Fortinet's SSL VPN capability allows remote workers and contractors to securely communicate with corporate resources. This guide shows how to integrate Beyond Identity’s secure phishing-resistant MFA with FortiGate/FortiClient VPN to ensure that:
- Only authorized remote workers and contractors are given access to corporate resources from managed or unmanaged devices.
- Users are connecting to VPN on devices that adhere to security compliance.
Beyond Identity uses SAML to authenticate users who connect to the FortiGate SSL VPN with either FortiClient or a web browser.
This guide covers:
- Configure SAML integration in the Beyond Identity Admin console
- Complete the integration on FortiGate
- FortiClient user experience
Prerequisites (versions used in this guide):
- FortiGate build version 7.2.3
- FortiClient VPN version 7.0.7
- Beyond Identity Secure Workforce
- A user with a minimum role of ‘Integrations Administrator’ for adding and configuring integrations
To use Beyond Identity on remote workers' devices, you will need:
- The Beyond Identity Authenticator and passkeys (credentials) installed on the remote workers' and contractors' devices
Configure SAML integration in the Beyond Identity Admin console
- Click Save Changes.
- Hover over the right side of the integration row you just created and click the Download Certificate icon to download the IdP certificate.
Complete the integration on FortiGate
Upload the IdP certificate
1. Navigate to System > Certificates > Create/Import > Remote Certificate.
2. Upload the certificate you previously downloaded from the Beyond Identity Admin console. Note the name FortiGate assigns to it (for example REMOTE_Cert_2); you reference that name as idp-cert in the next step.
Configure the SAML settings
1. Open the CLI console.
2. Modify the information below to update the SAML settings based on your configuration. The lines starting with # explain each value; the host names, tenant URL and certificate names shown are this guide's example values.

config user saml
    # Use a custom name for the connection; the user group below refers to it
    edit BeyondIdentity
        # Name of the FortiGate local certificate used for the SSL connection
        set cert BYNDID
        # SP metadata URL from FortiGate
        set entity-id https://fortigate.azure-hybrid.org/remote/saml/metadata
        # SP SSO URL from FortiGate
        set single-sign-on-url https://fortigate.azure-hybrid.org/remote/saml/login
        # SP logout URL from FortiGate
        set single-logout-url https://fortigate.azure-hybrid.org/remote/saml/logout
        # IdP issuer URL
        set idp-entity-id https://auth.byndid.com/saml/v0/968f64a4-eb52-4f95-b654-adf5ee3fe060/sso/metadata.xml
        # IdP SSO URL
        set idp-single-sign-on-url https://auth.byndid.com/saml/v0/968f64a4-eb52-4f95-b654-adf5ee3fe060/sso
        # IdP single logout URL (this guide uses the same endpoint as the IdP SSO URL)
        set idp-single-logout-url https://auth.byndid.com/saml/v0/968f64a4-eb52-4f95-b654-adf5ee3fe060/sso
        # Name FortiGate gave the IdP certificate you uploaded as a Remote Certificate
        set idp-cert REMOTE_Cert_2
        # SAML assertion attributes that carry the user name and the group
        set user-name username
        set group-name group
    next
end

config user group
    # Choose a group name; this is the group your SSL VPN settings and firewall policy reference
    edit BeyondIdentity-SAML
        set member BeyondIdentity
        set server-name BeyondIdentity
    next
end
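As an added example (not from the original guide, and not code from Beyond Identity or Fortinet), the following Python script builds the config user saml block above from the IdP's SAML metadata document instead of hand-copying URLs, and prints the SHA-256 fingerprint of the signing certificate embedded in that metadata so you can confirm that the Remote Certificate you uploaded is the one the IdP actually signs with. The metadata, tenant ID, certificate bytes and host names in it are constructed placeholders; the FortiGate SP paths (/remote/saml/metadata, /login, /logout) follow the pattern shown in this guide, and the script refuses SP metadata or metadata without a signing certificate, which are the two copy/paste mistakes that most often leave the VPN rejecting every assertion.

```python
"""Generate the FortiOS `config user saml` block from IdP SAML metadata.

Added example, not part of the original guide or of Beyond Identity's or
Fortinet's tooling. All sample values below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder bytes, not a real X.509 certificate.
SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_TENANT = "00000000-0000-4000-8000-000000000000"  # hypothetical tenant ID
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://auth.byndid.com/saml/v0/{SAMPLE_TENANT}/sso/metadata.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://auth.byndid.com/saml/v0/{SAMPLE_TENANT}/sso"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://auth.byndid.com/saml/v0/{SAMPLE_TENANT}/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _location(descriptor, tag):
    """Location of a service element, preferring the HTTP-Redirect binding."""
    services = descriptor.findall(f"md:{tag}", NS)
    if not services:
        return None
    for svc in services:
        if svc.get("Binding") == REDIRECT:
            return svc.get("Location")
    return services[0].get("Location")


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO/SLO URLs and the signing certificate (DER bytes)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata (e.g. FortiGate's own /remote/saml/metadata) lands here.
        raise ValueError("metadata has no IDPSSODescriptor; this is not IdP metadata")
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert_el = idp.find(cert_path, NS)
    if cert_el is None:  # some IdPs omit use="signing"; accept an untyped key
        cert_el = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        # Without the IdP certificate FortiGate cannot verify any assertion.
        raise ValueError("no X509Certificate in IdP metadata")
    sso = _location(idp, "SingleSignOnService")
    if sso is None:
        raise ValueError("no SingleSignOnService in IdP metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso,
        "slo_url": _location(idp, "SingleLogoutService"),
        "cert_der": base64.b64decode("".join(cert_el.text.split())),
    }


def cert_fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def render_fortios_saml(name, sp_host, local_cert, idp, idp_cert_name,
                        user_attr="username", group_attr="group"):
    """Emit the `config user saml` block with the SP URLs derived from sp_host."""
    lines = [
        "config user saml",
        f"    edit {name}",
        f"        set cert {local_cert}",
        f"        set entity-id https://{sp_host}/remote/saml/metadata",
        f"        set single-sign-on-url https://{sp_host}/remote/saml/login",
        f"        set single-logout-url https://{sp_host}/remote/saml/logout",
        f"        set idp-entity-id {idp['entity_id']}",
        f"        set idp-single-sign-on-url {idp['sso_url']}",
    ]
    if idp["slo_url"]:  # optional: only emit SLO when the IdP advertises one
        lines.append(f"        set idp-single-logout-url {idp['slo_url']}")
    lines += [
        f"        set idp-cert {idp_cert_name}",
        f"        set user-name {user_attr}",
        f"        set group-name {group_attr}",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("# IdP signing cert SHA-256 (compare with the certificate you uploaded as a Remote Certificate):")
    print("#", cert_fingerprint(idp["cert_der"]))
    print(render_fortios_saml("BeyondIdentity", "fortigate.azure-hybrid.org", "BYNDID", idp, "REMOTE_Cert_2"))
```

To use it against a real tenant, replace SAMPLE_IDP_METADATA with the metadata.xml the Beyond Identity Admin console provides for the integration, run the script, and compare the printed fingerprint with openssl x509 -in <downloaded certificate> -noout -fingerprint -sha256 before pasting the generated block into the CLI console. A mismatch means the Remote Certificate on the FortiGate is not the key the IdP signs assertions with, and every login will fail signature validation.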
Beyond Identity should now work for users when connecting with FortiClient or a web browser, once the user group above is referenced by the SSL VPN settings (authentication rule) and by a firewall policy, as for any SSL VPN user group.
FortiClient user experience
Once configured, the user experience for remote workers and contractors will be similar to the following examples:
- macOS with a direct connection to Beyond Identity
- macOS with a connection to Microsoft Azure federating to Beyond Identity
- Windows with a direct connection to Beyond Identity