# FortiGate 100F Cluster – IPsec VPN with Entra ID (SSO via SAML)

## 🧩 Overview

Users connect over IPsec VPN to the FortiGate cluster with their Entra ID account. The FortiGate trusts Entra ID as the *SAML Identity Provider (IdP)*. The FortiClient VPN app uses SAML authentication and receives the sign-in URL dynamically.

---

## 1️⃣ Entra ID – App registration

1. Sign in at [https://entra.microsoft.com](https://entra.microsoft.com)
2. Go to **Applications > App registrations > New registration**
   - **Name:** `FortiGate VPN SSO`
   - **Supported account types:** Single tenant
   - **Redirect URI (Web):**
     ```
     https://:443/saml/sp/acs
     ```
3. Click **Register**

### 1.1 SAML settings

1. Open the new app → **Single sign-on** → choose **SAML**
2. Under **Basic SAML Configuration:**
   - **Identifier (Entity ID):** `https:///saml/sp`
   - **Reply URL (ACS URL):** `https://:443/saml/sp/acs`
   - **Sign on URL:** `https://`
3. **User Attributes & Claims:** leave at the default (`user.userprincipalname`)
4. **SAML Signing Certificate:** download the **Federation Metadata XML**

### 1.2 Access & users

Under **Enterprise Applications > Users and groups**, add the group(s) or user(s) that are allowed to sign in.

---

## 2️⃣ FortiGate – Configure the SAML IdP

Upload the metadata file and create the IdP entry:

```bash
config user saml
    edit "entra-sso"
        set cert "Fortinet_Factory"
        set entity-id "https:///saml/sp"
        set single-sign-on-url "https://:443/saml/sp/acs"
        set idp-entity-id "https://sts.windows.net//"
        set idp-single-sign-on-url "https://login.microsoftonline.com//saml2"
        set idp-cert "azuread-sso.crt"
        set user-name "userprincipalname"
    next
end
```

💡 Import **azuread-sso.crt** under *System → Certificates → Import → Remote CA Certificate* (taken from the Entra ID Federation Metadata XML).
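As an added helper that is not part of this procedure or of Fortinet's or Microsoft's tooling: the script below reads the Federation Metadata XML downloaded in step 1.1, extracts the IdP entity ID, the sign-in URL and the assertion-signing certificate (written out as PEM for the Remote CA import), and renders the `config user saml` block above from them. The metadata sample, the `vpn.example.com` FQDN and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Entra ID's Federation Metadata XML; the tenant ID
# and certificate body are placeholders, not real tenant data.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>TUlJQy1QTEFDRUhPTERFUi1OT1QtQS1SRUFMLUNFUlQ=</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return (idp_entity_id, idp_sso_url, signing_cert_pem) from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    # Take only the key marked use="signing": that is the cert FortiGate validates assertions with.
    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    # Entra publishes the same Location for the Redirect and POST bindings; take Redirect.
    sso = idp.find("md:SingleSignOnService[@Binding='%s']" % REDIRECT, NS)
    if cert is None or sso is None:
        raise ValueError("metadata lacks a signing certificate or HTTP-Redirect SSO endpoint")
    b64 = "".join(cert.text.split())  # the base64 may be wrapped over several lines
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))
    return root.get("entityID"), sso.get("Location"), pem

def fortigate_saml_config(name, sp_fqdn, idp_entity_id, idp_sso_url, idp_cert_name):
    """Render the 'config user saml' block; sp_fqdn must match the Identifier/Reply URL host in Entra."""
    lines = ["config user saml", '    edit "%s"' % name,
             '        set cert "Fortinet_Factory"',
             '        set entity-id "https://%s/saml/sp"' % sp_fqdn,
             '        set single-sign-on-url "https://%s:443/saml/sp/acs"' % sp_fqdn,
             '        set idp-entity-id "%s"' % idp_entity_id,
             '        set idp-single-sign-on-url "%s"' % idp_sso_url,
             '        set idp-cert "%s"' % idp_cert_name,
             '        set user-name "userprincipalname"', "    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    entity, sso, pem = parse_idp_metadata(SAMPLE_METADATA)  # pem goes into azuread-sso.crt
    print(fortigate_saml_config("entra-sso", "vpn.example.com", entity, sso, "azuread-sso.crt"))
```

A metadata file whose key is marked `use="encryption"` only, or that lacks the HTTP-Redirect endpoint, is rejected rather than producing a config that fails at assertion validation.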
Verify with:

```bash
show user saml
```

---

## 3️⃣ Create the IPsec tunnel (Phase 1 + 2)

**GUI → VPN → IPsec Tunnels → Create New → Custom.**

### Phase 1

| Setting | Value |
|-------------|---------|
| **Name** | vpn-entra |
| **Remote Gateway** | Dynamic IP Address |
| **Interface** | WAN1 |
| **Authentication Method** | SAML User |
| **SAML Server** | entra-sso |
| **Mode** | Aggressive |
| **IKE Version** | v2 |
| **Proposal** | AES256/SHA256/DH14 |
| **DPD/Keepalive** | default |

### Phase 2

| Setting | Value |
|-------------|---------|
| **Name** | vpn-entra-p2 |
| **Phase1 Interface** | vpn-entra |
| **Local Address** | 0.0.0.0/0 |
| **Remote Address** | 0.0.0.0/0 |
| **Proposal** | AES256/SHA256 |

---

## 4️⃣ Link the firewall user group

```bash
config user group
    edit "vpn-entra-group"
        set member "entra-sso"
    next
end
```

---

## 5️⃣ Policy for VPN traffic

```bash
config firewall policy
    edit 0
        set name "VPN_to_LAN"
        set srcintf "vpn-entra"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule always
        set service ALL
        set nat enable
        set groups "vpn-entra-group"
    next
end
```

---

## 6️⃣ Configure FortiClient VPN

FortiClient (VPN-only version 7.4+) → **Remote Access → IPsec VPN → Add New**

| Field | Value |
|------|---------|
| **Connection Name** | FortiGate SSO VPN |
| **VPN Type** | IPsec |
| **Remote Gateway** | `https://` |
| **Authentication** | SSO with SAML |
| **Username/Password** | Leave empty |
| **Group Name (ID)** | vpn-entra (optional) |

Test → you are redirected to Microsoft login.microsoftonline.com.

---

## 7️⃣ Test & troubleshoot

- Check the sign-in URL: `https://:443/saml/sp/test`
- FortiGate CLI debug:
  ```bash
  diagnose debug enable
  diagnose debug application ike -1
  ```
- Check that the SAML assertion is received after login.

---

## ✅ Result

After successful Entra ID authentication the user gets an IPsec tunnel with policy-based access.
Access rights are adjusted in Entra ID through group membership.

---

© 2025 Screen GP Europe – ICT Dept. Document version: 1.0 – Author: Marco Voskuil