This article describes how to troubleshoot FortiGate admin access configuration with Google SAML authentication.
FortiGate will be acting as the Service Provider (SP) and Google will be acting as the Identity Provider (IdP).
SP: the party that provides the service (the protected resource).
IdP: the party that performs the authentication.
FortiGate admin access SSO is part of the security fabric where the FortiGate can act as SP or IdP for SAML authentication.
In this scenario:
Get FortiGate admin access (SP) and use Google for authentication (IdP).
FortiGate admin access will be configured as SP because FortiGate resources are being accessed.
This configuration can be done from GUI or CLI.
Keep in mind that there are two spots for SAML configuration:
# config system saml    <--- Used as part of the Security Fabric for admin access.
# config user saml      <--- Mainly used for SSL-VPN access.
# config system saml
    set status enable
    set role service-provider
    set default-login-page normal
    set default-profile "admin_no_access"
    set idp-entity-id "https://accounts.google.com/o/saml2?idpid=TENANT_ID"
    set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=TENANT_ID"
    set idp-single-logout-url "https://accounts.google.com/logout"
    set idp-cert "IDP cert from Google"
    set server-address "Your_FGT_AdminAccess_IP_or_FQDN:port"
end
Let’s go through # config system saml CLI settings:
Step 1: Enable it.
set status enable
Step 2: For the role use service-provider, as FortiGate provides the access to the resources.
set role service-provider
Step 3: For the default profile, use only admin_no_access. Any broader profile would be handed to every Google SAML user on their first login; giving them super_admin permissions by default is a bad idea.
set default-profile "admin_no_access"
Step 4: For the default login page, use normal, as it will allow choosing between regular login and SSO login.
set default-login-page normal
On the default login page, SAML authentication is used by selecting Sign in with Security Fabric at the top; for regular authentication, enter the Username and Password below it.
Step 5: IdP links for entity-id, SSO URL, Single logout URL, and IdP cert are required.
set idp-entity-id "https://accounts.google.com/o/saml2?idpid=MY_TENANT_ID"
set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=MY_TENANT_ID"
set idp-single-logout-url "https://accounts.google.com/logout"
set idp-cert "IDP cert from Google"
Step 6: The server address field holds the FortiGate admin-access IP/FQDN and, if needed, the port number.
If the admin port is different from 443, it is necessary to append that port number.
If the default port 443 is used, the server address will be dragon-armor.grakov.lab
If a custom port like 4443 is used, the server address will be dragon-armor.grakov.lab:4443
Here are examples of configured templates.
Template for default port 443:
# config system saml
    set status enable
    set default-profile "admin_no_access"
    set idp-entity-id "https://accounts.google.com/o/saml2?idpid=MY_TENANT_ID"
    set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=MY_TENANT_ID"
    set idp-single-logout-url "https://accounts.google.com/logout"
    set idp-cert "GOOGLE-IDP"
    set server-address "dragon-armor.grakov.lab"
end
Template for the custom admin port 4443:
# config system saml
    set status enable
    set default-profile "admin_no_access"
    set idp-entity-id "https://accounts.google.com/o/saml2?idpid=MY_TENANT_ID"
    set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=MY_TENANT_ID"
    set idp-single-logout-url "https://accounts.google.com/logout"
    set idp-cert "GOOGLE-IDP"
    set server-address "dragon-armor.grakov.lab:4443"
end
If SSL-VPN has been configured, the SSO URL, Single logout URL, Entity ID, and certificate of the Google IdP remain the same and will be used for the admin access configuration.
On the Google IdP side, it will be necessary to add another entry for the FortiGate Admin Access and test it out.
If SSL-VPN has not been configured, the IdP details can be viewed on admin.google.com and the proper values added into the IdP fields of the template.
Go to Security > Authentication > SSO with SAML applications, copy the SSO URL and Entity ID into the template, and download the Certificate.
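The following Python script is an added example (not from the article or from Fortinet). It reads the IdP metadata XML that Google offers for download, extracts the entity ID, the HTTP-Redirect SSO URL and the signing certificate, and renders the article's config system saml template, applying its server-address rule (no :port suffix when the admin port is 443). It also audits an existing block for the points the article insists on: default-profile must stay admin_no_access, and the Google links must not have lost their '?'. The sample metadata, TENANT_ID and the certificate body are constructed placeholders.

```python
"""Added example (not from the article or from Fortinet): build the
'config system saml' block from Google IdP metadata and audit a block
against the article's admin-profile rule."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of the metadata Google offers for download;
# TENANT_ID and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=TENANT_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIB...PLACEHOLDER...==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=TENANT_ID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=TENANT_ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entity ID, HTTP-Redirect SSO URL and base64 signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding", "").endswith("HTTP-Redirect"):
            sso_url = svc.get("Location")
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not (root.get("entityID") and sso_url and cert is not None):
        raise ValueError("metadata lacks entityID, redirect SSO URL or signing cert")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "cert_b64": "".join(cert.text.split())}


def cert_to_pem(cert_b64):
    """Wrap the base64 body as PEM for System > Certificates > Import > Remote Certificate."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def server_address(host, port=443):
    """Article's rule: the :port suffix is only needed when the admin port is not 443."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    return host if port == 443 else f"{host}:{port}"


def render_system_saml(idp, host, port=443, idp_cert_name="GOOGLE-IDP"):
    """Render the article's template; default-profile is pinned to admin_no_access."""
    return "\n".join([
        "config system saml",
        "    set status enable",
        "    set role service-provider",
        "    set default-login-page normal",
        '    set default-profile "admin_no_access"',
        f'    set idp-entity-id "{idp["entity_id"]}"',
        f'    set idp-single-sign-on-url "{idp["sso_url"]}"',
        '    set idp-single-logout-url "https://accounts.google.com/logout"',
        f'    set idp-cert "{idp_cert_name}"',
        f'    set server-address "{server_address(host, port)}"',
        "end",
    ])


SET_LINE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*)"?\s*$')


def audit_system_saml(config_text):
    """Flag settings that would hand every IdP user more than admin_no_access,
    or Google links that lost their '?' when pasted into the CLI."""
    settings = {}
    for line in config_text.splitlines():
        m = SET_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    findings = []
    if settings.get("default-profile") != "admin_no_access":
        findings.append("default-profile is not admin_no_access: every IdP user "
                        "would receive that profile on first login")
    if settings.get("role", "service-provider") != "service-provider":
        findings.append("role should be service-provider for admin access")
    for key in ("idp-entity-id", "idp-single-sign-on-url"):
        if "?" not in settings.get(key, "?"):
            findings.append(f"{key} lost its '?' (pasted without Ctrl+V?)")
    return findings


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print(render_system_saml(idp, "dragon-armor.grakov.lab", 4443))
    print(audit_system_saml('config system saml\n set default-profile "super_admin"\nend'))
```

The rendered text is meant for the GUI Single Sign-On Settings or a configuration restore; if it is typed into an SSH session, the '?' characters still need the Ctrl+V treatment described later in the article. The audit function can be run over the output of show system saml after the paste to confirm nothing was lost.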
Import certificate from the Google IdP into the FortiGate.
Step 1: Go to System > Certificates > Import > Remote Certificate.
Step 2: In the Upload section, choose the certificate downloaded from the Google IdP and select OK.
Step 3: To rename the certificate, open the CLI console:
# config certificate remote
    rename REMOTE_Cert_2 to GOOGLE-IDP
end
Configure from CLI.
Copy and paste the preconfigured template into the FortiGate Firewall via CLI (SSH).
Some of the links contain a special character (the Google IdP links contain '?'), so it is not possible to simply copy/paste the SAML configuration: the CLI treats '?' as a help request, the character is dropped, and the link breaks.
Use an SSH session for this; the trick below does not work in the GUI CLI console.
If the string contains a '?', press Ctrl + V before typing the '?' so the CLI accepts it as a literal character.
Here is an example. The target line is:
set idp-entity-id "https://accounts.google.com/o/saml2?idpid=MY_TENANT_ID"
It is entered as: set idp-entity-id "https://accounts.google.com/o/saml2 <press Ctrl+V, then type ?> and then copy/paste the remainder idpid=MY_TENANT_ID"
Alternatively, correct the missing characters from the GUI (SAML can be configured in the GUI starting from FortiOS 7.0), or simply configure it from the GUI.
Go to Security Fabric > Edit Core Network Security > Single Sign-On Settings and make the proper changes in the strings that are missing characters.
Configure from GUI.
Step 1: Go to Security Fabric > Fabric Connectors > Core Network Security and select edit on Security Fabric Setup.
Step 2: In the Security Fabric Setting, to use SAML for FortiGate admin access, select Single Sign-On Settings.
Step 3: SAML SSO is Disabled by default. Enable it according to the requirement and to how FortiGate admin access is reached (IP address or FQDN).
Step 4: Select Service Provider (SP).
Step 5: In the SP address field correct the IP address or FQDN to use.
By default, it would use the current browser address connected to the FortiGate admin.
If it is accessed via IP address, this IP will be visible, and if it is accessed via FQDN, the FQDN address will be visible.
By default, Default admin profile is set to admin_no_access. Do not change it to a different profile, so that no user from the IdP side automatically becomes an administrator (super_admin, etc.).
Example with custom port 50000:
Configure the IdP side (Google).
Step 1: Once logged into the admin portal (admin.google.com), go to Apps, select Web and mobile apps, select Add app and choose the Add custom SAML app option.
Step 2: In Application details: Give App name and if required Description.
In this example: App name ‘DRAGON-ARMOR FortiGate Admin Access’ and select CONTINUE.
Step 3: In the Google Identity provider details, select CONTINUE as all the necessary links and certificates are already obtained.
Step 4: In the service provider details, copy and paste the ACS URL and Entity ID from the FortiGate. The ACS URL is the same as the FortiGate SP single-sign-on-url.
Step 5: There are two ways to view the SP values:
# config global
# config system saml
# get
Go to Security Fabric > Fabric Connectors > Core Network Security, select edit on Security Fabric Setup.
Select Single Sign-On Settings.
Select SP Details to view values.
Step 6: In attribute mapping details, add the proper mapping. Here is an example to use Primary Email as a username:
Step 7: Select FINISH.
Step 8: Once the configuration is done, the default action for the user access is off for everyone. Select user access and change the service status to ON for everyone and select SAVE.
Step 9: When the admin user tries to log in to the FortiGate unit for the first time, the message 'An SSO administrator account has been created. This account is using a restricted access profile with limited permissions. Additional permission must be granted by the device administrator.' will appear.
Step 10: Then it is necessary to log in with the local admin and make the changes for the SAML admin.
Step 11: The SAML admin will appear under Single Sign-On Administrator with the default profile admin_no_access.
Step 12: Assign the administrator a profile with the proper permissions, for example super_admin.
Step 13: Then try again with SSO SAML Admin.