How to Integrating Azure Active Directory (Azure AD) with FortiGate firewall for SSO (Single Sign-On) authentication

  • هذا الموضوع فارغ.
  • Post
    • ديسمبر 21, 2024 الساعة 6:25 ص
    Weekend Wiki
    مدير عام
    Integrating Azure Active Directory (Azure AD) with FortiGate firewall for SSO (Single Sign-On) authentication allows users to log in to the FortiGate firewall using their Azure AD credentials. This integration leverages SAML (Security Assertion Markup Language) or LDAP protocols for authentication.

    Here’s how you can set up SSO authentication via Azure AD with a FortiGate firewall using SAML.

    Steps to Integrate Azure AD with FortiGate Firewall for SSO Authentication

    1. Configure Azure AD for SSO

    Before configuring the FortiGate firewall, you’ll need to register your FortiGate device in Azure AD as an Enterprise Application.

    1. Log in to Azure Portal:
    2. Register FortiGate as an Enterprise Application:
      • Navigate to Azure Active Directory > Enterprise Applications.
      • Click + New Application and select Non-gallery application.
      • Name the application, for example: FortiGate_SSO and click Add.
    3. Configure SSO:
      • After creating the application, go to Single Sign-On.
      • Select SAML as the Single Sign-On method.
      • Configure Basic SAML Settings:
        • Identifier (Entity ID): Enter a unique identifier, e.g., https://<FortiGate_IP>/sso.
        • Reply URL (Assertion Consumer Service URL): Enter https://<FortiGate_IP>/remote/login (replace <FortiGate_IP> with your FortiGate device’s IP address).
        • Sign-on URL: This can be left blank or can be configured as https://<FortiGate_IP>/remote/login.
    4. Download the Federation Metadata XML:
      • Under the SAML Signing Certificate, download the Federation Metadata XML. You will use this to configure the FortiGate firewall.

    2. Configure FortiGate for SSO via SAML

    1. Access the FortiGate Web GUI:
      • Log in to your FortiGate firewall using the web interface.
    2. Enable SAML Authentication:
      • Navigate to User & Device > SAML Single Sign-On.
      • Click Create New to add a new SSO configuration.
    3. Configure SAML Settings:
      • Name: Give a name for the SSO profile, e.g., Azure_AD_SSO.
      • Remote ID: Set this to the Identifier (Entity ID) from Azure AD, e.g., https://<FortiGate_IP>/sso.
      • Identity Provider (IdP) Certificate: Upload the Federation Metadata XML file that you downloaded from Azure AD.
    4. Set the Assertion Consumer Service (ACS) URL:
      • Set the ACS URL to https://<FortiGate_IP>/remote/login.
    5. Configure SAML Attributes:
      • For the Name ID Format, select EmailAddress.
      • Map the Azure AD fields to FortiGate fields (typically email address or username).
    6. Save the Configuration:
      • Click OK to save the SAML SSO configuration.

    3. Create User Groups in FortiGate:

    Once the SSO configuration is set, you can create user groups based on the Azure AD user attributes.

    1. Go to User & Device > User Groups.
    2. Click Create New.
    3. Set the following:
      • Name: Name the user group (e.g., Azure_AD_Users).
      • Type: Select SAML as the authentication type.
      • SAML Server: Select the SAML profile you created earlier (e.g., Azure_AD_SSO).
    4. Click OK to save the user group.

    4. Create Firewall Policies for SSO Authentication

    1. Go to Policy & Objects > IPv4 Policy.
    2. Create a new policy where you can apply SSO authentication.
    3. Set the following:
      • Incoming Interface: Choose the appropriate interface.
      • Outgoing Interface: Choose the destination interface.
      • Source: Choose the user group created earlier (Azure_AD_Users).
      • Destination: Set the destination as needed.
      • Action: Set to Accept.
      • Authentication: Enable User Authentication and select SAML for authentication.
    4. Click OK to apply the policy.

    5. Test the SSO Login:

    • After completing the configuration, test the SSO authentication by accessing the FortiGate login page. You should be redirected to Azure AD for authentication.
    • Once authenticated, users will be logged into the FortiGate firewall based on their Azure AD credentials.

    6. Optional: Configure User Group Access Control (Optional)

    If you want to grant or restrict access to specific resources based on Azure AD groups, you can configure additional group-based access control.

    1. Go to User & Device > User Groups and create groups corresponding to Azure AD groups.
    2. Use FortiGate firewall policies to allow or deny access based on the user group.

    Summary of Steps:

    1. Configure Azure AD: Register FortiGate as an Enterprise Application in Azure AD, enable SAML, and download the Federation Metadata XML.
    2. Configure FortiGate: Set up the SAML SSO settings on FortiGate using the metadata from Azure AD.
    3. Create User Groups: Set up user groups based on Azure AD.
    4. Create Firewall Policies: Apply the user groups to firewall policies to control access.
    5. Test Login: Ensure users can log in via Azure AD credentials.

    By completing these steps, you will have integrated Azure AD with FortiGate for SSO authentication, enabling users to access the FortiGate firewall using their Azure Active Directory credentials.

  • يجب تسجيل الدخول للرد على هذا الموضوع.
arArabic
en_USEnglish arArabic