
Fortinet SSL VPN SAML application setup

Follow these instructions to set up the Fortinet SSL VPN SSO application in HelloID.

Tip

For more information about managing applications, see Applications.

Requirements
  • Fortinet SSL VPN environment

Step 1: Add a certificate
  1. Go to Settings > Certificates.

  2. Click Create Self-Signed Certificate.

  3. Set the following fields:

    1. Name Of Certificate: FortinetSelfSigned

    2. Common Name (Domain): <yourcustomerid>.helloid.com

    3. All other fields: set according to your organization's requirements.

  4. Click Save.

Step 2: Add the application
  1. Go to Applications > Applications.

  2. Click Open Application Catalog.

  3. Search for the Fortinet SSL VPN template, and click Add.

Step 3: Application setup

Tip

For details on all available fields, see the Application settings reference.

  1. On the General tab, set the following fields:

    Default Login URL

    <your Fortinet SSL VPN domain>

  2. Click Next.

  3. On the Single Sign On tab, set the following fields:

    Issuer

    <your Fortinet SSL domain>

    Certificate

    Select the self-signed certificate you previously created.

    Endpoint/ACS URL

    <your Fortinet SSL domain>

    Extra Audience

    <your Fortinet SSL domain>

  4. Click Next.

  5. Optional: On the Self Service tab, choose whether to generate a product (see Products) for users to request this application. If you do, select the Group that will be linked to the product.

  6. Click Next.

  7. On the Finish tab, click Save.

  8. Optional: If necessary, customize a mapping set for the Fortinet application.
Step 4: Post-setup configuration
HelloID side
  1. For the certificate you created earlier, Export a certificate in base64 format.

  2. Get the application's metadata.

    1. Go to Applications > Applications and click Edit for this application.

    2. Right-click Download Metadata, click Copy Link Address, and save the metadata from that link to a local file on your machine.

      Example 1. SAML Metadata

      https://enyoi.helloid.com/metadata/download?ApplicationGUID=c277185a-cd1f-451c-8068-c751ed85a028



SP side
Upload the Base64 SAML Certificate
  1. Sign in to the management portal of your FortiGate appliance.

  2. In the left pane, select System.

  3. Under System, select Certificates.

  4. Select Import > Remote Certificate.

  5. Browse to the base64 certificate you exported from HelloID earlier, select it, and then select OK.

Configure the FortiGate appliance by command line

Note

From FortiOS 7.0 onward, the same configuration is also available in the GUI.

  1. Edit the following configuration, replacing the placeholders:

    config user saml
        edit HelloID
            set cert {certificate}
            set entity-id https://{custom}/remote/saml/metadata
            set single-sign-on-url https://{custom}/remote/saml/login
            set idp-entity-id https://{custom}/remote/saml/metadata
            set idp-single-sign-on-url https://{relayserviceurl}
            set idp-cert {certificate}
            set user-name username
            set group-name group
        next
    end

    • Replace {certificate} in set idp-cert with the name of the remote certificate imported earlier. Note that set cert takes the FortiGate's own local certificate, which it uses to sign its SAML messages, not the imported HelloID certificate.

    • Replace {custom} in entity-id, single-sign-on-url and idp-entity-id with your own FortiGate URL.

    • Replace {relayserviceurl} with the HTTP-POST endpoint shown in the metadata file downloaded from HelloID.

  2. After replacing the placeholders, run the script in the FortiGate CLI.

  3. Configure the permission group(s). HelloID sends every group the user is a member of in the claim set. On the FortiGate side, permissions are configured on one or more groups; a user who is a member of such a group receives that group's permissions.

  4. Edit the following script, replacing {groupname} with the name of the group that contains all users who should be able to log in to Fortinet SSL VPN. The member and server-name values refer to the HelloID SAML server defined in the previous script.

    config user group
        edit FortiGateAccess
            set member HelloID
            config match
                edit 1
                    set server-name HelloID
                    set group-name {groupname}
                next
            end
        next
    end

  5. Run the script in the CLI to apply the permission setup.
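Filling in the {relayserviceurl} placeholder by hand from the downloaded metadata is error-prone, so here is an added Python example (not HelloID or Fortinet code) that reads the HTTP-POST SingleSignOnService endpoint from the IdP metadata, renders the config user saml block from the page's template, and reports whether the HelloID Issuer matches the idp-entity-id FortiGate will expect. The metadata, host names and certificate names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of HelloID IdP metadata; host, GUID and endpoints are
# placeholders, not values from a real tenant.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com/remote/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.helloid.com/relay/EXAMPLE-GUID/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.helloid.com/relay/EXAMPLE-GUID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_post_endpoint(xml_text):
    """Return (entityID, HTTP-POST SingleSignOnService Location) from IdP metadata."""
    root = ET.fromstring(xml_text)
    for sso in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_POST:
            return root.get("entityID"), sso.get("Location")
    raise ValueError("no HTTP-POST SingleSignOnService in metadata")


def render_user_saml(fortigate_host, local_cert, idp_cert, xml_text):
    """Fill the page's 'config user saml' template; returns (config, issuer_ok)."""
    issuer, relay_url = idp_post_endpoint(xml_text)
    base = f"https://{fortigate_host}/remote/saml"
    entity_id = f"{base}/metadata"
    lines = [
        "config user saml",
        "    edit HelloID",
        f"        set cert {local_cert}",            # FortiGate's own local cert
        f"        set entity-id {entity_id}",
        f"        set single-sign-on-url {base}/login",
        f"        set idp-entity-id {entity_id}",
        f"        set idp-single-sign-on-url {relay_url}",
        f"        set idp-cert {idp_cert}",          # imported HelloID remote cert
        "        set user-name username",
        "        set group-name group",
        "    next",
        "end",
    ]
    # The Issuer set in HelloID (Step 3) must equal idp-entity-id, or FortiGate
    # rejects the assertions; surface a mismatch instead of hiding it.
    return "\n".join(lines), issuer == entity_id
```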

Step 5: Test the application
  • Using a HelloID account that has access to the application, go to Applications for users on the user dashboard, and launch the application to test it.

Step 6: Finish up

The application has been added to HelloID, and a trust has been configured. You may now want to do the following: