FortiGate-100F-Cluster---IP…/readme.md
2025-11-12 15:35:47 +01:00

# FortiGate 100F Cluster IPsec VPN with Entra ID (SSO via SAML)
## 🧩 Overview
Users connect over IPsec VPN to the FortiGate cluster with their Entra ID account.
The FortiGate relies on Entra ID as the *SAML Identity Provider (IdP)*.
The FortiClient VPN app uses SAML authentication and receives the sign-in URL dynamically.
---
## 1⃣ Entra ID app registration
1. Sign in at [https://entra.microsoft.com](https://entra.microsoft.com)
2. Go to **Applications > App registrations > New registration**
   - **Name:** `FortiGate VPN SSO`
   - **Supported account types:** Single tenant
   - **Redirect URI (Web):**
     ```
     https://<fortigate-fqdn>:443/saml/sp/acs
     ```
3. Click **Register**
### 1.1 SAML settings
1. Open the new app → **Single sign-on** → choose **SAML**
2. Under **Basic SAML Configuration:**
   - **Identifier (Entity ID):** `https://<fortigate-fqdn>/saml/sp`
   - **Reply URL (ACS URL):** `https://<fortigate-fqdn>:443/saml/sp/acs`
   - **Sign on URL:** `https://<fortigate-fqdn>`
3. **User Attributes & Claims:** leave at the default (“user.userprincipalname”)
4. **SAML Signing Certificate:** download the **Federation Metadata XML**
### 1.2 Access & users
Under **Enterprise Applications > Users and groups**, add the group(s) or user(s) that are allowed to sign in.
---
## 2⃣ Configure the SAML IdP on the FortiGate
Upload the metadata file and create the IdP entry:
```bash
config user saml
    edit "entra-sso"
        set cert "Fortinet_Factory"
        set entity-id "https://<fortigate-fqdn>/saml/sp"
        set single-sign-on-url "https://<fortigate-fqdn>:443/saml/sp/acs"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "azuread-sso.crt"
        set user-name "userprincipalname"
    next
end
```
💡 Import **azuread-sso.crt** under *System → Certificates → Import → Remote CA Certificate* (taken from the Entra ID metadata XML).
Verify with:
```bash
show user saml
```
---
## 3⃣ Create the IPsec tunnel (Phase 1 + 2)
**GUI → VPN → IPsec Tunnels → Create New → Custom.**
### Phase 1
| Setting | Value |
|-------------|---------|
| **Name** | vpn-entra |
| **Remote Gateway** | Dynamic IP Address |
| **Interface** | WAN1 |
| **Authentication Method** | SAML User |
| **SAML Server** | entra-sso |
| **Mode** | Aggressive |
| **IKE Version** | v2 |
| **Proposal** | AES256/SHA256/DH14 |
| **DPD/Keepalive** | default |
### Phase 2
| Setting | Value |
|-------------|---------|
| **Name** | vpn-entra-p2 |
| **Phase1 Interface** | vpn-entra |
| **Local Address** | 0.0.0.0/0 |
| **Remote Address** | 0.0.0.0/0 |
| **Proposal** | AES256/SHA256 |
---
## 4⃣ Link the firewall user group
```bash
config user group
    edit "vpn-entra-group"
        set member "entra-sso"
    next
end
```
---
## 5⃣ Policy for VPN traffic
```bash
config firewall policy
    edit 0
        set name "VPN_to_LAN"
        set srcintf "vpn-entra"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule always
        set service ALL
        set nat enable
        set groups "vpn-entra-group"
    next
end
```
---
## 6⃣ Configure FortiClient VPN
FortiClient (VPN-only version 7.4+) → **Remote Access → IPsec VPN → Add New**
| Field | Value |
|------|---------|
| **Connection Name** | FortiGate SSO VPN |
| **VPN Type** | IPsec |
| **Remote Gateway** | `https://<fortigate-fqdn>` |
| **Authentication** | SSO with SAML |
| **Username/Password** | Leave empty |
| **Group Name (ID)** | vpn-entra (optional) |
Test → you are redirected to Microsoft login.microsoftonline.com.
---
## 7⃣ Test & troubleshoot
- Check the sign-in URL:
`https://<fortigate-fqdn>:443/saml/sp/test`
- FortiGate CLI debug:
```bash
diagnose debug enable
diagnose debug application ike -1
```
- Verify that a “SAML assertion” is received after login.
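Added example (not part of this README and not FortiOS code): when the debug output shows an assertion arriving but the login still fails, the cause is almost always a mismatch between the assertion and the `config user saml` values. This Python script reads a SAML Response and reports exactly those mismatches: issuer versus `idp-entity-id`, `Audience` versus `entity-id`, `Recipient` versus `single-sign-on-url`, validity window, and whether the attribute named by `user-name` is present. The response is a constructed, unsigned sample; the FQDN `vpn.example.com`, the all-zero tenant ID, the user `jdoe@example.com` and the 3-minute clock-skew allowance are assumptions. It is a reading aid for troubleshooting only: the XML signature check the FortiGate performs against `idp-cert` is deliberately not reproduced.

```python
"""Added example: explain why a received SAML assertion would be rejected by
comparing it with the section 2 values. Diagnostic aid only; the signature
check done with idp-cert is NOT reproduced. Not Fortinet or Microsoft code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP/IdP values: the FQDN and the all-zero tenant id are placeholders.
SP_ENTITY_ID = "https://vpn.example.com/saml/sp"
ACS_URL = "https://vpn.example.com:443/saml/sp/acs"
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_NOW = datetime(2025, 11, 12, 14, 36, tzinfo=timezone.utc)  # constructed clock

# Constructed, unsigned sample of what the IdP POSTs to the ACS URL after login.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2025-11-12T14:35:47Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-11-12T14:35:47Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2025-11-12T14:40:47Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-11-12T14:30:47Z" NotOnOrAfter="2025-11-12T15:35:47Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="userprincipalname">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, *, sp_entity_id, acs_url, idp_entity_id, user_attr,
                    now, skew=timedelta(minutes=3)):
    """Return (username or None, list of mismatches an SP would reject on)."""
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion (missing or encrypted)")
        return None, problems
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} != idp-entity-id {idp_entity_id!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks entity-id {sp_entity_id!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append(f"Recipient {scd.get('Recipient')!r} != single-sign-on-url {acs_url!r}")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    username = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == user_attr:  # this is what 'set user-name' selects
            username = attr.findtext("saml:AttributeValue", namespaces=NS)
            break
    if username is None:
        problems.append(f"attribute {user_attr!r} absent: compare user-name with the Entra claim name")
    return username, problems


if __name__ == "__main__":
    user, issues = check_assertion(SAMPLE_RESPONSE, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                                   idp_entity_id=IDP_ENTITY_ID, user_attr="userprincipalname",
                                   now=SAMPLE_NOW)
    print(user, issues or "no mismatches")
```

Feed it the decoded `SAMLResponse` taken from the debug output or a browser trace and the list of problems names the exact `set` line (or Entra claim) to correct; an empty list means the remaining suspects are the signature and the `azuread-sso.crt` import.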
---
## ✅ Result
After successful Entra ID authentication the user gets an IPsec tunnel with policy-based access.
Access rights are adjusted in Entra ID via group membership.
---
© 2025 Screen GP Europe ICT Dept.
Document version: 1.0 Author: Marco Voskuil