I recently had a requirement to allow a few accounts remote access to a server via RDP for support purposes. I elected to use a Fortinet FortiGate firewall with an SSL VPN portal linked via SAML to Azure AD.
This gives the benefit that users can log on with their Azure AD account, and you can enforce MFA and other conditions via Conditional Access.
This guide covers the steps I followed. The screenshots are taken from a FortiGate firewall running v7.0.1, but I have tested v6.4.6 and it is pretty much the same and works fine on that release for both physical and virtual models. Earlier versions may work too, but I have not personally tested them.
Azure AD User(s) and Group
- If the user(s) who will be using the SSL VPN portal don’t already exist, create them.
- You will also need to create a group and add the user(s) who will be using the SSL VPN portal as members.
- After your group is created, take a note of its “Object id” as you will need it later.
Creating an Azure AD application
The first thing we need to do is create an Enterprise Application within the Azure AD subscription, as this is what the SAML requests will authenticate against.
- Log on to your Azure portal and open the Azure Active Directory blade
- Click “Enterprise Applications” on the left
- Click “New application”
- Search for “Fortigate” and select the “FortiGate SSL VPN” template.
- Give your application a name and press “Create”
Getting your FortiGate SSL VPN URL
- On your FortiGate firewall VPN => SSL-VPN Settings
- Make sure “Enable SSL-VPN” is on.
- Make sure your “Listening on (interfaces)” is set as required. Port 1 is generally the outside, internet-facing interface.
- Take a note of the “Web mode access will be listening at” URL as we will need this in the next section.
- If you have a DNS name pointing to the public IP address of the SSL portal you can use that instead, but you will still need the port (if it is not 443).
- e.g. https://188.8.131.52:10443 can become https://aRecord.mydomain.com:10443 if you have the DNS records set up.
Configuring the Azure AD application
After your new application is created (this can take a few seconds) you will be redirected to your application’s settings page. If not, you can search for your application’s name in the Enterprise Applications blade.
- Click “Setup single sign on”
- Click the “SAML” option
- Click the edit item for Section 1 “Basic SAML Configuration” and set these values:

| Setting | Value |
|---|---|
| Identifier (Entity ID) | https://<myforti.com>:<port>/remote/saml/metadata/ |
| Reply URL (Assertion Consumer Service URL) | https://<myforti.com>:<port>/remote/saml/login/ |
| Sign on URL | https://<myforti.com>:<port>/remote/login |
| Relay State | Leave blank |
| Logout URL | https://<myforti.com>:<port>/remote/saml/logout/ |

- Replace <myforti.com> with the external, public-facing IP address or DNS name of your firewall.
- Replace <port> with the port number set in the “SSL-VPN Settings” section of your FortiGate.
- For “Identifier (Entity ID)” and “Reply URL (Assertion Consumer Service URL)” tick the Default check box on the right. Click Save.
Section 1 should now look like this.
- Click the edit button for Section 2 “User Attributes & Claims”
- Click “Add new claim”
- Name: username
- Source: Attribute
- Source attribute: user.userprincipalname
- Click Save
- Click “Add new group claim”
- Select “All groups”
- Select the “Customize the name of the group claim” check box.
- Name: group
- Click Save
The “Single sign on” section 2 for your application should now look like this.
Giving permissions to your application
In the “Users and groups” section for your Enterprise Application, add the group you created at the start of this guide.
Collecting the details needed for the FortiGate setup
As mentioned in the “User and Groups” section above, you will need your group’s “Object id”.
In the “Single sign-on” section for your Azure AD application you will need to download the “Certificate (Base64)” from section 3.
In the “Single sign-on” section for your Azure AD application you will need to copy the “Login URL”, “Azure AD Identifier” and “Logout URL” from section 4.
FortiGate Config – Uploading your application certificate
- Log on to your FortiGate firewall and head to System => Feature Visibility
- Make sure “Certificates” is set to On
- Head to System => Certificates
- Select Import => Remote Certificate
- Upload the certificate for your Azure AD application that you downloaded previously.
- The certificate will be imported at the very bottom in the “Remote Certificates” section. Unless you already have others, it will get the name “REMOTE_Cert_1”. Make a note of the name as we will need it later.
FortiGate Config – SAML Setup
I don’t believe we can currently use the GUI for this part so either SSH into your firewall or use the “CLI Console” icon in the top right.
Run these commands, substituting your own values (<tenant-id> stands for the tenant-specific part of the URLs you copied from section 4):

    config user saml
        edit "AZURE-SAML"
            set cert "ServerCertificateName"
            set entity-id "https://<myforti.com>:<port>/remote/saml/metadata/"
            set single-sign-on-url "https://<myforti.com>:<port>/remote/saml/login/"
            set single-logout-url "https://<myforti.com>:<port>/remote/saml/logout/"
            set idp-entity-id "https://sts.windows.net/<tenant-id>/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
            set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
            set idp-cert "REMOTE_Cert_1"
            set user-name "username"
            set group-name "group"
        next
    end

| Value | Meaning |
|---|---|
| AZURE-SAML | A display name. If you intend to have more than one SSL Portal linked to SAML, consider adding the application name. |
| ServerCertificateName | The name of the “Server Certificate” on your FortiGate under VPN => SSL-VPN Settings |
| entity-id | The URL you entered as the “Identifier (Entity ID)” when setting up the “Basic SAML Configuration” of the application |
| single-sign-on-url | The URL you entered as the “Reply URL” when setting up the “Basic SAML Configuration” of the application |
| single-logout-url | The URL you entered as the “Logout URL” when setting up the “Basic SAML Configuration” of the application |
| idp-entity-id | The “Azure AD Identifier” you copied from section 4 when setting up single sign-on for your application |
| idp-single-sign-on-url | The “Login URL” you copied from section 4 when setting up single sign-on for your application |
| idp-single-logout-url | The “Logout URL” you copied from section 4 when setting up single sign-on for your application |
| REMOTE_Cert_1 | The name that was assigned when you imported your application’s certificate into your FortiGate |
| user-name, group-name | The claim names (“username” and “group”) you set in section 2 “User Attributes & Claims” |
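As an added example (not part of the original guide, and not Fortinet's or Microsoft's code), the following Python derives the FortiGate SAML block from the values collected above and cross-checks them against what was entered in Azure AD's “Basic SAML Configuration”, since a Service Provider URL that differs between the two sides is the usual reason the login fails. It assumes the SP paths and IdP URL patterns shown in the guide; the host, port and tenant id used when calling it are constructed.

```python
# Added example, not from the guide: derive the FortiGate 'config user saml' block
# from the values collected above and cross-check them against what was entered in
# Azure AD's "Basic SAML Configuration". Assumes the SP paths and IdP URL patterns
# shown in the guide; any host, port and tenant id passed in are constructed values.
SP_PATHS = {
    "entity-id": "/remote/saml/metadata/",
    "single-sign-on-url": "/remote/saml/login/",
    "single-logout-url": "/remote/saml/logout/",
}
# How Azure AD labels the same three values in Section 1 of the SAML setup.
AZURE_LABELS = {
    "entity-id": "Identifier (Entity ID)",
    "single-sign-on-url": "Reply URL (Assertion Consumer Service URL)",
    "single-logout-url": "Logout URL",
}

def sp_urls(host, port):
    """Service-provider URLs the FortiGate expects, trailing slash included."""
    return {key: f"https://{host}:{port}{path}" for key, path in SP_PATHS.items()}

def idp_urls(tenant_id):
    """IdP values Azure AD shows in Section 4: Azure AD Identifier, Login URL, Logout URL."""
    return {
        "idp-entity-id": f"https://sts.windows.net/{tenant_id}/",
        "idp-single-sign-on-url": f"https://login.microsoftonline.com/{tenant_id}/saml2",
        "idp-single-logout-url": f"https://login.microsoftonline.com/{tenant_id}/saml2",
    }

def fortigate_cli(name, server_cert, host, port, tenant_id, idp_cert,
                  user_claim="username", group_claim="group"):
    """Render the CLI block from the guide with the values substituted."""
    settings = {"cert": server_cert, **sp_urls(host, port), **idp_urls(tenant_id),
                "idp-cert": idp_cert, "user-name": user_claim, "group-name": group_claim}
    lines = ["config user saml", f'    edit "{name}"']
    lines += [f'        set {key} "{value}"' for key, value in settings.items()]
    lines += ["    next", "end"]
    return "\n".join(lines)

def azure_mismatches(azure_section1, host, port):
    """Compare the Section 1 values with the FortiGate SP URLs. They must agree
    exactly; a trailing slash that is present on one side only breaks the login."""
    problems = []
    for key, expected in sp_urls(host, port).items():
        got = azure_section1.get(AZURE_LABELS[key], "")
        if got != expected:
            hint = " (trailing slash differs)" if got.rstrip("/") == expected.rstrip("/") else ""
            problems.append(f"{AZURE_LABELS[key]}: got {got!r}, expected {expected!r}{hint}")
    return problems
```

Paste the rendered block into the CLI console, and run `azure_mismatches` with the three values copied from the Azure portal before you start debugging on the firewall.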
FortiGate Config – Mapping local group to the Azure AD group
- Select Users & Authentication => User Groups
- Click “Create New”
- Name: Set as the same as the group name created in Azure AD
- In the “Remote groups” section click “Add”
- Remote Server: Select the SAML connection name you used (“AZURE-SAML” in the example above)
- Groups: Specific
- Group Name: paste in the group’s “Object id” copied at the start of this guide.
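The remote group is matched against the “group” claim in the assertion, and Azure AD fills that claim with group Object ids, which is why the Object id (not the display name) goes in “Group Name”. As an added example (not part of the original guide), the following Python parses the attribute statement of a constructed, trimmed assertion shaped like the one the claims above produce and applies the same matching rule; the user, Object ids and display name in it are made up.

```python
# Added example, not from the guide: extract the "username" and "group" claims
# from a SAML assertion and apply the remote-group match the FortiGate performs.
# The assertion below is constructed and trimmed (no Signature, Conditions, etc.).
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: one user, member of two groups. Azure AD emits group
# Object ids as the values of the custom-named "group" claim.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>support.user@mydomain.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs

def matched_user_group(assertion_xml, user_attr, group_attr, remote_group_name):
    """Mimic the FortiGate remote-group rule: user_attr/group_attr are the
    'user-name' and 'group-name' settings, remote_group_name is the configured
    'Group Name'. The user lands in the local group only on an exact value match."""
    attrs = saml_attributes(assertion_xml)
    user = (attrs.get(user_attr) or [None])[0]
    return user, remote_group_name in attrs.get(group_attr, [])
```

A display name such as “SSLVPN-Users” in “Group Name” never matches, because it is not among the claim values.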
FortiGate Config – Firewall Policy
Note: If you have more than one SSL Portal, the order of the firewall rules becomes important, as users will be mapped to the first portal where the conditions are met.
- Navigate to Policies & Objects => Firewall Policy
- Click “Create new”
- Name: Something descriptive
- Incoming Interface: Your SSL-VPN tunnel interface
- Outgoing Interface: Your inside interface if you wish to access service(s) on the inside
- Source: Your SAML group and either all or specific IP source(s)
- Destination: The service(s) you want to access
- Services: Services to allow. I only need RDP
FortiGate Config – Timeouts
You may not need this, but to be sure I increased the timeouts with the commands below:

    config system global
        set remoteauthtimeout 180
    end
    config vpn ssl settings
        set login-timeout 180
    end
FortiGate Config – Creating an SSL Portal
- Navigate to VPN => SSL-VPN Portals
- Click “Create New”
- Give it a name
- Turn off tunnel mode (unless you need it)
- Set the required options and bookmarks
FortiGate Config – User to SSL Portal Mapping
- Navigate to VPN => SSL-VPN Settings
- At the very bottom click “Create new” in the “Authentication/Portal Mapping” section
- Add a rule to map your group to your portal
Visit your SSL VPN URL and you should see a “Single Sign-On” button. Press it and you should either be signed in automatically or be prompted for your Azure AD credentials.
You should then be directed to the correct SSL portal.
Useful debug commands

    diag debug reset
    diag debug console timestamp enable
    diag debug app sslvpn -1
    diag debug app samld -1
    diag debug enable