How to Set Up MFA for FortiClient VPN using Duo: A Step-by-Step Guide – Part 4/4

Integrating Entra ID with Fortigate SSO for Duo Validated Push

In the 4th and final part in the series, we’ll finish up configuring Entra ID and integrate it with Fortigate SSO and SSL VPN.

Option 2:

Using Entra ID as the IdP with Conditional Access Rules to Facilitate the Duo Push

My Environment:

  • DUO Premier Trial Account
  • Fortinet Fully Featured Demo Keys
  • Windows 11 Client Computer with FortiClient
  • Microsoft Azure Entra ID licensed with E3

The FortiClient is set up for Remote Access.

References:

https://duo.com/docs/azure-ca#create-the-duo-azure-ca-application

https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-with-entra-id-acting-as-saml-idp

https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial#configure-azure-ad-sso

Steps:
  1. Now that we have Duo and Azure set up to partner on authentication in Part 3, we will need to configure Microsoft Entra SSO to accept authentication requests via SAML from Fortigate. Let's log into the Entra ID admin center again and browse to Applications -> Enterprise Applications. We'll need to add one to talk to Fortigate, so click "New Application" to add this functionality.

  2. When you add the new application, you will be presented with another screen in which the defaults are fine per below. Click Create.

  3. Now that the Enterprise App for Fortigate is created, we will need to make some configuration changes. To do so let’s click the 3 dots by Basic SAML Configuration to choose edit.

  4. To edit this part of the screen, we'll have to be aware of our SSL VPN settings in Fortigate. Since my hostname and port are vpn.trescointegrations.com:4443, my work is mostly done. I can follow the Microsoft guidelines to configure the Basic SAML Configuration section for Fortigate. Make sure to Save when finished. See the illustration below.

  5. Now we have to edit the Attributes and Claims section. The defaults provided need to be changed. First we’ll add a new claim for username, then we’ll delete the default group claim and add another group claim specific to Fortigate. In the end, the Attributes and Claims section should look like the below.
    • To create these additional claims:
    • Next to User Attributes & Claims, select Edit.
    • Select Add new claim.
    • For Name, enter username.
    • For Source attribute, select user.userprincipalname.
    • Select Save.

      User Attributes & Claims allows only one group claim. To add the Fortigate group claim, either delete the existing user.groups [SecurityGroup] claim and add a new one, or edit the existing claim to All groups.

    • Select Add a group claim.
    • Select All groups.
    • Under Advanced options, select the Customize the name of the group claim check box.
    • For Name, enter group.
    • Select Save.
    • Note how this section looks when complete.

  6. Once finished here, we need to download the Base64 certificate to upload to Fortigate as well as jot down the URLs from Microsoft we’ll need for the Fortigate config.



  7. Fortigate requires filtering on a group, but it matches on the Object ID of the Entra ID group. I have a group named Fortigate SSL VPN already created; its Object ID is 5f149a8d-62cc-480f-a097-e0614f4b5928, and we'll use it below.


  8. Let’s add the Group to the Enterprise Application so we’re able to authenticate. In the Entra portal, go to your new Enterprise Application. Under Users and groups, add the new group.

  9. While we're at it, we should also configure the Enterprise App to use Conditional Access. Go to Protection -> Conditional Access -> Policies. Click to edit the policy we created in Section 3 in this series. We'll add our enterprise app to it per the picture.

  10. Now that we're done in the Microsoft console, let's hop over to the Fortigate GUI. The first thing we'll do is upload the certificate from Entra ID. Browse over to System -> Certificates, click on "Create/Import" at the top of the screen, and choose "Remote Certificate" when the menu drops down.

  11. Once uploaded, we can find this cert in the certificate list. Note the name, as we’ll need it to configure the CLI option in Fortigate to configure the SSO IdP as Entra ID. In the example below, mine is named REMOTE_Cert_2.


  12. Now let’s open a command-line interface to the Fortigate. We’ll be creating a single sign-on instance for Entra ID that will be used to Authenticate and Authorize users for FortiClient VPN.

    Here’s what we need to configure specifically. Fill out with your specific information. The Fortinet URLs are based on the prefix hostname:port as configured in the SSL VPN Settings.
    • config user saml
      • edit azure-sso <- Name we’re giving the Fortigate SSO entity
        • set entity-id https://vpn..com:4443/remote/saml/metadata/ <- Fortinet URL
        • set single-sign-on-url https://vpn..com:4443/remote/saml/login <- Fortinet URL
        • set single-logout-url https://vpn..com:4443/remote/saml/logout <- Fortinet URL
        • set idp-entity-id https://sts.windows.net// <- Entra ID URL
        • set idp-single-sign-on-url https://login.microsoftonline.com//saml2 <- Entra ID URL
        • set idp-single-logout-url https://login.microsoftonline.com//saml2 <- Entra ID URL
        • set idp-cert REMOTE_Cert_2 <- Cert name we uploaded previously
        • set user-name username <- IdP Attribute
        • set group-name group <- IDP Attribute
      • next
    • end
  13. Since we're in the CLI, we will create the Fortinet group tied to the Object ID we referenced above; this group governs which users can connect to FortiClient VPN.
    • config user group
      • edit EntraVPNAccess <- Your Friendly Group name
        • set member azure-sso <- Name you used for the Fortigate SSO entry
        • config match
          • edit 1
            • set server-name azure-sso <- Name you used for the Fortigate SSO entry
            • set group-name 5f149a8d-62cc-480f-a097-e0614f4b5928 <- Entra ID Group GUID
          • next
        • end
      • next
    • end
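
To make the mapping between steps 5, 7, 12 and 13 concrete, here is an added example (not code from the post, Fortinet or Microsoft) that models how the FortiGate applies those settings to the SAML assertion Entra ID sends: the issuer must match idp-entity-id, the audience must match entity-id, and the claim named in user-name must carry one UPN while the claim named in group-name must contain the Object ID from the config match block. The hostname:port and group Object ID are the post's own values; the tenant ID (the path segment elided from the post's sts.windows.net and login.microsoftonline.com URLs), the user and the second group GUID are constructed placeholders, and the assertions are built inline with no signature. Signature validation against the uploaded idp-cert is assumed to have passed before any of this runs, which is exactly why the Base64 certificate from step 6 matters.

```python
"""Added example (not from the post, Fortinet or Microsoft): model how the
'config user saml' and 'config user group' settings are applied to an
Entra ID SAML assertion. Tenant ID, user and extra group are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

HOST_PORT = "vpn.trescointegrations.com:4443"          # from the post (step 4)
TENANT_ID = "00000000-0000-0000-0000-000000000000"      # PLACEHOLDER: your Entra tenant ID
VPN_GROUP_ID = "5f149a8d-62cc-480f-a097-e0614f4b5928"  # Object ID from step 7
OTHER_GROUP_ID = "9b1c2d3e-4f50-4a61-8b72-c83d94e5f6a7"  # constructed, not in the post


def sp_urls(host_port: str) -> dict:
    """Fortinet-side URLs of 'config user saml', derived from hostname:port (step 12)."""
    base = f"https://{host_port}/remote/saml"
    return {"entity-id": f"{base}/metadata/",
            "single-sign-on-url": f"{base}/login",
            "single-logout-url": f"{base}/logout"}


def idp_urls(tenant_id: str) -> dict:
    """Entra ID-side URLs. Assumption: the tenant ID fills the empty path segment."""
    return {"idp-entity-id": f"https://sts.windows.net/{tenant_id}/",
            "idp-single-sign-on-url": f"https://login.microsoftonline.com/{tenant_id}/saml2",
            "idp-single-logout-url": f"https://login.microsoftonline.com/{tenant_id}/saml2"}


def attribute_values(assertion: ET.Element, name: str) -> list:
    """All AttributeValue texts for the claim called `name` ('username'/'group', step 5)."""
    return [v.text.strip()
            for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
            if attr.get("Name") == name
            for v in attr.findall("saml:AttributeValue", NS)
            if v.text]


def evaluate_assertion(xml_text: str, host_port: str, tenant_id: str,
                       user_attr: str, group_attr: str, allowed_group_id: str) -> dict:
    """Check issuer (idp-entity-id), audience (entity-id), then the user-name and
    group-name claims against the 'config match' GUID. Signature verification
    against idp-cert is assumed to have happened before this point."""
    root = ET.fromstring(xml_text)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    audience = (root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                              default="", namespaces=NS) or "").strip()
    users = attribute_values(root, user_attr)
    groups = [g.lower() for g in attribute_values(root, group_attr)]
    result = {"issuer_ok": issuer == idp_urls(tenant_id)["idp-entity-id"],
              "audience_ok": audience == sp_urls(host_port)["entity-id"],
              "user": users[0] if len(users) == 1 else None,
              "groups": groups, "allowed": False, "reason": ""}
    if not result["issuer_ok"]:
        result["reason"] = "issuer does not match idp-entity-id"
    elif not result["audience_ok"]:
        result["reason"] = "audience does not match entity-id"
    elif result["user"] is None or "@" not in result["user"]:
        result["reason"] = f"expected exactly one UPN in the '{user_attr}' claim"
    elif allowed_group_id.lower() not in groups:
        result["reason"] = "user is not in the Entra ID group mapped in 'config match'"
    else:
        result["allowed"], result["reason"] = True, "ok"
    return result


def constructed_assertion(group_ids) -> str:
    """Minimal unsigned assertion shaped like Entra ID's output after step 5 (constructed)."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_ids)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://{HOST_PORT}/remote/saml/metadata/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe@trescointegrations.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed samples: a member of the VPN group, and a user in some other group only.
ASSERTION_MEMBER = constructed_assertion([VPN_GROUP_ID, OTHER_GROUP_ID])
ASSERTION_OTHER = constructed_assertion([OTHER_GROUP_ID])

if __name__ == "__main__":
    for label, xml in (("member", ASSERTION_MEMBER), ("non-member", ASSERTION_OTHER)):
        r = evaluate_assertion(xml, HOST_PORT, TENANT_ID, "username", "group", VPN_GROUP_ID)
        print(f"{label}: allowed={r['allowed']} ({r['reason']})")
```

The order of checks mirrors why each CLI line exists: a wrong idp-entity-id or entity-id fails before any claim is read, a claim name that does not match user-name or group-name yields no user or no groups, and a group claim that does not contain the Object ID leaves the user authenticated by Entra ID but unauthorized for the VPN.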
  14. Once entered, you will be able to see the new group in the GUI. We’ll use this to configure the SSL VPN settings to use SSO. Navigate to VPN -> SSL VPN Settings. Provide the Group Name for auth mapping per below and apply the config.

  15. Finally, we can configure FortiClient on the endpoint. We'll set up a VPN profile per the below and connect. You should now be pushed through the Microsoft SSO portal to authenticate, then receive a Duo Push to confirm the second factor.

