FortiGate 100F Cluster – IPsec VPN with Entra ID (SSO via SAML)
🧩 Overview
Users connect over IPsec VPN to the FortiGate cluster with their Entra ID account.
The FortiGate trusts Entra ID as SAML Identity Provider (IdP).
The FortiClient VPN app uses SAML authentication and receives the sign-in URL dynamically from the FortiGate.
1️⃣ Entra ID – App registration
- Sign in at https://entra.microsoft.com
- Go to Applications > App registrations > New registration
- Name: FortiGate VPN SSO
- Supported account types: Single tenant
- Redirect URI (Web): https://<fortigate-fqdn>:443/saml/sp/acs
- Click Register
1.1 SAML settings
- Open the matching app under Enterprise applications → Single sign-on → choose SAML (the Single sign-on blade lives on the enterprise application that the registration created, not on the app registration itself)
- Under Basic SAML Configuration:
  - Identifier (Entity ID): https://<fortigate-fqdn>/saml/sp
  - Reply URL (ACS URL): https://<fortigate-fqdn>:443/saml/sp/acs
  - Sign on URL: https://<fortigate-fqdn>
- User Attributes & Claims: the default claims carry the UPN as the Name ID and under the claim name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. The FortiGate matches on the claim name, not on the Entra source attribute, so add a claim named userprincipalname (source attribute user.userprincipalname) here; that is the name the FortiGate configuration in section 2 refers to.
- SAML Signing Certificate: download the Federation Metadata XML (for the IdP entity ID and sign-in URL) and the Certificate (Base64) (the IdP signing certificate that is imported on the FortiGate)
1.2 Access & users
Under Enterprise Applications > Users and groups, add the group(s) or user(s) that are allowed to sign in. Also set "Assignment required?" to Yes under the enterprise application's Properties, otherwise every user in the tenant can obtain an assertion for the VPN.
2️⃣ FortiGate – configure the SAML IdP
Import the IdP signing certificate (see the note below the block) and create the SAML server entry with the values from the metadata XML:
config user saml
edit "entra-sso"
set cert "Fortinet_Factory"
set entity-id "https://<fortigate-fqdn>/saml/sp"
set single-sign-on-url "https://<fortigate-fqdn>:443/saml/sp/acs"
set idp-entity-id "https://sts.windows.net/<tenant-id>/"
set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
set idp-cert "azuread-sso.crt"
set user-name "userprincipalname"
next
end
💡 azuread-sso.crt is the IdP signing certificate from Entra ID: the Certificate (Base64) download, which is the same value as the X509Certificate element in the metadata XML wrapped in PEM headers. Import it under System → Certificates → Import → Remote Certificate (not Remote CA Certificate); the name it gets on import must match set idp-cert. The idp-entity-id and idp-single-sign-on-url values are the entityID attribute and the HTTP-Redirect SingleSignOnService Location from the metadata. The entity-id and single-sign-on-url values must match the Identifier and Reply URL entered in Entra ID character for character. The user-name value is the claim name looked up in the assertion, so a claim with exactly that name has to exist in the app's User Attributes & Claims.
Check with:
show user saml
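As an added example (not part of the original document or of Fortinet's own tooling), the script below derives the config user saml block and the PEM file for azuread-sso.crt from the Federation Metadata XML downloaded in step 1.1, so the IdP entity ID, sign-in URL and signing certificate come from what the tenant publishes instead of being retyped. It assumes the SP entity ID and ACS URL layout used in this document, a FortiGate FQDN of vpn.example.com, and a constructed sample metadata file with a placeholder tenant ID and certificate; the element structure matches the real file.

```python
# Added example (not part of the original document): build the
# 'config user saml' block and the IdP certificate PEM from the Entra ID
# Federation Metadata XML. Assumptions: SP entity ID / ACS URL layout as in
# the document, FQDN vpn.example.com, and the constructed metadata below
# (placeholder tenant ID and certificate, real element structure).
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-1111-2222-3333-444444444444"  # placeholder tenant ID

# Constructed sample of the Federation Metadata XML (not real tenant data).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQPLACEHOLDERCERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return IdP entity ID, HTTP-Redirect SSO URL and base64 signing cert."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")
    certs = [
        kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"  # no 'use' attribute = signing and encryption
    ]
    sso = [
        s.get("Location")
        for s in idp.findall("md:SingleSignOnService", NS)
        if s.get("Binding") == HTTP_REDIRECT
    ]
    if not certs or not certs[0] or not sso:
        raise ValueError("signing certificate or HTTP-Redirect SSO endpoint missing")
    entity_id = root.get("entityID")
    # Guard against metadata from another tenant being pasted in: the tenant ID
    # in the entity ID must also appear in the sign-in URL, which must be https
    # because the user's browser is redirected there.
    tenant = entity_id.rstrip("/").rsplit("/", 1)[-1]
    if tenant not in sso[0] or not sso[0].startswith("https://"):
        raise ValueError("SSO URL does not belong to tenant %s or is not https" % tenant)
    return {
        "idp_entity_id": entity_id,
        "idp_sso_url": sso[0],
        "idp_cert_b64": "".join(certs[0].split()),  # strip line breaks inside the value
    }


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 certificate in PEM headers for import as Remote Certificate."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def render_fortigate_config(meta: dict, fqdn: str, name: str = "entra-sso",
                            idp_cert_name: str = "azuread-sso.crt",
                            user_attr: str = "userprincipalname") -> str:
    """Emit the 'config user saml' block with the SP URLs used in this document."""
    lines = [
        "config user saml",
        '    edit "%s"' % name,
        '        set cert "Fortinet_Factory"',
        '        set entity-id "https://%s/saml/sp"' % fqdn,
        '        set single-sign-on-url "https://%s:443/saml/sp/acs"' % fqdn,
        '        set idp-entity-id "%s"' % meta["idp_entity_id"],
        '        set idp-single-sign-on-url "%s"' % meta["idp_sso_url"],
        '        set idp-cert "%s"' % idp_cert_name,
        '        set user-name "%s"' % user_attr,  # must equal the claim name in the assertion
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(to_pem(meta["idp_cert_b64"]))  # save as azuread-sso.crt and import it
    print(render_fortigate_config(meta, "vpn.example.com"))
```

For a real tenant, read the downloaded file with open(path).read() and pass it to parse_idp_metadata; the tenant check will reject metadata that does not belong to the tenant in the entityID, and the rendered block can be pasted into the CLI as-is.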
3️⃣ Create the IPsec tunnel (Phase 1 + 2)
GUI → VPN → IPsec Tunnels → Create New → Custom.
Phase 1
| Setting | Value |
|---|---|
| Name | vpn-entra |
| Remote Gateway | Dynamic IP Address |
| Interface | WAN1 |
| Authentication Method | SAML User |
| SAML Server | entra-sso |
| Mode | Not applicable: main/aggressive mode exists only in IKEv1, and this tunnel uses IKEv2 |
| IKE Version | v2 |
| Proposal | AES256/SHA256/DH14 |
| DPD/Keepalive | default |
Phase 2
| Setting | Value |
|---|---|
| Name | vpn-entra-p2 |
| Phase1 Interface | vpn-entra |
| Local Address | 0.0.0.0/0 |
| Remote Address | 0.0.0.0/0 |
| Proposal | AES256/SHA256 |
4️⃣ Link the firewall user group
config user group
edit "vpn-entra-group"
set member "entra-sso"
next
end
5️⃣ Policy for VPN traffic
The policy below lets the group reach the whole LAN on every service with source NAT. For production, replace srcaddr "all" with an address object for the VPN client pool, restrict dstaddr and service to what this group actually needs, and leave NAT off unless LAN hosts have no route back to the client pool. With groups set, only sessions of users who authenticated against entra-sso match the policy.
config firewall policy
edit 0
set name "VPN_to_LAN"
set srcintf "vpn-entra"
set dstintf "lan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule always
set service ALL
set nat enable
set groups "vpn-entra-group"
next
end
6️⃣ Configure FortiClient
FortiClient (VPN-only edition 7.4+) → Remote Access → IPsec VPN → Add New
| Field | Value |
|---|---|
| Connection Name | FortiGate SSO VPN |
| VPN Type | IPsec |
| Remote Gateway | <fortigate-fqdn> (hostname or IP, without https://) |
| Authentication | SSO with SAML |
| Username/Password | Leave empty |
| Group Name (ID) | vpn-entra (optional) |
Test → you are redirected to the Microsoft sign-in page at login.microsoftonline.com.
7️⃣ Test & troubleshoot
- Check the sign-in URL: https://<fortigate-fqdn>:443/saml/sp/test
- FortiGate CLI debug (IKE daemon and SAML daemon; stop with diagnose debug disable followed by diagnose debug reset):
  diagnose debug console timestamp enable
  diagnose debug application ike -1
  diagnose debug application samld -1
  diagnose debug enable
- Check that a SAML assertion is received after login, and that the claim named in set user-name and the group membership in the assertion match what is configured under config user saml and the user group.
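When the Microsoft sign-in succeeds but the FortiGate still rejects the user, the assertion usually does not carry what the configuration expects. As an added example (not part of the original document or of any Fortinet tool), the script below decodes the SAMLResponse form field as posted to the ACS URL and compares it with the values from config user saml: status, issuer versus idp-entity-id, audience versus entity-id, presence of a signature, and whether a claim with the set user-name name exists. It does not validate the XML signature (the FortiGate does that with idp-cert). The response is constructed for this example, with FQDN vpn.example.com, a placeholder tenant ID and a placeholder signature value; a real Entra ID response has the same structure.

```python
# Added example (not part of the original document): decode a SAMLResponse
# and check it against the FortiGate 'config user saml' values. Signature
# validation is deliberately left out (the FortiGate does it). The sample
# response is constructed: FQDN vpn.example.com, placeholder tenant ID and
# placeholder signature, Entra ID's default claim names.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TENANT = "00000000-1111-2222-3333-444444444444"  # placeholder tenant ID
IDP_ENTITY_ID = "https://sts.windows.net/%s/" % TENANT
SP_ENTITY_ID = "https://vpn.example.com/saml/sp"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample response, shaped like what Entra ID posts to the ACS URL.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="https://vpn.example.com:443/saml/sp/acs">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{UPN_CLAIM}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-aaaa-bbbb-cccc-222222222222</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def summarize_response(saml_response_b64: str) -> dict:
    """Decode the SAMLResponse field and pull out the fields the SP checks."""
    resp = ET.fromstring(base64.b64decode(saml_response_b64))
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        # Entra ID does not encrypt assertions by default; an EncryptedAssertion
        # here means token encryption was enabled on the enterprise application.
        raise ValueError("no plain saml:Assertion in response")
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "signed": assertion.find("ds:Signature", NS) is not None,
        "attributes": attrs,
    }


def check_against_config(summary: dict, sp_entity_id: str, idp_entity_id: str,
                         user_name_attr: str) -> list:
    """Return the mismatches between the assertion and the FortiGate settings."""
    problems = []
    if summary["status"] != SUCCESS:
        problems.append("status is %s" % summary["status"])
    if summary["issuer"] != idp_entity_id:
        problems.append("issuer %s != idp-entity-id %s" % (summary["issuer"], idp_entity_id))
    if summary["audience"] != sp_entity_id:
        problems.append("audience %s != entity-id %s" % (summary["audience"], sp_entity_id))
    if not summary["signed"]:
        problems.append("assertion is not signed")
    if user_name_attr not in summary["attributes"]:
        problems.append("no claim named %r; assertion carries %s"
                        % (user_name_attr, sorted(summary["attributes"])))
    return problems


if __name__ == "__main__":
    s = summarize_response(SAMPLE_RESPONSE_B64)
    print("NameID:", s["name_id"], "claims:", sorted(s["attributes"]))
    # With set user-name "userprincipalname" and Entra ID's default claims,
    # no claim of that name exists, so the user cannot be resolved:
    print(check_against_config(s, SP_ENTITY_ID, IDP_ENTITY_ID, "userprincipalname"))
    # Either add a claim named userprincipalname in Entra ID, or point
    # set user-name at the claim name that is actually sent:
    print(check_against_config(s, SP_ENTITY_ID, IDP_ENTITY_ID, UPN_CLAIM))
```

To use it on a real login, capture the SAMLResponse value from the browser's POST to the ACS URL (developer tools, network tab) and pass it to summarize_response; an empty list from check_against_config means the assertion matches the FortiGate configuration and the problem lies elsewhere (certificate, group, or policy).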
✅ Result
After successful Entra ID authentication the user gets an IPsec tunnel with policy-based access.
Access rights are adjusted in Entra ID through group membership.
© 2025 Screen GP Europe – ICT Dept.
Document version: 1.0 – Author: Marco Voskuil