Hey everybody. Today we're going to be looking at SAML and using SAML to authenticate with Entra ID on a Fortigate. If you're new here, I'm Gregabyte and I talk all things networking and security. Right now I've been focusing a lot on Fortigate.

Recently I was talking with a customer who's used SAML for their SSL VPN but was interested in enabling it for their security fabric. Right now they're utilizing the IDP feature and wanted to move that to an external IDP up in Entra ID. So they wanted to make that switch, but weren't certain how that was going to play out. I dug into some of the docs. It wasn't entirely clear, and I figured I had all the parts, so I'd put it together, and I want to take you along with me.

When we were discussing this, a big thing that came to mind for this client, as well as myself, was: how is it going to react if the connection to SAML goes down? Say the internet just goes down and I need to get into the Fortigate locally. If I tried to force everything up into SAML and have it be completely SSO seamless, how do I have that fallback if the connection breaks? So I dug into that. We'll talk about that, as well as how to just make things a little easier.

For this I'm using my Fortigate 60F and I'm running 7.2.8 on FortiOS. So I'm here inside of my 60F. I've got Security Fabric and Fabric Connectors open. I'm going to get a security fabric setup. I don't have myself set up in any sort of security fabric, so I'll keep myself in standalone mode, and I'm going to go to the single sign-on settings. We're going to be using service provider, because we want to send it off to somebody else. For SP address, I'm just going to leave this at my local IP address; you can set that to something else, but that's what I'm going to do. We're not going to use a certificate, because Entra ID, or Azure AD, you know, doesn't use that. I am going to keep the normal login page, which is going to start me at the Fortigate, and I can show you the difference between that and the single sign-on as we go along. I will swap over super_admin to admin_no_access. That is going to actually deny me access and require that somebody give me access after logging in for the first time. It's good for initial login, so that way we can kind of monitor that type of access.

So within here, I can drop down my SP details and the IDP settings. Here we are going to go custom. I'll have to import a certificate, and then we'll have to verify these different line items here. So I'm going to keep this open and we'll swap over to Azure AD, Entra ID. We've got enterprise applications. We're going to start a new application, and I'm going to create my own application. We'll just call this Azure-SAML-FortiGate-Login, and we'll hit create. So I'm just going to follow along here. We'll assign a user to this. Then we'll go to single sign-on. We'll select SAML. We'll edit this basic configuration and the entity ID. The reply URL is going to be the ACS sign-on URL, and the sign out. We'll hit save. We'll test in a little bit here,
but we first want to add in a different attribute. So we'll add a new claim. That's going to be username, and this will be user.userprincipalname. We'll save, and then we can go back. The last thing we need to do inside of here is first download the base64 certificate, and then we're going to copy over this login URL, Entra identifier and logout URL. They're in a little bit of a different setup than what we've got in here. So I'll paste these in: the identifier, and logout. Then for the certificate we're going to have to import one, so we'll select the one we just downloaded and import it. It'll first show up as just remote cert one, or remote cert whatever number, and I'll show you in a second how to rename that. Select it. Select OK. And now that should be set up.

So to test that out, we'll go over to my user account and we'll refresh this. We see "Sign in with Security Fabric" or "Login locally with username". I can do either. I'm going to sign in with Security Fabric. I'm already logged in, so I didn't get any type of login page. I just got, "Hey, an administrator account has been created for greg@gregabyte.io, and it's got restricted access. It needs to get granted." So I'll select sign out. I'll go back to my other window. If I go to System, Administrators, I'll see that greg@gregabyte.io has been created with admin_no_access. So we'll double click into him and change his access over to super_admin. Now that we've got that, we can swap back over, and if I try to log in with Security Fabric this time, I should get logged in and have full rights. All right. There we go: full access.

Now we'll change over the default login page from the normal Fortigate login to the single sign-on page. If we hover over this little eye here, we'll see that that is going to be the normal login page with an SSO option, or automatically redirect to the IDP's SSO login page. So we'll switch over to single sign-on. Hit OK. Then we'll go back to our other window and refresh and get logged in. So now that I've gone to the IP address of my firewall, I get sent over here automatically. We'll select greg@gregabyte.io, and again I'm logged in. But I never saw a login page for Fortinet.

So let's test out what happens when I'm logged out of the firewall, log in to something else with Microsoft (we'll just go to Office.com), and then eventually go over to my Fortigate again and see what that process is like. So we can see that I never saw a login page. It automatically did the SAML magic in the background and got me access into the Fortigate automatically.

So a big question for me when I was looking into this was, how is this going to react if and when the internet has outages? I've switched it back to the normal login, which should always be fine, because there's always that option to type in a username, but we'll test that out first, and then we'll go back, flip it again back to single sign-on, and see how it reacts. So we'll go and turn off my WAN 1. Now that I've lost access to the internet, let's go try and log in again. If we refresh this, we'll see we still have the option of "Sign in with Security Fabric". If we select that, this is obviously going to spin here because we can't connect over there, which is what I would expect to happen. I'm more curious here as to what's going to happen when we re-enable the SSO login. Will it fall back to give you the option to log in locally? So if we go back to Security Fabric, I set this to be single sign-on and select OK. Let's switch back over here and attempt to log in. So we do see that
if we try and log in with SAML just through the IP address, it's going to try and push us over automatically. So your fallback option in this instance is to go to the IP address and slash login. If you're using a port, you'll still want to do that as well, but I've just got it on the default 443. That will give you the option to either still sign in via SAML or use a local username and password. So I'll use my fallback, and I can still get in. But that's why you would need to have some type of local login with a fallback, hopefully with, you know, that free FortiToken for MFA.

So if I go and turn our internet back on, we'll have to give it a minute, I'm sure. But if I log out here and go back to the login page, let's see how that runs. So it looks like even when things are running fine, you can always fall back to the login page if you need to use a local username and password. Using the default as the SSO login is going to automatically push you over. That is going to create a much better user experience, since you won't have to click more buttons, and it may just be a seamless process because you're already logged in. But it does run the risk that, if you're in an instance where you've lost access to SAML or it breaks, in some cases you're going to have to remember to fall back to the /login page.

All right, so the last thing I'm going to do is quickly show you how to change the name on the certificate that you uploaded. The reason I do this is because I, while testing this out, selected the wrong one, because they were both named very similar names, and that obviously breaks things. So if we go over to System, Certificates, we'll see a whole bunch of different certificates. But down here, under Remote Certificate, you'll see that we've got the remote cert one, and it was remote cert two for the other one. But I have since renamed it to Azure_SAML_SSLVPN because I didn't want to get confused again. You'll notice, though, that we cannot actually edit the name of this certificate. So the way that we can do that is going to be in the CLI. If we do "config vpn certificate remote" and then "show", we can see the two different certs that we have here. What we can do is rename remote cert 1 to, and I'll name it, Azure_SAML_Admin_Login. So now we can see I have them defined as an SSL VPN certificate and the admin login certificate. Now if I refresh this, we'll see that that has been renamed. If we go check back inside of our fabric setup, we'll see that it has renamed this certificate.

So that's it. That's how you use SAML to log into your Fortigate, and what to do if potentially your connection goes down. I've linked some helpful articles down below, so go check those out, and let me know if there are use cases that I missed. Thanks again and we'll see you soon.
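For reference, here is the FortiOS CLI equivalent of the GUI settings walked through above, including the certificate rename and the admin_no_access default profile. This is an added example, not from the video or from Fortinet's documentation; the firewall IP, the Entra tenant ID and the certificate names are placeholders you replace with your own, and the Entra URLs follow the standard pattern you copy from the enterprise application's SAML page.

```text
# Added example (not the video's own config). Placeholders:
#   192.0.2.1      the FortiGate's local IP used as the SP address
#   <TENANT-ID>    the Entra ID tenant GUID from the SAML page
#   REMOTE_Cert_1  the auto-generated name of the imported IdP cert;
#                  check it with "show" before renaming

# Rename the imported Entra certificate first so it cannot be confused
# with the SSL VPN one (the GUI does not allow editing this name).
config vpn certificate remote
    rename "REMOTE_Cert_1" to "Azure_SAML_Admin_Login"
end

# Security Fabric > Single Sign-On settings, service-provider role.
config system saml
    set status enable
    set role service-provider
    # SP address left at the firewall's own IP, as in the video
    set server-address "192.0.2.1"
    set entity-id "http://192.0.2.1/metadata/"
    # "normal" keeps the FortiGate login page with an SSO button;
    # "sso" redirects straight to Entra, and the local fallback is
    # then https://192.0.2.1/login (add :port if not on 443)
    set default-login-page normal
    # new SSO admins get no rights until someone grants them
    set default-profile "admin_no_access"
    # IdP values copied from the Entra enterprise application
    set idp-entity-id "https://sts.windows.net/<TENANT-ID>/"
    set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
    set idp-single-logout-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
    set idp-cert "Azure_SAML_Admin_Login"
end
```

The lines beginning with # are explanatory and are not CLI input, so leave them out when pasting into the console.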