FortiAuthenticator-6.4.0-SAML 2FA Interoperability Guide

SAML 2FA Interoperability Guide
FortiAuthenticator 6.4.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdoc@fortinet.com
January 10, 2022

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide
23-640-742675-20220110
TABLE OF CONTENTS
Change Log 4
About this Guide 5
FortiAuthenticator setup 6
Initial setup 6
System settings 7
DNS 7
Configure the FQDN 7
Configuring the remote LDAP authentication server 7
Importing a remote LDAP user and registering a token 8
Creating a realm for the remote LDAP server 9
Configuring SAML settings 10
Configuring FortiAuthenticator as an identity provider (IdP) 10
Configuring FortiAuthenticator SP settings 11
FortiGate 13
Creating a new SAML user and server 14
Applying the SAML server to proxy authentication 15
Configuring ZTNA access proxy to allow SAML authentication requests to SP 16
Configuring VIP and firewall policy to forward IdP authentication traffic to
FortiAuthenticator 18
Examples 20
Applying SAML and 2FA to ZTNA HTTPS access proxy example 21
Applying SAML and 2FA to a ZTNA TCP forwarding access proxy for RDP
connections example 23
Applying SAML and 2FA to a ZTNA SSH access proxy example 25
FortiManager 28
Create a FortiManager administrator account 28
Configure the FortiManager as an SP 28
Results 29
FortiAnalyzer 30
Create a FortiAnalyzer administrator account 30
Configure the FortiAnalyzer as a SAML SP 30
Results 31
Third-party Service Provider 32
FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 3

Fortinet Technologies Inc.
Change Log
Date Change Description
2022-01-10 Initial release.

About this Guide
About this Guide
The purpose of this guide is to aid in the configuration of Security Assertion Markup Language (SAML) authentication
using FortiAuthenticator for Fortinet solutions.
Testing was performed with the following product versions:
l FortiAuthenticator 6.4.0
l FortiGate 7.0.1
l FortiManager 7.0.1
l FortiAnalyzer 7.0.1

FortiAuthenticator setup
This section includes configuration information for the FortiAuthenticator. Any deviations from this configuration will be
detailed in the relevant section. For more information on the setup and configuration of the FortiAuthenticator, see the
FortiAuthenticator Administration Guide on the Fortinet Docs Library.
This section includes the following information:
l Initial setup on page 6
l System settings on page 7
l Configuring the remote LDAP authentication server on page 7
l Importing a remote LDAP user and registering a token on page 8
l Creating a realm for the remote LDAP server on page 9
l Configuring SAML settings on page 10
Initial setup
Upon initial deployment, the FortiAuthenticator is configured to the following default settings:
Port 1 IP: 192.168.1.99
Port 1 Netmask: 255.255.255.0
Default Gateway: 192.168.1.1
These settings can be modified by configuring a PC to an address on the same subnet and accessing the GUI via
https://192.168.1.99/. Alternatively, you can configure these settings using the CLI.
To configure basic settings using the CLI:
1. Connect the management computer to the FortiAuthenticator using the supplied console cable.
2. Log in to the FortiAuthenticator unit using the default credentials below:
Username: admin
Password: <blank>
You will be prompted to change and confirm your new password.
3. Configure the network settings as required, for example:
config system interface
edit port1
set ip <ip-address>/<netmask>
set allowaccess https-gui https-api ssh
next
end
config router static
edit 0
set device port1
set dst 0.0.0.0/0
set gateway <ip-gateway>
next
end

Substitute your own desired FortiAuthenticator IP address and default gateway. This will give you access to the GUI
through the specified IP address.
For more information on FortiAuthenticator initial setup, see the FortiAuthenticator Administration Guide in the Fortinet
Document Library.
System settings
Once the initial setup of the FortiAuthenticator is complete, further configuration can be performed through the GUI.
DNS
To enable resolution of the FortiGuard network and other systems such as NTP servers, set your DNS to your local or
ISP nameserver configuration via Network > DNS.
Configure the FQDN
You can configure the FQDN for the FortiAuthenticator from the System Information widget in System > Dashboard.
Click the edit icon next to Device FQDN to open the Edit Device FQDN window, enter a name for Fully qualified domain
name, and click OK.
Configuring the remote LDAP authentication server
To configure a new remote authentication server pointing to the Windows Active Directory:
1. Go to Authentication > Remote Auth. Servers > LDAP and select Create New.
The Create New LDAP Server window opens.
2. In the Create New LDAP Server window:
a. Enter a name, IP address, and port for the LDAP server.
b. In the Base distinguished name field, enter the full base dn for the LDAP server in the format:
DC=example,DC=com.
c. Select the Bind type as Regular, and enter a username and password.
d. In the Query Elements pane, select Group attribute for the Obtain group memberships from toggle, and keep
the default values for the following fields:
i. User object class
ii. Username attribute
iii. Group object class
iv. Group membership attribute
e. Enable Secure Connection, and select either the LDAPS or STARTTLS protocol.

3. Click OK to save changes to the LDAP server.
To import remote LDAP users:
1. In the LDAP tab, under Remote Auth. Servers, select the LDAP server that you created and click Edit.
2. In the Remote LDAP Users pane, select Import users from the Username dropdown and click Go.
The Import Remote LDAP Users window opens.
3. In the Import Remote LDAP Users window, select your users and click OK to import.
Importing remote LDAP users may take time depending on the number of users being
imported.
4. Click OK to save changes.
Importing a remote LDAP user and registering a token
Registering FortiToken
In order to test two-factor authentication, a token is required. The configuration instructions included in this guide use
FortiToken.
For security reasons, a token can only be automatically registered from the FortiGuard
network a single time. If you need to register it a subsequent time, please contact Fortinet
support.

To register a FortiToken:
1. Go to Authentication > User Management > FortiTokens, and select Create New.
2. Select the Token type and enter the FortiToken Serial number or Activation code. Click OK.
Once registered, tokens will be displayed with an Available status.
To edit an imported remote LDAP user to use two-factor authentication:
1. Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, and double-click a
user to edit it.
2. Go to the User Information pane and enter an email address.
The email address will be used for FortiToken mobile activation.
3. Enable One-Time Password (OTP) authentication, and select Deliver token code by FortiToken Mobile.
Select FortiToken Mobile added earlier from the relevant dropdown menu.
4. Set the Activation Delivery method to Email.
The activation information is sent to the user via the email address provided here.
5. Click OK to save changes to the remote user.
An activation email is sent to the email address specified in the Email field under the User Information pane.
6. Open the email to complete the activation and install the token to the FortiToken Mobile app.
To import remote LDAP users, see Importing remote LDAP users.
Creating a realm for the remote LDAP server
To create a realm for the remote LDAP authentication server:
1. Go to Authentication > User Management > Realms, click Create New.

2. Enter a name for the realm.
The realm name may only contain letters, numbers, periods, hyphens, and underscores. It
cannot start or end with a special character.
3. Select the previously created remote LDAP server for the realm from the User source dropdown.
See Configuring the remote LDAP authentication server on page 7.
4. Click OK to create the new realm.

Configuring SAML settings
The following section includes information on how to configure the FortiAuthenticator as the SAML IdP. In addition to the
IdP settings, SAML SP settings must be configured on the FortiAuthenticator for each SAML SP device.
This section includes the following instructions:
1. Configuring FortiAuthenticator as an identity provider (IdP) on page 10
2. Configuring FortiAuthenticator SP settings on page 11
Configuring FortiAuthenticator as an identity provider (IdP)
To configure FortiAuthenticator as the SAML IdP:
1. Go to Authentication > SAML IdP > General.
Device FQDN can be configured from the System Information widget in System
> Dashboard > Status. See Configure the FQDN on page 7.
2. Enable SAML Identity Provider portal, and enter the following information:
l Server address: Enter the device FQDN or the IP address of the IdP FortiAuthenticator.
Here the Server address is fac.fortidemo.fortinet.com.

l Username input format: Select the default username input format.
The default is username@realm.
l Realms: Select the LDAP realm created earlier.
Optionally, for group filtering, enable Filter, click the pen icon to edit, select groups from the Available User
Groups search box, and click OK.
l Default IdP certificate: Select a certificate to use in your SAML configuration.
The certificate is used in the https connection to the IdP portal.
3. Click OK to complete.
Once the IdP has been configured, you can proceed with setting up the service provider(s) of your choice.
In addition to configuring the SAML IdP settings, you will also need to select and export the default IdP certificate for use
on the service providers.

To export the IdP certificate:
1. Go to Certificate Management > End Entities > Local Services.

2. Select the certificate used in the SAML IdP and click Export Certificate.
Configuring FortiAuthenticator SP settings
In order to complete the following configuration, you will need to configure the SAML settings on the SP device at the
same time. This is because some fields including the SP entity ID, SP ACS URL, and SP SLS URL are only available
when configuring the SAML settings on the SP device.
To configure service provider settings on the FortiAuthenticator:
1. Go to Authentication > SAML IdP > Service Providers, and click Create New.
2. Enter the following information:
l SP name: Enter a name for the SP device. Here, the SP name is Enterprise Core.
l IDP prefix: Select +, enter an IdP prefix in the Create Alternate IdP Prefix dialog, and click OK. Here, the IdP
prefix is ztna.
l Server certificate: Select the same certificate as the default IdP certificate used in Authentication
> SAML IdP > General.

l Enable Participate in single logout to send logout requests to this SP when the user logs out from the IdP.
l Authentication method: Select an authentication method. Here, Every configured password and OTP factors
is selected.
3. Click Save.
4. The details for following settings are available when configuring the service provider device (e.g. FortiAnalyzer or
FortiGate).
l SP entity ID: For instance, here, the SP entity ID-
https://entcore.fortidemo.fortinet.com:20443/ztna/saml/metadata/.
l SP ACS (login) URL: For instance, here, the SP ACS (login) URL-
https://entcore.fortidemo.fortinet.com:20443/ztna/saml/login/.
l SP SLS (logout) URL: For instance, here, the SP SLS (logout) URL-
https://entcore.fortidemo.fortinet.com:20443/ztna/saml/logout/.
SP entity ID, SP ACS (login) URL, and SP SLS (logout) URL must match their respective
configurations on the service provider device side, e.g., FortiGate.
See Creating a new SAML user and server on page 14.
5. Click OK.

6. Select and click Edit to edit the recently created SP.

7. In Assertion Attributes, select Add Assertion Attribute:
a. Enter a name for the SAML attribute.
b. Select Username from the User attribute dropdown.
In the setup above:

l entcore.fortidemo.fortinet.com- FQDN that resolves to the FortiGate SP.
l 20443- Port used to map FortiGate SAML SP service.
l /ztna/saml- Custom user defined fields.
l /metadata, /login, /logout- Standard convention used to identify the SP entity, login, and logout
portal.

FortiGate
FortiGate
Before proceeding, ensure that system settings are up to date. See System settings on page
7.
The FortiGate appliance is the Gateway to your network, therefore, securing remote access, whether to the appliance
itself (administration) or the network behind it (VPN), is critical.
FortiOS supports native two-factor authentication using FortiToken, however, to use two-factor authentication on
multiple FortiGate devices, you should use a FortiAuthenticator to enable strong authentication.
SAML is used for exchanging authentication and authorization data between an identity provider (IdP) and a service
provider (SP), such as Google Apps, Office 365, and Salesforce. FortiAuthenticator can be configured as an IdP,
providing trust relationship authentication for unauthenticated users trying to access an SP.
One advantage of SAML authentication is that two-factor authentication can be provided by the SAML Identity Provider
(IdP).
This chapter demonstrates using FortiAuthenticator as the IdP and applying 2FA to user authentication for remote users
accessing Web, RDP, and SSH resources over the Zero-trust network access (ZTNA) Access Proxy.
Topology
In this topology, FortiAuthenticator integrates with Active Directory on the Windows Domain Controller, which is also
acting as the EMS server. Users are sync’d from the AD to FortiAuthenticator, and the remote users are configured with
token-based authentication. SAML authentication is configured on the FortiGate, pointing to the FortiAuthenticator as
the SAML IdP. The SAML server is applied to the ZTNA Access Proxy authentication scheme and rule to provide the
foundation for applying user authentication on individual ZTNA rules.
On the FortiGate, a SAML user is used to define the SAML SP and IdP settings. The SAML user is then applied to the
ZTNA proxy using authentication scheme, rule and settings.
For end users to reach the FortiGate SP’s captive portal, a ZTNA server is created to access the SAML SP service.
Finally, the SAML user needs to be added to a ZTNA rule to trigger authentication when accessing the ZTNA access
proxy.
This chapter assumes that the FortiGate EMS fabric connector is already successfully
connected.

FortiGate
To configure two-factor authentication using FortiAuthenticator:
1. Configuring FortiAuthenticator as a remote authentication LDAP server, importing remote LDAP user with 2FA, and
setting up a realm:
a. Configuring the remote LDAP authentication server on page 7
b. Importing a remote LDAP user and registering a token on page 8
c. Creating a realm for the remote LDAP server on page 9
2. Configuring a SAML IdP and a service provider:
a. Configuring FortiAuthenticator as an identity provider (IdP) on page 10
b. Configuring FortiAuthenticator SP settings on page 11
3. Configuring the FortiGate SAML related settings:
a. Creating a new SAML user and server on page 14
b. Applying the SAML server to proxy authentication on page 15
c. Configuring ZTNA access proxy to allow SAML authentication requests to SP on page 16
d. Configuring VIP and firewall policy to forward IdP authentication traffic to FortiAuthenticator on page 18
Also, see the example implementations.
Creating a new SAML user and server
To create a new SAML user and server from the CLI:
1. Enter the following commands to create a SAML user object:

config user saml
edit "su-ztna"
set cert "FortiDemo"
set entity-id "https://entcore.fortidemo.fortinet.com:20443/ztna/saml/metadata/"
set single-sign-on-url
"https://entcore.fortidemo.fortinet.com:20443/ztna/saml/login/"
set single-logout-url
"https://entcore.fortidemo.fortinet.com:20443/ztna/saml/logout/"
set idp-entity-id "http://fac.fortidemo.fortinet.com/saml-idp/ztna/metadata/"
set idp-single-sign-on-url "https://fac.fortidemo.fortinet.com/saml-
idp/ztna/login/"
set idp-single-logout-url "https://fac.fortidemo.fortinet.com/saml-
idp/ztna/logout/"
set idp-cert "REMOTE_Cert_1"
set user-name "username"
set digest-method sha1
next
end
In the above CLI commands:

l The cert FortiDemo is a local certificate is used to sign SAML messages exchanged between the client and
the FortiGate SP. In this case, it is used to sign entcore.fortidemo.fortinet.com.
l The cert REMOTE_Cert_1 is a remote certificate used to identify the IdP, which in this case is
fac.fortidemo.fortinet.com.

FortiGate
l The URLs used in the SAML user settings are the same ones defined on the FortiAuthenticator. See
Configuring FortiAuthenticator SP settings on page 11.
2. Enter the following commands to add the SAML user object to a new user group:
config user group
edit "ztna-users"
set member "su-ztna"
next
end
Applying the SAML server to proxy authentication
To apply the SAML server to proxy authentication:
1. Enter the following commands to apply the SAML server to an authentication scheme:
config authentication scheme
edit "saml-scheme"
set method saml
set saml-server "su-ztna"
next
end
2. Enter the following commands to apply the authentication scheme to an authentication rule:
config authentication rule
edit "saml-rule"
set srcintf "any"
set srcaddr "all"
set ip-based disable
set active-auth-method "saml-scheme"
set web-auth-cookie enable
next
end
3. Enter the following command to configure the active-auth-scheme and the captive portal:
config firewall address
edit "entcore.fortidemo.fortinet.com"
set type fqdn
set fqdn "entcore.fortidemo.fortinet.com"
next
end
config authentication setting
set active-auth-scheme "saml-scheme"
set captive-portal "entcore.fortidemo.fortinet.com"
end
The captive portal is used to serve the login page for the SAML requests.

FortiGate
Configuring ZTNA access proxy to allow SAML authentication

requests to SP
Besides configuring the captive portal in the proxy authentication settings, you must also
publish the SAML SP URLs through the ZTNA access proxy.
To configure the ZTNA server:
1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Click Create New.
The New ZTNA Server window opens.
3. In the New ZTNA Server window, enter the following information:
l Name: Enter a name for the server. Here, the Name is ZTNA-access.
l Service: The service is already set to HTTPS.
l External interface: From the dropdown, search for an external interface. Here any is selected.
l External IP: Enter an external IP address.
l External port: Enter an external port number. Here, the External port is 20443.
l Default certificate: From the dropdown, search for a default certificate. Here the Default certificate is
FortiDemo.
4. Click OK to continue.
To map the access-proxy configurations to the SAML server from the CLI:
config firewall access-proxy

edit "ZTNA-access"
config api-gateway

FortiGate
edit 1
set service samlsp
set saml-server "su-ztna"
next
end
next
end
To define the ZTNA rule to allow access to the ZTNA server:
1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
2. Click Create New.
The New ZTNA Rule window opens.
3. In the New ZTNA Rule window, enter the following information:
l Name: Enter a name for the rule. Here, the Name is ZTNA-Rule.
l Source (Address): Select a source address. Here, the Source(Address) is all.
l Source (User): Select a user source. Here, the Source(User) is ztna-users.
l ZTNA Server: From the dropdown, select the ZTNA server. Here, the ZTNA Server is the previously created
server ZTNA-access.
l Action: Select an action. Here, Accept is selected.
To define a firewall policy to forward traffic to the Access Proxy VIP:
1. Go to Policy & Objects > Firewall Policy and click Create New.
The New Policy window opens.

FortiGate
2. In the New Policy window, enter the following information:

l Name: Enter a name for the firewall policy. Here, the policy name is ZTNA Policy.
l ZTNA: Enable ZTNA and select Full ZTNA.
l Incoming Interface: Select an incoming interface. Here, any is selected.
l Source: Select a source. Here, all is selected.
l ZTNA Sever: Select a ZTNA server. Here, the previously created ZTNA-access server is selected.
l Schedule: From the dropdown, set the schedule. The schedule is set to always.
l Service: Select a service. The service is set as ALL.
l Action: Select an action. The action is set as Accept.
l NAT: Enable and select NAT.
Configuring VIP and firewall policy to forward IdP authentication

traffic to FortiAuthenticator
Remote clients connect to the FortiAuthenticator IdP behind the FortiGate using a VIP. Here, users connect to the FQDN
fac.fortidemo.fortinet.com, which resolves to the external IP address of the VIP.

FortiGate
To configure VIP to forward traffic to FortiAuthenticator:
1. Go to Policy & Objects > Virtual IPs.

2. From the Create New dropdown, select Virtual IP.
The New Virtual IP window opens.
3. In the New Virtual IP window, enter the following information:
l VIP type: Select IPv4.
l Name: Enter a name for the Virtual IP. Here, the name is FortiAuthenticator.
l Interface: Select an interface. The interface used here is any.
l External IP address: Enter an external IP address.
l Map to IPv4 address/range: Enter the IPv4 address/range to map to.
l Port Forwarding: Enable port forwarding.
l Protocol: Select a protocol. Here, TCP is selected.
This field appears only when Port Forwarding is enabled.
l External service port: Enter an external service port. Here, the port is 443.
l Map to IPv4 port: Enter an IPv4 port to map to. Here, the port is 443.
To configure a firewall policy to allow VIP:
1. Go to Policy & Objects > Firewall Policy and click create new.
The New Policy window opens.
2. In the New Policy window, enter the following information:
l Name: Enter a name for the firewall policy. Here, the policy name is WAN to FAC.
l ZTNA: Disable ZTNA.
l Incoming Interface: Select an incoming interface. Here, any is selected.
l Outgoing Interface: Select an outgoing interface. Here, any is selected.

FortiGate
l Source: Select a source. Here, all is selected.

l Destination: Select a destination. Here, the destination is FortiAuthenticator. See Configuring VIP and firewall
policy.
l Schedule: From the dropdown, set the schedule. The schedule is set to always.
l Service: Select a service. The service is set as ALL.
l Action: Select an action. The action is set as Accept.
l NAT: Disable NAT.
l Click OK to save changes.
This completes the authentication settings for FortiGate to provide SAML two-factor authentication.
Examples
1. Applying SAML and 2FA to ZTNA HTTPS access proxy example on page 21
2. Applying SAML and 2FA to a ZTNA TCP forwarding access proxy for RDP connections example on page 23

FortiGate
3. Applying SAML and 2FA to a ZTNA SSH access proxy example on page 25
Applying SAML and 2FA to ZTNA HTTPS access proxy - example
In this HTTPS access proxy example, two real servers are implemented with round robin load balancing performed
between them.
The HTTPS access proxy is configured on the same ZTNA server as was configured in the authentication step. The
same ZTNA rule and firewall policy also apply. See Configuring ZTNA access proxy to allow SAML authentication
requests to SP on page 16.
To configure the ZTNA server for HTTPS access proxy with load balancing:
1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
2. Edit the ZTNA-access server.
3. In the Service/server mapping table, click Create New:
a. Set Virtual Host to Any Host.
b. In the Servers table click Create New:
i. Set IP to 10.100.77.200.
ii. Set Port to 443.
iii. Set Status to Active.
iv. Click OK.
c. Create a second server with IP 10.100.77.202.
d. Click OK.
4. Click OK.
The default load balancing algorithm is round-robin.
Testing and verification:
From the remote endpoint, user John Locus attempts to connect to the Finance server over ZTNA:
1. On the remote Windows computer, open FortiClient and register to the EMS server.
2. Open a browser and attempt to connect to the web server at https://ztna.fortidemo.fortinet.com:20443.
3. Device authentication prompts the user for their device certificate. Select the certificate issued by EMS and click
OK.
4. FortiGate receives the SAML request and redirects the user to the IdP login screen. Enter the username and
password for John Locus and click Login.
5. A second prompt opens asking for the Token Code. Enter the code then click Verify.
6. The FortiAuthenticator IdP verifies the login, then sends the SAML assertion back to the user.
7. The browser redirects the assertion to the FortiGate SP, which decides if the user is allowed access.
8. On a successful log in, FortiGate redirects the user to the web page that they are trying to access.
Logs and debugs:
On the FortiGate, a successful connection can be seen in Log & Report > Forward Traffic log, or by using the CLI:
# execute log filter category 0
# execute log filter field srcip 10.100.66.103
# execute log display

FortiGate
...
1: date=2021-08-25 time=23:34:15 eventtime=1629959656098675227 tz="-0700"
logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root"
srcip=10.100.66.103 srcport=51341 srcintf="port1" srcintfrole="wan"
dstcountry="Reserved" srccountry="Reserved" dstip=10.100.77.202 dstport=443
dstintf="root" dstintfrole="undefined" sessionid=3396047 srcuuid="d8dd134a-0517-51ec-
2ff0-3032b84564e7" service="HTTPS" proto=6 action="accept" policyid=1
policytype="proxy-policy" poluuid="256bb090-0518-51ec-f431-5dcc0baa725b"
policyname="ZTNA-Rule" duration=16 user="johnlocus" group="ztna-users" wanin=2837
rcvdbyte=2837 wanout=1495 lanin=2581 sentbyte=2581 lanout=5505 appcat="unscanned"
2ff0-3032b84564e7" service="HTTPS" proto=6 action="accept" policyid=1
policytype="proxy-policy" poluuid="256bb090-0518-51ec-f431-5dcc0baa725b"
policyname="ZTNA-Rule" duration=5 user="johnlocus" group="ztna-users" wanin=2837
rcvdbyte=2837 wanout=1546 lanin=1576 sentbyte=1576 lanout=1033 appcat="unscanned"
...
2ff0-3032b84564e7" service="tcp/20443" proto=6 action="accept" policyid=41
policytype="policy" poluuid="256d6bd8-0518-51ec-7b6a-18df00b82da3" policyname="ZTNA
Policy" duration=1 user="johnlocus" authserver="su-ztna" wanin=0 rcvdbyte=0 wanout=0
lanin=14246 sentbyte=14246 lanout=993 appcat="unscanned"
Log number four shows that the session was first allowed through the ZTNA firewall policy. Log numbers one and two
show the traffic allowed through the ZTNA proxy-policy over two successive sessions. Note that they have different
destination IP addresses (dstip), indicating that ZTNA was performing server load balancing.
Use the following command to show if the FortiGate's WAD process has an active record of the SAML user login:
# diagnose wad user list
ID: 6, VDOM: root, IPv4: 10.100.66.103

user name : johnlocus
worker : 0
duration : 611
auth_type : Session
auth_method : SAML
pol_id : 1
g_id : 3
user_based : 0
expire : 283
LAN:
bytes_in=38016 bytes_out=16166
WAN:

FortiGate
Applying SAML and 2FA to a ZTNA TCP forwarding access proxy for RDP
connections - example
In this TCP forwarding access proxy example, RDP connections are allowed to be forwarded to the Windows/EMS
server.
Traffic to TCP/3389 is allowed through the ZTNA proxy.
To configure the ZTNA server for TCP forwarding on TCP/3389:
1. Create a firewall address for the Windows/EMS server:

a. Go to Policy & Objects > Addresses and click Create New > Address.
b. Configure the following:
Name EMS-Server
Type Subnet
IP/Netmask 10.100.88.5/32
Interface any
c. Click OK.
2. Add new server mappings to the existing access proxy configurations:
edit "ZTNA-access"
config api-gateway
edit 3
set url-map "tcp"
set service tcp-forwarding
config realservers
edit 1
set address "EMS-Server"
set mappedport 3389
set type tcp-forwarding
next
end
next
end
next
end
Testing and verification
On the remote endpoint, manually configure ZTNA connection rules to forward RDP traffic to the ZTNA access proxy.
The rules can also be pushed from the EMS server; for details see Provisioning ZTNA TCP forwarding rules via EMS.
To configure the ZTNA connection rule:
1. On the remote Windows computer, open FortiClient.

2. Register to the EMS server.
3. On the ZTNA Connection Rules tab, click Add Rule to add a TCP forwarding rule.

FortiGate
4. Configure the following:
Rule Name RDP-server
Destination Host 10.100.88.5:3389
Proxy Gateway ztna.fortidemo.fortinet.com:20443
Mode Transparent
Encryption Disabled
Encryption can be enabled or disabled. When it is disabled, the client to
access proxy connection is not encrypted in HTTPS. Because RDP is
encrypted by default, disabling Encryption does not reduce security.
5. Click Create.
To connect over RDP:
1. On the remote PC, open a new RDP connection.

2. Enter the IP address 10.100.588.5. By default, RDP session use port 3389.
When the connection to the ZTNA access proxy is established, FortiGate will redirect the SAML login request to the
FortiAuthenticator IdP.
A FortiClient prompt will open with the FortiAuthenticator login screen.
3. Enter the username and password then click Login.
4. A second prompt opens asking for the Token Code. Enter the code from your FortiToken app, then click Verify.
5. FortiAuthenticator verifies the token code, determines if the login is successful, then sends the SAML assertion
back to the client.
6. The client redirects the response back to the FortiGate SP.
7. If the log in was successful, the user can now log on to the RDP session.
Logs and debugs
#execute log filter category 0
...
2ff0-3032b84564e7" service="RDP" proto=6 action="accept" policyid=1 policytype="proxy-
policy" poluuid="256bb090-0518-51ec-f431-5dcc0baa725b" policyname="ZTNA-Rule"
duration=8 user="johnlocus" group="ztna-users" wanin=0 rcvdbyte=0 wanout=0 lanin=1444
sentbyte=1444 lanout=665 appcat="unscanned"

FortiGate

#diagnose wad user list
ID: 6, VDOM: root, IPv4: 10.100.66.103

worker : 0
duration : 611
auth_type : Session
auth_method : SAML
pol_id : 1
g_id : 3
user_based : 0
expire : no
LAN:
WAN:
Applying SAML and 2FA to a ZTNA SSH access proxy - example
In this SSH access proxy example, SSH connections can be forwarded to the web server.
To configure the ZTNA server for SSH access proxy:
1. Create a firewall address for the web server:

a. Go to Policy & Objects > Addresses and click Create New > Address.
b. Configure the following:
Name Web-Server1
Type Subnet
IP/Netmask 10.100.77.101/32
Interface any
c. Click OK.
2. Add new server mappings to the existing access proxy configurations:
edit "ZTNA-access"
config api-gateway
edit 3
config realservers

FortiGate
edit 1
set address "Web-Server1"
set mappedport 22
set type ssh
next
end
next
end
next
end
Testing and verification
On the remote endpoint, manually configure ZTNA connection rules to forward SSH traffic to the ZTNA access proxy.
The rules can also be pushed from the EMS server; for details see Provisioning ZTNA TCP forwarding rules via EMS.
To configure the ZTNA connection rule:
1. On the remote Windows computer, open FortiClient.

2. Register to the EMS server.
3. On the ZTNA Connection Rules tab, click Add Rule to add a TCP forwarding rule.
4. Configure the following:
Rule Name SSH-webserver
Destination Host 10.100.77.101:22
Proxy Gateway ztna.fortidemo.fortinet.com:20443
Mode Transparent
Encryption Disabled
5. Click Create.
To connect over SSH:
1. On the remote PC, open a new SSH connection.

2. Enter the host root@10.100.77.101 on port 22.
When the connection to the ZTNA access proxy is established, FortiGate will redirect the SAML login request to the
FortiAuthenticator IdP.
A FortiClient prompt will open with the FortiAuthenticator login screen.
3. Enter the username and password then click Login.
4. A second prompt opens asking for the Token Code. Enter the code from your FortiToken app, then click Verify.
5. FortiAuthenticator verifies the token code, determines if the login is successful, then sends the SAML assertion
back to the client.
6. The client redirects the response back to the FortiGate SP.
7. If the log in was successful, the user can now log on to the SSH session.
Logs and debugs

FortiGate
# execute log filter category 0

...
2ff0-3032b84564e7" service="SSH" proto=6 action="accept" policyid=1 policytype="proxy-
policy" poluuid="256bb090-0518-51ec-f431-5dcc0baa725b" policyname="ZTNA-Rule"
duration=1 user="johnlocus" group="ztna-users" wanin=39 rcvdbyte=39 wanout=0 lanin=1444
sentbyte=1444 lanout=726 appcat="unscanned"

# diagnose wad user list
ID: 6, VDOM: root, IPv4: 10.100.66.103

worker : 0
duration : 192
auth_type : Session
auth_method : SAML
pol_id : 1
g_id : 3
user_based : 0
expire : 475
LAN:
WAN:

FortiManager
FortiManager
Before proceeding, ensure that you have configured SAML settings on the FortiAuthenticator.
See Configuring SAML settings on page 10.
To configure FortiManager as a service provider:
1. Create a FortiManager administrator account.

2. Configure FortiManager as the SAML SP.
3. Review results.
Create a FortiManager administrator account
Create an administrator account on FortiManager that matches a user on the FortiAuthenticator.
To create an administrator account on FortiManager:
1. Go to System Settings > Admin > Administrators, and click Create New.
2. Configure the administrator account settings, and click OK.
Configure the FortiManager as an SP
To configure the FortiManager as a service provider:
1. Go to System Settings > Admin > SAML SSO.

2. In the Single Sign-On Settings window, Select Service Provider (SP) as the Single Sign-On Mode.
l Server Address: Enter the IP address of the FortiManager.
l Default Login Page: Select Normal.
l IdP Type: Select Fortinet.
l IdP Address: Enter the IP address of the IdP FortiAuthenticator.
l Prefix: Enter the prefix that was created during SP configuration on FortiAuthenticator.
l IdP Certificate: Import and select the certificate that was chosen during FortiAuthenticator setup.
4. Select OK.
The following settings are required for service provider configuration on FortiAuthenticator.
l SP Entity ID
l SP ACS (Login) URL
l SP SLS (Logout) URL

FortiManager
Results
When the administrator visits the SP IP address of FQDN, they will see an additional option on the login screen to sign in
using SSO.

FortiAnalyzer
FortiAnalyzer
Before proceeding, ensure that you have configured SAML settings on the FortiAuthenticator.
See Configuring SAML settings on page 10.
To configure FortiAnalyzer as a service provider:
1. Create a FortiAnalyzer administrator account.

2. Configure the FortiAnalyzer as a SAML SP.
3. Review results.
Create a FortiAnalyzer administrator account
Create an administrator account on FortiAnalyzer that matches a user on the FortiAuthenticator.
To create an administrator account on FortiAnalyzer:
1. Go to System Settings > Admin > Administrators, and click Create New.
2. Configure the administrator account settings, and click OK.
Configure the FortiAnalyzer as a SAML SP
In order to complete the following configuration, you will need to simultaneously configure the SAML SP settings on the
FortiAuthenticator. This is because some fields required for configuring SP settings on the FortiAuthenticator are only
available when configuring the SAML settings on the FortiAnalyzer.
See Configuring FortiAuthenticator SP settings on page 11.
To configure the FortiAnalyzer as a service provider:
1. Go to System Settings > Admin > SAML SSO.

2. Select Service Provider (SP) as the Single Sign-On Mode.
l Server Address: Enter the IP address of the FortiAnalyzer.
l Default Login Page: Select Normal.
l IdP Type: Select Fortinet.
l IdP Address: Enter the IP address of the IdP FortiAuthenticator.
l Prefix: Enter the prefix that was created during SP configuration on FortiAuthenticator.
l IdP Certificate: Import and select the certificate that was chosen during FortiAuthenticator setup.

FortiAnalyzer
4. Select OK.
Make note of the following settings, as they are required during SP configuration on
FortiAuthenticator.
l SP Entity ID
l SP ACS (Login) URL
l SP SLS (Logout) URL
Results
When the administrator visits the SP IP address of FQDN, they will see an additional option on the login screen to sign in
using SSO.

Third-party Service Provider
Third-party Service Provider
After completing FortiAuthenticator setup, please consult the vendor's documentation for information about configuring
your third-party device as a SP.
Most third-party SP configurations require the following information:
l A public certificate from the IdP to validate signature.
The signature is stored on the SP side and used when a SAML response arrives.
l The ACS URL from the SP where SAML responses are posted.
l The IdP Sign-in URL where SAML requests are posted.

www.fortinet.com
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FortiAuthenticator-6.4.0-SAML 2FA Interoperability Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiAuthenticator-6.4.0-SAML 2FA Interoperability Guide

Uploaded by

Copyright:

Available Formats

SAML 2FA Interoperability Guide

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

January 10, 2022

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 3

Date Change Description

2022-01-10 Initial release.

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 4

About this Guide

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 5

To configure basic settings using the CLI:

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 6

Configure the FQDN

Configuring the remote LDAP authentication server

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 7

3. Click OK to save changes to the LDAP server.

To import remote LDAP users:

4. Click OK to save changes.

Importing a remote LDAP user and registering a token

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 8

To edit an imported remote LDAP user to use two-factor authentication:

Creating a realm for the remote LDAP server

To create a realm for the remote LDAP authentication server:

1. Go to Authentication > User Management > Realms, click Create New.

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 9

Configuring SAML settings

Configuring FortiAuthenticator as an identity provider (IdP)

To configure FortiAuthenticator as the SAML IdP:

1. Go to Authentication > SAML IdP > General.

Here the Server address is fac.fortidemo.fortinet.com.

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 10

To export the IdP certificate:

1. Go to Certificate Management > End Entities > Local Services.

Configuring FortiAuthenticator SP settings

To configure service provider settings on the FortiAuthenticator:

> SAML IdP > General.

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 11

6. Select and click Edit to edit the recently created SP.

In the setup above:

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 12

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 13

To configure two-factor authentication using FortiAuthenticator:

Creating a new SAML user and server

To create a new SAML user and server from the CLI:

1. Enter the following commands to create a SAML user object:

In the above CLI commands:

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 14

Applying the SAML server to proxy authentication

To apply the SAML server to proxy authentication:

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 15

Configuring ZTNA access proxy to allow SAML authentication

To configure the ZTNA server:

l Service: The service is already set to HTTPS.

l External IP: Enter an external IP address.

config firewall access-proxy

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 16

To define the ZTNA rule to allow access to the ZTNA server:

To define a firewall policy to forward traffic to the Access Proxy VIP:

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 17

2. In the New Policy window, enter the following information:

Configuring VIP and firewall policy to forward IdP authentication

FortiAuthenticator 6.4.0 SAML 2FA Interoperability Guide 18