website/integrations-all: convert authentik configuration to wizard (#13144)

* init

* 6 more

* tana...

* quick reformat

* welp only time for one change

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* Revert "wip"

This reverts commit e71f0d22e3f093350e8d12eaad5e5c0f9d38253c.

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* wip

* a
This commit is contained in:
Dominic R
2025-03-26 17:38:57 -04:00
committed by GitHub
parent 27aed4b315
commit 13fc216c68
93 changed files with 2248 additions and 2070 deletions


@ -4,64 +4,81 @@ sidebar_label: FortiGate SSLVPN
support_level: community
---
## FortiGate SSLVPN
## What is FortiGate SSLVPN
> FortiGate is a firewall from FortiNet. It is a NGFW with layer7 inspection and able to become a part of a FortiNet security fabric.
>
> -- https://www.fortinet.com/products/next-generation-firewall
>
> This guide explains how to setup a FortiGate to use authentik with a SAML provider for SSLVPN authentication. It does not cover how to setup SAML for admin logins, that is a different configuration. If you need to setup SAML for admin logins see the FortiGate admin guide.
>
> This guide has been created using the following software versions. Instructions may differ between versions.
>
> - Fortigate: 7.2.8
> - authentik: 2024.2.2
## Assumptions
- You know how to configure an SSLVPN in a FortiGate.
- You already have a certificate for signing and encryption uploaded to both authentik and the FortiGate.
- You already have a working SSLVPN (either portal or tunnel) and is just changing authentication from what you are using today to authentik SAML.
## Preparation
The following placeholders are used in this guide:
- `saml.sp.name` = The name that will be the SAML SP configuration in the FortiGate
- `fgt.cert` = Fortigate certificate for signing and encrypting
- `service.company` = This is the FQDN of the firewall, if your sslvpn portal is not on TCP port 443, then add the port like: fortigate.mydomain.tld:10233
- `authentik.company` = This is the FQDN of your authentik installation
- `app.slug.name` = The application slug that you decided upon
- `ak.cert` = The authentik remote certificate you have uploaded before starting the guide.
- `fgt.user.group` = This will be the name of the user group in your Fortigate that you will use in your SSLVPN portal mapping and Firewall rules
- `ak.user.group` = This is the user group name that you will use in authentik if you plan on limiting access to the sslvpn via groups.
- `authentik.company` is the FQDN of your authentik installation
- `fortigate.company` is the FQDN of your FortiGate firewall
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Prerequisites
- A working SSLVPN (portal or tunnel) configuration in FortiGate
- A certificate for signing and encryption uploaded to both authentik and FortiGate
- FortiGate version 7.2.8 or later
- authentik version 2024.2.2 or later
## authentik configuration
To support the integration of FortiGate SSLVPN with authentik, you need to create an application/provider pair and user group in authentik.
### Create a user group
1. Log in to authentik as an admin and navigate to the admin Interface.
2. Navigate to **Directory** > **Groups** and click **Create**.
3. Set a descriptive name for the group (e.g. "FortiGate SSLVPN Users").
4. Add the users who should have access to the SSLVPN.
5. Click **Save**.
### Create an application and provider in authentik
1. Log in to authentik as an admin and navigate to the admin Interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair.
- **Application**: provide a descriptive name (e.g. "FortiGate SSLVPN"), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Upload the metadata file from FortiGate (you will get this in the FortiGate configuration steps)
- Set the **ACS URL** to <kbd>https://<em>fortigate.company</em>/remote/saml/login</kbd>
- Set the **Audience** to <kbd>http://<em>fortigate.company</em>/remote/saml/metadata/</kbd>
- Select your signing certificate
- Under **Advanced Protocol Settings**:
- Set **Assertion valid not before** to <kbd>minutes=5</kbd>
- Set **Assertion valid not on or after** to <kbd>minutes=5</kbd>
- Set **Digest algorithm** to <kbd>sha256</kbd>
- Set **Signature algorithm** to <kbd>sha256</kbd>
- **Configure Bindings**: create a binding to the user group you created earlier to manage access to the SSLVPN.
3. Click **Submit** to save the new application and provider.
## FortiGate configuration
### Preparation
- Decide on an application name (slug) e.g. fgtsslvpn that you will use in authentik later.
### Setup SAML SP
1. SSH to the Fortigate (If you are using vdom change to the correct vdom).
2. Copy the config below to your preferred editor and change the placeholders to your settings, then paste it into the Fortigate.
> [!NOTE]
> Some are https and some are http, that is on purpose, and as described by FortiNet.
1. SSH to the FortiGate (If you are using vdom change to the correct vdom).
2. The configuration will be written to `/data/config/config.conf`. Copy and paste the following configuration, replacing the placeholders with your values:
```
config user saml
edit "saml.sp.name"
set cert "fgt.cert"
set entity-id "http://service.company/remote/saml/metadata/"
set single-sign-on-url "https://service.company/remote/saml/login"
set single-logout-url "https://service.company/remote/saml/logout"
edit "authentik-sso"
set cert "your-fortigate-cert"
set entity-id "http://fortigate.company/remote/saml/metadata/"
set single-sign-on-url "https://fortigate.company/remote/saml/login"
set single-logout-url "https://fortigate.company/remote/saml/logout"
set idp-entity-id "https://authentik.company"
set idp-single-sign-on-url "https://authentik.company/application/saml/app.slug.name/sso/binding/redirect/"
set idp-single-logout-url "https://authentik.company/application/saml/app.slug.name/slo/binding/redirect/"
set idp-cert "ak.cert"
set idp-single-sign-on-url "https://authentik.company/application/saml/fortigate-sslvpn/sso/binding/redirect/"
set idp-single-logout-url "https://authentik.company/application/saml/fortigate-sslvpn/slo/binding/redirect/"
set idp-cert "your-authentik-cert"
set user-name "http://schemas.goauthentik.io/2021/02/saml/username"
set group-name "http://schemas.xmlsoap.org/claims/Group"
set digest-method sha256
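Review bot: the reason for the mixed URL schemes in the `config user saml` block is dropped from this hunk while the values still mix them: `set entity-id "http://fortigate.company/remote/saml/metadata/"` stays http and `set single-sign-on-url "https://fortigate.company/remote/saml/login"` stays https (and the ACS URL / Audience lines in the authentik provider steps mirror that), but the removed `> Some are https and some are http, that is on purpose, and as described by FortiNet.` note has no equivalent in the new `:::note` style. A reader who "corrects" the scheme ends up with an Audience that does not match the SP entity ID, so keep a one-line note beside the config block. Two smaller points in the same hunk: the new step 2 says the configuration "will be written to `/data/config/config.conf`", which the previous text did not claim and nothing else on the page supports (the steps simply paste CLI into an SSH session), so either cite where that comes from or drop it; and the authentik section now comes before the FortiGate section while its step "Upload the metadata file from FortiGate (you will get this in the FortiGate configuration steps)" depends on output from the later section, so either reorder the sections or state explicitly that the provider is created after the FortiGate SP is configured. Also, "FortiGate version 7.2.8 or later" turns the old "created using ... 7.2.8, instructions may differ between versions" into a minimum-version requirement that the page does not back up.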
@ -69,174 +86,59 @@ config user saml
end
```
### Add the SAML single sign-on to a user group
### Add SAML SSO to a user group
This will limit who can login via authentik SAML. It will match on `ak.user.group` which is the group you will set up in authentik later, and only allow users of that group to login. In essence it provides the same functionality as returning a user-group via Radius, and matching on the user group.
Configure the FortiGate user group:
```
config user group
edit "fgt.user.group"
set member "saml.sp.name"
edit "sslvpn-users"
set member "authentik-sso"
config match
edit 1
set server-name "saml.sp.name"
set group-name "ak.user.group"
set server-name "authentik-sso"
set group-name "FortiGate SSLVPN Users"
next
end
next
end
```
> [!IMPORTANT]
> If you created a new firewall group, instead of using an existing sslvpn firewall group, then remember to map it to a portal in the 'SSL-VPN Settings' page, and add the `fgt.user.group` to firewall rules, or you will be redirected back to authentik with a logout immediately upon each login attempt.
:::info
Remember to map the user group to a portal in the 'SSL-VPN Settings' page and add it to firewall rules, or users will be redirected back to authentik with a logout immediately upon each login attempt.
:::
Next get the metadata from the FortiGate to help us with the SAML configuration in authentik. Copy all the output from the command below and save it in a xml file named `fgt-metadata.xml`. You will upload that to authentik later, to facilitate auto-configuration.
### Download SAML metadata
```
diag vpn ssl saml-metadata saml.sp.name
```
1. Navigate to your FortiGate web interface at <kbd>https://<em>fortigate.company</em></kbd>
2. Go to **User & Authentication** > **SAML** > **Single Sign-On Server**
3. Click on the "authentik-sso" server you created
4. Click **Download** to get the SAML metadata file
5. Return to authentik and upload this metadata file in the provider configuration
## authentik setup
## Configuration verification
It's time to log in to authentik and set up the provider and application.
To verify the integration:
## Provider section
1. Navigate to your FortiGate SSLVPN portal at <kbd>https://<em>fortigate.company</em></kbd>
2. You should be redirected to authentik to authenticate
3. After successful authentication, you should be redirected back to the FortiGate SSLVPN portal
4. Verify that you can establish a VPN connection
Let's set up the provider using the SAML metadata from the FortiGate.
:::info
If you encounter any issues:
### Setup the provider using metadata
- Check that the user group bindings are correctly configured in both authentik and FortiGate
- Verify the SAML metadata and certificates are correctly uploaded
- Enable debug logging in FortiGate:
```
diagnose debug enable
diag debug application samld -1
```
- Check the FortiGate logs for SAML-related errors
:::
- Go to **Applications -> Providers**.
- Click **Create**.
- Select **SAML Provider from Metadata** at the bottom.
- Name: Name it something appropriate e.g. FGT SSL SAML Provider
- Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)
- Metadata: upload the fgt-metadata.xml you created previously
- Click **Finish**.
## Additional Resources
### Validate and change settings for provider
- Click the Edit icon to the right of the provider you just created, under the **Actions** column..
- Authentication flow = default-authentication-flow (Welcome to authentik!)
- ACS URL = https://service.company/remote/saml/login
- Issuer = https://authentik.company
- Service Provider Binding = POST
- Audience = http://service.company/remote/saml/metadata/
- Signing certificate = ak.cert
- Verification Certificate = Should already be filled with the certificate from the metadata you uploaded.
- Property mapping:
- authentik default SAML Mapping: Username
- authentik default SAML Mapping: Groups
- Named Property Mapping: Empty (------)
- Assertion valid not before = minutes=5
- Assertion valid not on or after = minutes=5
- Session valid not on or after = (Set how long you want the user's session to be valid)
- Default relay state = empty
- Digest algorithm = sha256
- Signature algorithm = sha256
## Application section
Lets create the application and link it to the provider.
### Create user group
This is the user group that you matched on in the FortiGate "firewall group" above.
- Go to **Directory -> Groups**.
- Click **Create**.
- Name = `ak.user.group`.
- Open ak.user.group and add the users whom should have access to the sslvpn.
- Save the group.
### Create the application
> [!NOTE]
> The Launch URL = blank://blank will prevent authentik from displaying it on the user's login page in authentik.
- Go to **Applications -> Applications**.
- Name = Whatever you fancy e.g. FGT-SSLVPN
- Slug = app.slug.name
- Group = empty (------)
- Provider = The provider you created before e.g. "FGT SSL SAML Provider"
- Backchannel Provider = empty (-----)
- Policy engine mode = any
- Launch URL = blank://blank
- Open in new tab = disabled
- icon = None
- Publisher = None
- Description = None
- Click **Save**.
### Limiting the access based on authentik group
- Open the application again
- Click on "Policy / Group / User Binding"
- Click **Bind existing policy**.
- Click on **Group** in the tabs at the top.
- In the **Group** drop-down menu, select `ak.user.group`.
- Make sure that **Enabled** is chosen.
- Order = 10
- Timeout = 30
- Failure result = Don't pass
- Click **Create**.
You should now be able to log in by selecting SSO login either on the portal or in FortiClient, depending on your portal configuration.
> [!NOTE]
> If you are using FortiClient remember to set the sslvpn profile to use single sign-on either creating a manual profile or editing the profile in your EMS.
## Troubleshooting
These are just suggestions of what **could** be the cause of an issue and how to enable debug on the FortiGate.
> [!CAUTION]
> Debugging can generate heavy load on a FortiGate firewall, so make sure your firewall is not already struggling with performance before you enable debugging, and remember to disabled it again when you are done.
>
> You can disable the debug with these commands.
> `diag debug disable` > `diag debug reset`
### Enabling debug output
Before you can see any output you need to enable the debug mode.
`diagnose debug enable`
### Debug saml daemon
This will provide all possible output from the SAML daemon.
`diag debug application samld -1`
### Debug sslvpn (optional)
This will provide insight into what happens when you use FortiClient, usually combined with `salmd debug`.
`diag debug application sslvpn -1`
### Debug https daemon (optional)
This can be used to see what calls are made when using the SSLVPN portal. Note this will also catch any admins working on the firewall and can get a bit messy.\
`diag debug application httpsd -1`
### Enable debug timestamps (optional)
Provides timestamp on the debug output lines\
`diagnose debug console timestamp enable`
### Error: Assertion failed with url
This could be caused by a time difference between SP and IDP
### Error: Assertion failed with 'coin'
You have not set the audience in the SAML provider settings
### Error: Redirection loop
This could be caused by the `fgt.user.group` not being added to any firewall rules.
### Error: Redirected to logout page on authentik when logging in
User group `fgt.user.group` is not mapped to any portals ( Fortigate settings page 'SSL-VPN Settings'), and your default catch all does not allow access to either portal or tunnel.
### Error: authentik page shows "missing post data"
An error message about missing data is displayed by authentik. This error means you have used the wrong `idp-single-sign-on-url` and most likely the wrong `idp-single-logout-url` in the FortiGate SAML SP configuration. These should be the redirect URLs from authentik's provider configuration and not the post URLs.
- [FortiGate SSLVPN Documentation](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/397719/ssl-vpn)
- [FortiGate SAML Configuration Guide](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/954635/saml-sp)
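Review bot: the new troubleshooting `:::info` block enables debugging with `diagnose debug enable` and `diag debug application samld -1` but drops both the removed caution and the way to turn it off again (`diag debug disable`, `diag debug reset`); since the removed text warns that debug output can generate heavy load on the firewall, put the disable commands right next to the enable commands. The removed error-to-cause list is also gone without an equivalent (assertion failed with 'coin' = audience not set in the provider; "missing post data" = the POST instead of redirect binding URLs used in `idp-single-sign-on-url` / `idp-single-logout-url`; redirection loop = the user group not added to any firewall rule), so either keep it as a short list under the `:::info` block or link to wherever it moved. Finally, `set group-name "FortiGate SSLVPN Users"` in the `config user group` match must equal the exact name of the authentik group created in the "Create a user group" step; say so explicitly, because the old `ak.user.group` placeholder made that link visible and a mismatch silently denies access.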