Add readme.md

2025-11-12 15:35:47 +01:00
commit 9c71ee330d
1 changed files with 163 additions and 0 deletions
--- a/readme.md
+++ b/readme.md
@@ -0,0 +1,163 @@
+
+# FortiGate 100F Cluster – IPsec VPN met Entra ID (SSO via SAML)
+
+## 🧩 Overzicht
+Gebruikers verbinden via IPsec VPN naar het FortiGate-cluster met hun Entra ID-account.  
+De FortiGate vertrouwt op Entra ID als *SAML Identity Provider (IdP)*.  
+De FortiClient VPN app gebruikt SAML-authenticatie en ontvangt dynamisch de aanmeld-URL.
+
+---
+
+## 1️⃣ Entra ID – App registratie
+
+1. Meld aan bij [https://entra.microsoft.com](https://entra.microsoft.com)
+2. Ga naar **Applications > App registrations > New registration**
+   - **Name:** `FortiGate VPN SSO`
+   - **Supported account types:** Single tenant
+   - **Redirect URI (Web):**
+     ```
+     https://<fortigate-fqdn>:443/saml/sp/acs
+     ```
+3. Klik **Register**
+
+### 1.1 SAML instellingen
+1. Open de nieuwe app → **Single sign-on** → kies **SAML**
+2. Bij **Basic SAML Configuration:**
+   - **Identifier (Entity ID):** `https://<fortigate-fqdn>/saml/sp`
+   - **Reply URL (ACS URL):** `https://<fortigate-fqdn>:443/saml/sp/acs`
+   - **Sign on URL:** `https://<fortigate-fqdn>`
+3. **User Attributes & Claims:** laat standaard (“user.userprincipalname”)
+4. **SAML Signing Certificate:** download **Federation Metadata XML**
+
+### 1.2 Toegang & gebruikers
+Voeg onder **Enterprise Applications > Users and groups** de groep(en) of gebruiker(s) toe die mogen inloggen.
+
+---
+
+## 2️⃣ FortiGate – SAML IdP configureren
+
+Upload het metadata-bestand en maak de IdP-entry aan:
+
+```bash
+config user saml
+    edit "entra-sso"
+        set cert "Fortinet_Factory"
+        set entity-id "https://<fortigate-fqdn>/saml/sp"
+        set single-sign-on-url "https://<fortigate-fqdn>:443/saml/sp/acs"
+        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
+        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
+        set idp-cert "azuread-sso.crt"
+        set user-name "userprincipalname"
+    next
+end
+```
+
+💡 **azuread-sso.crt** importeer je onder *System → Certificates → Import → Remote CA Certificate* (uit het metadata-XML van Entra ID).
+
+Controleer met:
+```bash
+show user saml
+```
+
+---
+
+## 3️⃣ IPsec-tunnel aanmaken (Phase 1 + 2)
+
+**GUI → VPN → IPsec Tunnels → Create New → Custom.**
+
+### Phase 1
+| Instelling | Waarde |
+|-------------|---------|
+| **Name** | vpn-entra |
+| **Remote Gateway** | Dynamic IP Address |
+| **Interface** | WAN1 |
+| **Authentication Method** | SAML User |
+| **SAML Server** | entra-sso |
+| **Mode** | Aggressive |
+| **IKE Version** | v2 |
+| **Proposal** | AES256/SHA256/DH14 |
+| **DPD/Keepalive** | standaard |
+
+### Phase 2
+| Instelling | Waarde |
+|-------------|---------|
+| **Name** | vpn-entra-p2 |
+| **Phase1 Interface** | vpn-entra |
+| **Local Address** | 0.0.0.0/0 |
+| **Remote Address** | 0.0.0.0/0 |
+| **Proposal** | AES256/SHA256 |
+
+---
+
+## 4️⃣ Firewall user-groep koppelen
+
+```bash
+config user group
+    edit "vpn-entra-group"
+        set member "entra-sso"
+    next
+end
+```
+
+---
+
+## 5️⃣ Policy voor VPN-verkeer
+
+```bash
+config firewall policy
+    edit 0
+        set name "VPN_to_LAN"
+        set srcintf "vpn-entra"
+        set dstintf "lan"
+        set srcaddr "all"
+        set dstaddr "all"
+        set action accept
+        set schedule always
+        set service ALL
+        set nat enable
+        set groups "vpn-entra-group"
+    next
+end
+```
+
+---
+
+## 6️⃣ FortiClient VPN instellen
+
+FortiClient (VPN-only versie 7.4+) → **Remote Access → IPsec VPN → Add New**
+
+| Veld | Waarde |
+|------|---------|
+| **Connection Name** | FortiGate SSO VPN |
+| **VPN Type** | IPsec |
+| **Remote Gateway** | `https://<fortigate-fqdn>` |
+| **Authentication** | SSO with SAML |
+| **Username/Password** | Leeg laten |
+| **Group Name (ID)** | vpn-entra (optioneel) |
+
+Test → je wordt doorgestuurd naar Microsoft login.microsoftonline.com.
+
+---
+
+## 7️⃣ Test & troubleshoot
+
+- Controleer aanmeld-URL:  
+  `https://<fortigate-fqdn>:443/saml/sp/test`
+- FortiGate CLI-debug:  
+  ```bash
+  diagnose debug enable
+  diagnose debug application ike -1
+  ```
+- Controleer dat “SAML assertion” wordt ontvangen na login.
+
+---
+
+## ✅ Resultaat
+
+Na succesvolle Entra-ID-authenticatie krijgt de gebruiker een IPsec-tunnel met policy-gebaseerde toegang.  
+Aanpassing van toegangsrechten doe je in Entra ID via groepslidmaatschap.
+
+---
+
+© 2025 Screen GP Europe – ICT Dept.  
+Documentversie: 1.0 – Auteur: Marco Voskuil