David, how did you configure S2S VPN with SAML?
@tommaor2094 10 months ago
Can I use a self-signed certificate for Azure SAML?
@stevencamacho4280 2 years ago
Top notch demonstration. I'll be implementing this soon and this video is a great resource to have.
@sacoderch30 2 years ago
Great video! I am using it in version 6.2.9 too.
@PapaEnColere 3 years ago
Thanks, I've been working on this since yesterday, and always get stuck on the same problem. When I do a "diagnose debug application sslvpn -1" on my Fortigate, I think the problem is right there: "[349:root:8f4]fsv_saml_login_response:477 No group info in SAML response.". I've recreated my claim, double (if not triple) checked my group IDs... but the problem seems to be that no group information is sent from Azure AD.
@GraniteDan 3 years ago
It certainly sounds that way. Have you assigned groups to the application? If you would like we may be able to communicate directly over email to discuss your claim configuration etc. My email is dparr@granite-it.net.
@GraniteDan 3 years ago
As per our email conversation I am pasting here to benefit the community. I have also added it to the video description. No group info in SAML response: Azure Active Directory limits the number of groups it will emit in a token to 150 for SAML assertions and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted and a link to the Graph endpoint to obtain group information is included instead. So, you need to use the option "groups assigned to the application" under User attributes and claims | Add a group claim.
@_retrogamer999 3 years ago
Absolute genius. Straightforward and easy to follow.
@garnetprince6199 3 years ago
Awesome video, 100% :)
@d4nielcui 11 months ago
It's a great tutorial. By the way, I found an error "Invalid HTTP request" when I tested. Could you advise, Dan? Thank you!
@AmitKhandelwal23 2 years ago
Thanks a ton for the great Video. Each and every step in detail.
@GraniteDan 2 years ago
Very glad you found this helpful.
@williamschubach5324 3 years ago
On a FGT 40F I don't get a user found in the Azure AD group; how does one troubleshoot group translation?
[215:root:2b]sslvpn_validate_user_group_list:1786 validating with SSL VPN authentication rules (1), realm ((null)).
[215:root:2b]sslvpn_validate_user_group_list:1801 checking rule 1 cipher.
[215:root:2b]sslvpn_validate_user_group_list:1809 checking rule 1 realm.
[215:root:2b]sslvpn_validate_user_group_list:1820 checking rule 1 source intf.
[215:root:2b]sslvpn_validate_user_group_list:1859 checking rule 1 vd source intf.
[215:root:2b]sslvpn_validate_user_group_list:2178 rule 1 done, got user (0:0) group (1:0) peer group (0).
[215:root:2b]sslvpn_validate_user_group_list:2506 got user (0:0), group (2:0) peer group (0).
[215:root:2b]sslvpn_update_user_group_list:1734 got user (0:0), group (2:0), peer group (0) after update.
[215:root:2b][fsv_found_saml_server_name_from_auth_lst:121] Found SAML server [ssl-azure-saml] in group [AAD-VPN_users]
__samld_sp_create_auth_req [387]:
@sokoculz 2 months ago
Thanks bro
@elcioluizjunior 2 years ago
Not working here, my VPN portal does not redirect to Microsoft; if I access the SAML address I get remote/saml/login invalid http request.
@em7yn 2 years ago
Can this be done without running a domain for our SSL cert? I.e., running a cert to our public IP? We have no internal DNS, so setting this up would be difficult for an FQDN.
@thom12345100 10 months ago
Thank you Dan! I was able to set up the same within 1.5 hours thanks to your vid. If anyone cares: if using a FIDO2 key (passwordless), you have to select the option in the FortiClient VPN profile to authenticate using the browser.
@TheSuperscalar 2 years ago
Is SSL VPN Azure SAML supported on smart devices such as mobile and tablet?
@WReaume 1 year ago
Great vid. My free Azure account would not allow me to add groups to the Fortigate SSL enterprise app thingy in Azure, only users. But you could kick it a bit on the login and could eventually get to the SSL portal. Thanks for the useful video and info. Make more vids!
@nimesis124 2 years ago
Hi Dan, my Fortinet is running in AWS and I want to connect with Azure the same as in this video. Do I need to allow any ports in Azure and AWS, and vice versa?
@rajsyed729 2 years ago
Great work Dan. Is it possible to allow guest access to the VPN? I am trying to use Azure B2B cross-tenant collaboration and want to allow guest accounts to authenticate using their own email addresses.
@cloudmasterlive 2 years ago
Thank you for this video. It was a pleasure to watch. Just one question here: there was no prompt for MFA. How does that work? How can I set that up if I want my users to receive an OTP/notification to be able to connect to the VPN? Please help.
@n2sport1 1 year ago
Do you need separate fortigate ssl vpn enterprise apps for separate fortigate firewalls?
@franckymetal 1 year ago
Good morning Dan, really nice video and well explained. I was just wondering: in the SSL settings, in the Authentication/Portal Mapping, if I create a mapping to a new portal for Azure and I also have a mapping for a group of local users of the FW to connect to the full-access portal, for example, when my users with a local account connect to the FW via FortiClient, will they get the Azure window as well? I would like to keep these users connecting without the Azure portal, but also have some groups get the Azure window.
@peterliu5296 2 years ago
Great video. Really informative, well organized and detailed. Thanks for sharing. Would like to see more uploads from you.
@Wickerdrummer 2 years ago
Hello, thank you for this video. I have a question: is 7.0 required to use this feature, or does it work on 6.0? Can I use this type of authentication to grant internet access based on a web filtering profile?
@عصامالعتيبي-ض9ك 2 years ago
Do you have a video explaining integrating FG with ADFS using SAML?
@asherxtn 2 years ago
Thanks, great video. I was stuck when I forgot to add the new group to my existing policy, then I found your video at 29:06. Strange that it wouldn't even let you sign in without a policy.
@KhanhNguyen-fp8xs 3 years ago
Well done Dan :D
@benj6675 2 years ago
When trying to import the remote certificate to the Fortigate I get the error "Basic constraints is absent for cert". Anyone else ever had that issue?
@jaspreetmangat834 2 years ago
One of the best Fortigate SSL VPN integration with Azure AD using SAML tutorials.
@attiland56 1 year ago
Best content on the subject I have come across in months. Thank you
@KK-po5hm 2 years ago
Dan, do you provide consulting services?
@ferasawwad71 2 years ago
Hello, do you have paid developer services? Are you a company?
@raulkamal9178 2 years ago
Excellent video. Thanks for all your help!
@billbaltas4674 2 years ago
Thanks for posting this. This really helped me.
@eduarmoran 2 years ago
Excellent video Dan! Thank you so much
@jafrujafru 2 years ago
Very informative. Thank you
@francoiscoulon2879 3 years ago
Hello, for several weeks I have struggled to get it working... I get this famous "Invalid HTTP request" every time I go to the SAML login URL. Tested almost everything, upgraded to 6.4.7.... any hint?
@GraniteDan 3 years ago
Unfortunately I don't have much to go on there. What SAML Login URL do you mean, is it the Fortigate SSL VPN Web Portal or somewhere else?
@jorgegarcia-6981 2 years ago
Excellent work, thank you very much!
@alfredosantos-es7002 2 years ago
Hello, great video and solution. I have 5 Windows domains and 5 Fortigates. All 5 ADs are synchronized with one MS365 tenant. Does this solution work in this architecture? Thanks in advance. AS
@simabaptiste1133 2 years ago
It works, yes.
@nature0893 10 months ago
Thank you for the video
@kichak99 2 years ago
Thanks, great detailed video
@decosion5498 7 months ago
Very nice explanation
@afdadfasfafdsa 3 years ago
About "**Note: It seems the Documentation from Fortinet has been taken down Please find this link to an alternate PDF copy of the doc (See pg 140):", please can you share the .pdf, as the new link is not working?
@GraniteDan 3 years ago
docs.fortinet.com/document/fortigate-public-cloud/6.4.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-web-mode-with-azure-ad-acting-as-saml-idp
@robdax3122 2 years ago
Hi Dan, this video is very helpful, but I missed the MFA part. If I am not wrong, you didn't configure it. I can see that the system asked for a username and password, but not a second factor (multi-factor or two-factor) authentication. No token or OTP of any sort.
@GraniteDan 2 years ago
Rob, thanks. I didn't get into MFA other than maybe mentioning it. Azure AD handles the MFA side of things: if you have MFA enabled either per user or via conditional access, you will get prompted for MFA just like you would when logging into M365 or any other app.
@thenetworkarchitectchannel 3 years ago
GraniteDan, professionally done. I enjoyed watching. Do you have any thoughts on timer adjustments? I had heard that when you go SAML it is recommended to also adjust timers.
@GraniteDan 3 years ago
I set the remote auth timeout to 90 seconds some time ago. It may have been a recommendation by Duo when we used them. It has worked well for us. I have also set up other environments with 60 second timeouts for remote auth with no major issue. It is really just buying time for folks to dig their phone out and respond to the MFA challenge.
@frietjesate6288 3 years ago
My comprehension of client certificates is limited, so bear with me. I have Azure SAML working thanks to your tutorial. Now I want to add client certificates to include company-owned devices only. Is this possible? I've tried Azure Conditional Access with the Hybrid Azure Joined devices restriction, but it does not seem supported in FortiClient (unsupported browser error). Is it just a matter of adding 'set ca' and 'set subject' to 'edit "ssl-azure-saml"'?
@GraniteDan 3 years ago
Sorry for the delay; I am not sure if you have gotten to the bottom of this. The client certificate requirement is set up in the SSL VPN settings on the Fortigate. I would check the documentation around using client certificates, but this article might also start you down the right road... packetplant.com/fortigate-ssl-vpn-and-2fa-using-certificate-and-username/
@yhonattans.youngd.8454 3 years ago
Thank you
@GraniteDan 3 years ago
No problem. I looked for this solution for a long time. Once I got it working I had to share the solution with others.
@pjassal79 3 years ago
Does this also work with IPsec?
@dodonohoe30 2 years ago
Great content Dan. For my understanding, could someone give me the high-level sequence of events here, in terms of the token / authentication flow mechanism?
@nimesis124 2 years ago
I am not able to import the Azure AD certificate into the Fortigate via remote certificate. I am using a Fortigate evaluation license.
@GraniteDan 2 years ago
I do not know if this would be a limitation of the evaluation license or not. Validate that you are downloading the correct version of the certificate. Do you get an error? Is the option not there?
@lalitjoshi8032 11 months ago
Great Content...
@amiryousry 3 years ago
I would like to thank you for this amazing video. Really helpful
@GraniteDan 3 years ago
I am very glad that you enjoyed it
@grokit 3 years ago
Hello Dan, great tutorial. If I enabled 2FA in Office 365 for those users, would that also work with the FortiVPN client? That is, would I be able to set up 2FA without the need for my own RADIUS server? Dan
@GraniteDan 3 years ago
Hello Grokit, yes, this is the beauty of setting up the Fortigate SSL VPN to use Azure AD MFA. Users get a seamless single sign-on experience, and the MFA solution extends to both this application and any other registered enterprise applications you set up in Azure AD.
@uligeitz5283 2 years ago
Great Job!
@Spele10 3 years ago
Very good and useful video. Thank you very much
@GraniteDan 3 years ago
Glad it was helpful!
@JanisJaunosans 1 year ago
noice!
@markb81 3 years ago
Thanks for taking the time to provide this great guide
@GraniteDan 3 years ago
My pleasure!
@Heineken1712 2 years ago
Hi, does anyone know if you can apply Azure 2FA like this to authenticate against FG SSL VPN?
@GraniteDan 2 years ago
That is exactly what the video shows you how to do.
@Heineken1712 2 years ago
@GraniteDan I only see Azure authentication with username/password. But I'm new to Azure; I probably don't fully understand the 2FA process of Azure. AFAIK you need to accept the 2FA, e.g. on your phone. The login procedure on the SSL VPN doesn't show a page where it is waiting for acceptance of the 2FA.
@GraniteDan 2 years ago
@Heineken1712 MFA is wholly managed by Azure AD. When it is enabled either per user or by conditional access and you are authenticating with Azure AD via SAML, the user will receive the MFA prompts just as they do when logging into any Office 365 cloud apps etc.
@a2045125 3 years ago
Hi, could you please tell me how to modify the countdown time when the login page appears? My login page has only 10s. (In your video it is 60s.)
@GraniteDan 3 years ago
From the CLI issue the following command:
config system global
    set remoteauthtimeout
end
@a2045125 3 years ago
@GraniteDan Thanks a lot! It works!
@arunlals1781 3 years ago
Using an Azure AD Free license, can we configure SAML to authenticate Fortigate SSL VPN?
@GraniteDan 3 years ago
I am fairly certain that you are able to set up 10 enterprise apps for SSO with the free license, so your Fortigate SSL VPN could be one of these. But I would strongly recommend that you validate that info with Microsoft. Here is some additional MS documentation: docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal
@KhanhNguyen-fp8xs 3 years ago
Yes, you can. And with some advanced config on Azure, we can force users to use the VPN passwordless, with FIDO2 or Microsoft Authenticator on your own.
@jdmarchand 3 years ago
Not with a conditional access rule; it requires a P1 licence. It will work without it, but you wouldn't be compliant.
@mehdit3300 3 years ago
@jdmarchand How could we force MFA without using a Conditional Access rule that requires a P1 license?
@thisismeisthatyou2319 3 years ago
Great tutorial :) Helped me understand a lot. 2 questions: 1. In what case would you integrate this WITH FortiAuthenticator? 2. Can you use a private CA that all devices using the VPN have as a trusted CA, or must it be public?
@GraniteDan 3 years ago
Hey there, for the first question I am uncertain when you would integrate this with FortiAuthenticator. I don't use FortiAuthenticator, and wanted to set this up so that I could secure our remote access VPNs while maintaining a single MFA provider and maximizing the benefits of our Azure AD subscription. As for your second question, I expect that as long as your clients trust the certificate you are using on your Fortigate you should be able to use a private CA. I have not done this, but it would stand to reason that it should work.
@vinisantos. 2 years ago
One of the reasons you would integrate this with FortiAuthenticator is if you have multiple FortiGates in your environment, for example. FortiAuthenticator can centralize all your users (and respective FortiTokens, if any) and provide the same kind of access to multiple devices in your network. Without a FAC in this scenario, you'd have to replicate the configuration to all FortiGates. And yes, you can use self-signed certificates just fine; they're just not as secure.
@nielstaildeman 2 years ago
@GraniteDan Is it possible to use the Azure SAML as an identity agent to use in policies? (Like FSSO enables with on-prem AD?)
@dondbg3751 3 years ago
Thank you - is this supported only on ver 7.x?
@GraniteDan 3 years ago
The Fortinet doc I used is from ver 6.2; I am not sure if it goes back any further than that. I only used 7.0 in my lab to be able to take advantage of the new features for Let's Encrypt certificates.
@dondbg3751 3 years ago
@GraniteDan I had to use FAC to get this going - and MFA works as well...
@grokit 3 years ago
@dondbg3751 Hello Don, I am interested in the way you implemented 2FA. What does "FAC" mean? And do you have any kind of pointer to some more documentation? That would be great. Regards, Dan
@wascarreyes01 2 years ago
How can I have redundancy with SAML?
@GraniteDan 2 years ago
What sort of redundancy are you looking for?
@wascarreyes01 2 years ago
@GraniteDan We have multiple interfaces configured on the SSL VPN; the question really is, should I create two instances in Azure AD as well?
@GraniteDan 2 years ago
@wascarreyes01 I don't believe this would be required if all of the users exist in the same Azure AD. You should be able to set up a single server and then allow specific groups.
@wascarreyes01 2 years ago
@GraniteDan What if my firewall's public IP goes down?
@GraniteDan 2 years ago
@wascarreyes01 If your public IP goes down then your users probably won't be able to connect to the SSL VPN. For that level of redundancy you could look at multiple connections, SD-WAN, and some load balancing for the FQDN that users are connecting to.
@buttsaabgreat 2 years ago
How did you create the "VPNCert" certificate in the Fortinet local certificates?
@OmayioMicahKing 3 years ago
@GraniteDan, what if I am using a different port other than 443 and also have some realms on my Fortigate, i.e. my current remote gateway URL is: ... How do I configure the SAML Basic Configuration URLs?
@GraniteDan 3 years ago
I don't have experience with realms etc. with SSL VPN. I would recommend reviewing the documentation and possibly engaging support or your SE. If you get to the bottom of this, please let the rest of us know.
@GraniteDan 2 years ago
Micah, today I was reviewing the release notes of FortiClient 7.0.1 and it seems to indicate that realms are not supported when using SAML authentication. Maybe next version...