Assumptions

• FQDN Record is published for RAVPN

• Public Certificate is being use for the Fortigate

• Users are in Azure AD with a 2 way sync or they are 100% in Azure

• Proper RAVPN groups are created to limit remote access

• Proper Conditional Access Polices are setup to require MFA for the RAVPN

• Fortigate SSL-VPN Portal and Settings are built out

1. Login to Portal.office.com

2. Navigate to the Admin Portal

3. Navigate to Identity > Enterprise Applications

4. Add + a new Applications

   1. Search for Fortigate

      1. Select  Fortigate SSL VPN 

      2. Give the name enterprise application a name (Name isn't applicatble, but would be seen by users if you publish the apps in the portal, not recommended)

5. Assign groups allowed to connect under Users & Groups

6. Setup Signal Sign On for user authentication

1. 
   

2. Enter a Entity ID (include Port number if not 443)

   1. Example : https://*.FORTIGATE-FQDN.com/remote/saml/metadata

   2. Example : https://vpn.aomit.com/remote/saml/metadata

3. Enter a Reply URL (include Port number if not 443)

   1. Example : https://<FORTIGATE-FQDN>/remote/saml/login

   2. Example :  https://vpn.aomit.com/remote/saml/login

   3. Example :  https://vpn.aomit.com:9443/remote/saml/login

4. Enter a Sign on URL (include Port number if not 443)

   1.  https://<FORTIGATE-FQDN>/remote/saml/login

   2.  https://vpn.aomit.com/remote/saml/login

   3.  https://vpn.aomit.com:9443/remote/saml/login

1. Save the configuration and download the Federation MedaData XML and the Base64 certificate

1. Import the Base64 Certificate on to the Fortigate FW

   1. System > Certficates

      1. Import a Remote Certificate > Upload the Base64 certificate

   2. Create the SAML Authentication Server 

Example
Fill in the missing variable

config user saml 

edit <saml-profile-name>

    set cert <FortiGate Public Certificate Name>

    set entity-id < Identifier (Entity ID)Entity ID>

    set single-sign-on-url < Reply URL Reply URL> 

    set single-logout-url <Logout URL>

        set idp-entity-id <Azure AD Identifier> 

        set idp-single-sign-on-url <Azure Login URL> 

        set idp-single-logout-url <Azure Logout URL>

    set idp-cert <Base64 SAML Certificate Name>

    set user-name username set group-name group 

next

end

Example Configuration 

config user saml

  edit AOMIT-AZURE-SAML

    set cert "vpn-aomit" (### NOTE THIS IS THE NAME OF YOUR WEB CERTIFICATE)

    set entity-id https://vpn.aomit.com/remote/saml/metadata

    set single-sign-on-url https://vpn.aomit.com/remote/saml/login

    set single-logout-url https://vpn.aomit.com/remote/saml/logout

    set idp-entity-id https://sts.windows.net/xxxxxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/

    set idp-single-sign-on-url https://login.microsoftonline.com/xxxxxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2

    set idp-single-logout-url https://login.microsoftonline.com/xxxxxxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2

    set idp-cert "REMOTE_Cert_2"  (### NOTE THIS IS THE NAME OF THE IMPORT MICROSOFT BASE64 CERTIFICATE)

    set user-name username

    set group-name group

  next

end

1. 3. Greate a Group Profile

      1. User & Groups > User Groups > Create Profile 

      2. Give it a name "AOMIT-AZURE-SAML"

         1. Select a Remote Groups Add+ AOMIT-AZURE-SAML (This will be the name of the SAML Authentication server we setup in the CLI)