Integration Guide for Fortinet (SSL VPN)


Introduction

Fortinet's SSL VPN capability allows remote workers and contractors to communicate securely with corporate resources. This guide shows how to integrate Beyond Identity's phishing-resistant MFA with FortiGate/FortiClient VPN to ensure that:

  • Only authorized remote workers and contractors are given access to corporate resources from managed or unmanaged devices.

  • Users are connecting to VPN on devices that adhere to security compliance.

Beyond Identity uses SAML to authenticate users who connect to FortiGate servers through FortiClient or a web browser.


Prerequisites

Licensing Requirements

  • FortiGate build version 7.2.3

  • FortiClient VPN version 7.0.7

  • Beyond Identity Secure Workforce

    • User with a minimum role of ‘Integrations Administrator’ for adding and configuring integrations

Other Requirements

To use Beyond Identity on remote workers' devices, you will need:

  • Beyond Identity Authenticator and passkeys (credentials) installed on the remote workers' and contractors' devices

Configure SAML integration in the Beyond Identity Admin console

  1. Log in to the Beyond Identity Admin console and select Integrations > SAML tab.

  2. Click Add SAML Connection.
    [Screenshot: add SAML.png]

  3. Enter the following information in the dialog.

    Name
      Enter a name for this connection, such as Fortinet.

    SP Single Sign-on URL
      The location where the SAML Response is sent via HTTP-POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL:
      https://<Fortigate FQDN:custom port>/remote/saml/login

    SP Audience URI
      The intended audience of the SAML assertion. This is often referred to as the SP Entity ID:
      https://<Fortigate FQDN:custom port>/remote/saml/metadata

    Name ID format
      Select emailAddress from the drop-down list.
      This is the Name ID format of the assertion's subject statement. Processing rules and constraints can be applied based on the selection.

    Subject User Attribute
      Select UserName from the drop-down list.
      This is the Beyond Identity attribute that is sent in the assertion's subject statement.

    Attribute Statements (optional)
      Click + Add twice and set the following:

      • Name - username
        • Name format - unspecified
        • Value - {{UserName}}

      • Name - group
        • Name format - unspecified
        • Value - a custom string that matches the group name created on FortiGate.

  4. Click Save Changes.

  5. Hover over the right side of the integration row you just created and click the Download Certificate icon to download the IDP certificate.
    [Screenshot: download cert.png]

Complete the integration on FortiGate

Upload the IdP certificate

  1. Navigate to System > Certificates > Create/Import > Remote Certificates.

  2. Upload the certificate you previously downloaded from the Beyond Identity Admin console.

Configure the SAML settings

  1. Open the CLI console.

  2. Modify the information below to update the SAML settings based on your configuration. The values in parentheses in the original guide are shown here as # comments above the line they describe.

config user saml
    # Use your own name for the connection
    edit BeyondIdentity
        # Name of the FortiGate local certificate used for the SSL connection
        set cert BYNDID
        # SP metadata URL from FortiGate
        set entity-id https://fortigate.azure-hybrid.org/remote/saml/metadata
        # SP SSO URL from FortiGate
        set single-sign-on-url https://fortigate.azure-hybrid.org/remote/saml/login
        # SP logout URL from FortiGate
        set single-logout-url https://fortigate.azure-hybrid.org/remote/saml/logout
        # IdP issuer URL
        set idp-entity-id https://auth.byndid.com/saml/v0/968f64a4-eb52-4f95-b654-adf5ee3fe060/sso/metadata.xml
        # IdP SSO URL
        set idp-single-sign-on-url https://auth.byndid.com/saml/v0/968f64a4-eb52-4f95-b654-adf5ee3fe060/sso
        # IdP single logout URL (the guide points this at the IdP SSO URL)
        set idp-single-logout-url https://auth.byndid.com/saml/v0/968f64a4-eb52-4f95-b654-adf5ee3fe060/sso
        # Name given to the IdP certificate when it was imported as a remote certificate
        set idp-cert REMOTE_Cert_2
        # Attribute statement names configured in the Beyond Identity Admin console
        set user-name username
        set group-name group
    next
end
config user group
    edit FortiGateAccess
        set member BeyondIdentity
        config match
            edit 1
                set server-name BeyondIdentity
            next
        end
    next
end

Beyond Identity should now work for users when connecting using FortiClient.
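The attribute statements from step 3 of the Admin console section and the user-name, group-name, entity-id and single-sign-on-url values in the CLI block above must agree, or FortiGate will reject or mis-map the login. The following Python check is an added example, not part of this guide or of either vendor's software: it parses a constructed, unsigned sample SAML Response and reports every field that does not match the FortiGate settings; the user alice@example.com and the group value FortiGateAccess are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# FortiGate side of the integration, copied from the CLI block in the guide.
# group_value is an assumption: the custom string set in the "group" attribute statement.
FORTIGATE = {"entity_id": "https://fortigate.azure-hybrid.org/remote/saml/metadata",
             "sso_url": "https://fortigate.azure-hybrid.org/remote/saml/login",
             "user_attr": "username", "group_attr": "group",
             "group_value": "FortiGateAccess"}

def attributes(assertion):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

def check_assertion(xml_text, cfg):
    """Return the mismatches between a SAML Response and the FortiGate settings."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    problems = []
    if resp.get("Destination") != cfg["sso_url"]:          # must equal single-sign-on-url
        problems.append("Destination does not match single-sign-on-url")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != cfg["entity_id"]:                        # must equal entity-id
        problems.append("Audience does not match entity-id")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not emailAddress")
    attrs = attributes(assertion)
    if not attrs.get(cfg["user_attr"]):                     # user-name attribute
        problems.append("missing user-name attribute '%s'" % cfg["user_attr"])
    if cfg["group_value"] not in attrs.get(cfg["group_attr"], []):  # group-name attribute
        problems.append("group attribute '%s' lacks '%s'" % (cfg["group_attr"], cfg["group_value"]))
    return problems

# Constructed, unsigned sample response; signature validation is FortiGate's job.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://fortigate.azure-hybrid.org/remote/saml/login">
  <saml:Assertion><saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://fortigate.azure-hybrid.org/remote/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>FortiGateAccess</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Call check_assertion(SAMPLE, FORTIGATE); an empty list means the assertion fits the FortiGate configuration, and a SAMLResponse captured from a failing login (base64-decoded) can be passed in the same way.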

FortiClient user experience

Once configured, the user experience for remote workers and contractors will be similar to the following.

Example macOS with a direct connection to Beyond Identity

[Animation: macOS direct conn.gif]

Example macOS with connection to Microsoft Azure federating to Beyond Identity

[Animation: macOS Azure.gif]

Example Windows with direct connection to Beyond Identity

[Animation: windows direct conn.gif]

Example Windows with connection to Microsoft Azure federating to Beyond Identity

[Animation: windows azure.gif]