Microsoft MFA login with Fortigate and Forticlient for SSLVPN

Since I am tired of being a beta tester for Cisco products, I decided to try a different firewall this time around for my company. I looked at both Fortigate and Palo Alto, as they seemed to be the leaders in the market right now. I did a bake-off for features/functionality vs cost and Fortigate came out as the winner. The firewall was implemented with minimal issues and has been working flawlessly for us. While we were on this project we were also in the process of moving to Azure AD, so I decided to combine Microsoft MFA with our new firewall/VPN solution to save ourselves some money, since then we wouldn't need another two-factor solution.

I went through the documentation from Fortigate and Microsoft on setting up the SAML authentication and it was pretty good for the most part. Here is the main document that I followed to get everything set up:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial
I did run into a few issues that I had to fix to get everything working with group memberships, so that users would be able to log in based on their group and would have the correct policy applied to them.

Here are some things to be aware of and the changes I needed to make:

1. You must be on the 6.4.x code for Fortigate. There are issues with the lower code versions where SAML does not work correctly or does not populate the tables with the necessary information.
2. Wipe out all of the extra entries under Users and Attributes Claims in Azure AD. This is all you should have:
[screenshot of the Azure AD Attributes & Claims list]
3. Here is the necessary configuration on the Fortigate side:
config user saml
    edit "azure"
        set cert "Fortinet_Factory"
        set entity-id "https://XXXXXXX/remote/saml/metadata"
        set single-sign-on-url "https://XXXXXX/remote/saml/login"
        set single-logout-url "https://SSSSSSSS/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/6XXXXXXX/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/XXXXX/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
    next
end
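Added example, not code from this post or from Fortinet: a small Python check that reads the SAML response the IdP actually returned (raw XML, or the base64 SAMLResponse taken from a capture or debug log) and lists which of the names given to set user-name and set group-name are absent from it. The sample response below is constructed; the value that matters is whether the Attribute Name in the assertion matches what the Fortigate config expects.

```python
import base64
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real capture): a minimal SAML response carrying
# the two attributes the Fortigate config above maps. Group values are
# made-up object IDs in the shape Azure AD emits for group claims.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The same response as FortiClient or a browser posts it: base64 SAMLResponse.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

def saml_attributes(saml_response: str) -> dict:
    """Return {attribute Name: [values]} from a SAML response given as raw XML
    or as the base64 SAMLResponse form parameter."""
    text = saml_response.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    root = ET.fromstring(text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def check_fortigate_mapping(attrs: dict, user_name="username", group_name="group") -> list:
    """Names from 'set user-name' / 'set group-name' that the assertion does not
    carry; an empty list means the Fortigate mapping matches the IdP claims."""
    return [name for name in (user_name, group_name) if name not in attrs]

if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_RESPONSE_B64)
    print(check_fortigate_mapping(attrs), check_fortigate_mapping(attrs, group_name="groups"))
```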

After these changes everything worked perfectly. I am now in the process of rolling out our new VPN to the users in the company along with the Microsoft MFA client.

8 thoughts on "Microsoft MFA login with Fortigate and Forticlient for SSLVPN"

  1. Tom January 13, 2021 / 2:14 am

    Isn't there an error in the AzureAD claims? For the group claims, it's mentioned as "groups", but in the Fortigate config it's defined as "group" without the s?

    • Joseph Jenkins January 13, 2021 / 5:14 am

      Nope, that is correct. That's why I put this together, because the documentation isn't correct from MS or Fortinet.

      • Tom January 13, 2021 / 5:21 am

        Thanks for doing this, but still, the "set group-name" should be "groups" if the claim for user.groups is defined as groups, no? How else will the Fortigate know what the group identifier is if "group" is used?
        Also, I am trying to do the same here. Via web VPN, SAML to AzureAD directly works (SSO without extra login), but when trying FortiClient 6.4 I effectively get an AzureAD login screen, after which the VPN connection fails. (FortiOS runs 6.2; cannot upgrade to 6.4 on this production machine yet.)

      • Joseph Jenkins January 13, 2021 / 5:25 am

        I tried both and only "group" worked. You have to be at 6.4 though; it won't work at 6.2. I spent days troubleshooting 6.2 and opened a ticket with Fortinet on it. There are a bunch of bugs with 6.2, and it won't recognize the group or user attributes at 6.2. There is also a bug where, if the tunnel does get established, it will only allow one-way traffic. To make this work you have to be at 6.4. I would wait to try until you can upgrade.

      • TOM January 13, 2021 / 5:29 am

        Thanks for your reply. I am still triggered, as it works almost perfectly using the web SSL VPN. I have also logged a ticket. We'll see. Thanks.

    • Joseph Jenkins June 26, 2021 / 7:04 am

      I never tried to log in via that method. I was just using the FortiClient and doing the SAML through that. I believe trying to use the Fortigate as the SAML client is a different configuration that I haven't tried.