Fortigate IPSEC via SAML Single Sign-On(SSO)

Overview

FortiGate supports SAML-based authentication for FortiClient remote access dialup IPsec VPN connections. This enables centralized authentication and MFA using Mirket as the Identity Provider (IdP).

Key points:

FortiClient version: 7.2.4 or later
IKE version: IKEv2 only
Authentication method: SAML
Multi-Factor Authentication: FortiToken Push is supported as part of the SAML flow
Use case: Client-to-Site (Dialup) IPsec VPN

This document explains how to integrate FortiGate (Service Provider) with Mirket (SAML IdP) for IPsec IKEv2 remote access VPN authentication.

Fortigate Configuration

Step 1 — Configure Global IKE SAML Port

Configure the port FortiGate will use for IKE-SAML authentication:

config system global
    set auth-ike-saml-port <integer>
end

This port is used internally by FortiGate for the SAML authentication exchange during the IKEv2 process.

Step 1 — Configure Authentication Certificate

Specify the certificate FortiGate will use for SAML authentication:

config user setting
    set auth-cert <certificate_name>
end

A trusted CA-signed certificate is recommended.

Step 3 — Create SAML Server (Mirket as IdP)

Create a SAML server on FortiGate using Mirket IdP details.

config user saml
    edit "mirket-ipsec-saml"
        set cert "<certificate_name>"
        set entity-id "<fortigate-sp-entity-id>"
        set single-sign-on-url "https://<fortigate_public_fqdn>:<auth-ike-saml-port>/<saml_path>"
        set single-logout-url "https://<fortigate_public_fqdn>:<auth-ike-saml-port>/<slo_path>"

        set idp-entity-id "<mirket-idp-entity-id>"
        set idp-single-sign-on-url "<mirket-idp-sso-url>"
        set idp-single-logout-url "<mirket-idp-slo-url>"
        set idp-cert "<mirket-idp-certificate>"

        set user-name "username"
        set group-name "group"
    next
end

All IdP-related values are obtained from the Mirket Admin Portal when creating the FortiGate SAML integration.

Settings in step 4 can also be done via the GUI.

Step 4 — Create SAML User Group

Create a user group that references the Mirket SAML server:

config user group
    edit "IPSEC_SAML_USERS"
        set member "mirket-ipsec-saml"
    next
end

This group will later be referenced in the IPsec Phase 1 configuration and firewall policies.

Step 5 — Configure Dialup IPsec Phase 1 (IKEv2 + SAML)

Create a dialup IPsec VPN using SAML authentication:

config vpn ipsec phase1-interface
    edit "IPSEC"
        set type dynamic
        set interface "wan"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set wizard-type dialup-forticlient
        set authusrgrp "IPSEC_SAML_USERS"
        set transport auto
        set ipv4-start-ip 10.20.20.20
        set ipv4-end-ip 10.20.20.40
        set dns-mode auto
        set ipv4-split-include "split"
        set save-password enable
        set psksecret ENC Iid9dpHSTYQKjY3dkVA
    next
end

Ensure the encryption proposal and DH group are compatible with FortiClient.

Step 6 — Configure Phase 2 and IP Pool (Mode-Config)

Define Phase 2 selectors and the IP pool assigned to VPN clients

Step 7 — Bind SAML Server to the WAN Interface

Associate the SAML server with the interface that receives VPN connections:

config system interface
    edit <interface_name>
        set ike-saml-server <saml_server_name>
    next
end

Example:

<interface_name>: wan1
<saml_server_name>: mirket-ipsec-saml

Mirket Portal Configuration

Then, go to Configuration > Applications page in the Mirket Portal.
To create a new application Add Application button on the top right corner. The application creation process consists of seven steps. In the first step, fill in the fields according to the following instructions:

Application Name: Enter a name for the application.
Application Logo: Upload your company's logo.
Protocol: Select your protocol from the dropdown list. For fortigate integration SAML V2 protocol is need be select.
IDP initiated: When this option is enabled, the system supports IdP-initiated Single Sign-On (SSO).

After filling in the required fields, click the Next button to proceed to the next step. In the second step, select the users, groups or external sources to which the application will apply. Transfer your selections to the Selected Users/Groups/External Sources table by clicking the arrow icon next to the Available Users/Groups/External Sources table.

Once the addition process is completed, click the Next button to proceed to the next step. In the third step, copy the URL values from the Mirket Portal and paste them into the corresponding fields in Fortigate IdP Entity ID: Enter the Identifier (Entity ID) value from the Mirket Portal. IdP single sign-on URL: Enter the Single Sign-On URL value from the Mirket Portal. IdP single logout URL: Enter the Single Log-Out URL value from the Mirket Portal. Note: If the URL value from Mirket is entered in the IdP Single Logout URL field, the user will be logged out from both Fortigate and the Mirket Portal when logging out. If not, the logout will apply only to Fortigate. Note: You can also download the Meta Data XML file from the Mirket Portal.

After entering the values, return to the Mirket Portal, click the Next button to proceed to the next step. In the fourth step, Click the Show Certificate button.

On the page that opens, click Download Certificate to download the certificate file.

After uploading the certificate to Fortigate, return to the Mirket Portal, click the Next button to proceed to the next step. In the fifth step, go to the SP Details section on the SAML server configuration page in Fortigate. Copy the URL values from this section and paste them into the corresponding fields in the Mirket Portal, as specified below:

Identifier (Entity ID): Enter the SP entity ID value from the SP Details in the Fortigate. Reply URL (Assertion Consumer Service URL): Enter the SP ACS (login) URL value from the SP Details in the Fortigate. Sign-On URL: Enter the SP portal URL value from the SP Details in the Fortigate. In this case it is the same as Assertion Consumer Service URL Log-Out URL (Optional): Enter the SP SLS (logout) URL value from the SP Details in the Fortigate.

After entering the values, click the Next button to proceed to the next step. In the sixth step, select the attribute to be mapped and enter its corresponding value. Note: For instance, we are using the "username" and "group" attributes for Fortigate.

After filling in the required field, click the Next button to proceed to the final step. In the seventh step, select the service provider role, and then choose the groups or external sources you want to assign to this role. Note: The role name defined in the Mirket Portal must exactly match the group name configured in the FortiGate user group section.
After filling in the required field, click the Save button. Then, the application will be successfully created.

Forticlient configuration

To complete the integration, users need to configure their FortiClient application to connect to FortiGate over IPSEC VPN using SAML Single Sign-On.

1. Create a New VPN Connection

Open FortiClient and navigate to the VPN section.
Click Add a new connection and choose the IPSEC tab.

2. Configure Connection Settings

Fill in the connection details as follows:

💡 If you're using a custom port or external domain, make sure DNS resolution and firewall policies allow this traffic.

After saving the configuration:

Click Connect on the FortiClient VPN interface.
The client will open your default web browser and redirect you to the Mirket User Portal login page.
Enter your Mirket credentials and complete any MFA steps if enabled.
Upon successful authentication, the browser will close automatically, and the VPN tunnel will be established.

✅ Access permissions will be granted based on the user’s assigned role and group as configured in FortiGate.

PreviousFortigate SSL VPN via SAML Single Sign-On(SSO)NextF5 integration

Last updated 2 months ago

hashtagOverview

hashtagFortigate Configuration

hashtagStep 1 — Configure Global IKE SAML Port

hashtagStep 1 — Configure Authentication Certificate

hashtagStep 3 — Create SAML Server (Mirket as IdP)

hashtagStep 4 — Create SAML User Group

hashtagStep 5 — Configure Dialup IPsec Phase 1 (IKEv2 + SAML)

hashtag

hashtagStep 6 — Configure Phase 2 and IP Pool (Mode-Config)

hashtagStep 7 — Bind SAML Server to the WAN Interface

hashtagForticlient configuration

hashtag1. Create a New VPN Connection

hashtag2. Configure Connection Settings