FortiGate SSL VPN via SAML Single Sign-On (SSO)

This guide explains how to configure FortiGate and Mirket to enable VPN access using the SAML Single Sign-On (SSO) protocol.

  • First, log in to the FortiGate Firewall.

  • Then, create a new SSO server from the Single Sign-On section under User & Authentication in FortiGate.

Upload the IdP Certificate

  • In the Mirket Portal, go to the SAML setup wizard and download the IdP certificate file (typically a .crt file).

  • Under Identity Provider Configuration, upload the downloaded certificate in the Certificate field using the dropdown (e.g., select or upload REMOTE_Cert_3).

Enter Identity Provider (IdP) Information in FortiGate

Still under the Identity Provider Configuration section in FortiGate, fill in the following fields using the values provided by the Mirket Portal:

  • Entity ID: https://idp.mirketsecurity.com/saml/sso?...

  • Assertion Consumer Service URL: Same as above (Mirket generates both ACS and SLS URLs).

  • Single Logout Service URL: https://idp.mirketsecurity.com/saml/sso?...

    These URLs can be copied directly from the Mirket Portal during the setup wizard.

Configure Service Provider (SP) Details in Mirket

Go back to the Mirket Portal and proceed to the SP Details step. Copy the following information from the Service Provider Configuration section in FortiGate and paste it into Mirket:

  • Address: e.g., 98.255.240.22:7000

  • Entity ID: http://98.255.240.22:7000/remote/saml/metadata/

  • Assertion Consumer Service (ACS) URL: http://98.255.240.22:7000/remote/saml/login

  • Single Logout Service (SLS) URL: http://98.255.240.22:7000/remote/saml/logout

📌 These values ensure that the Mirket IdP knows where to send SAML responses and logout requests.

Configure Attribute Mapping

Under Additional SAML Attributes in FortiGate:

  • Attribute used to identify users: username

  • Attribute used to identify groups: group

Once SAML configuration is complete and attribute mapping is in place, proceed with defining user access through FortiGate user groups.

Create a New User Group in FortiGate

  • Navigate to: User & Authentication > User Groups

  • Click Create New.

  • Set the Name for the group (e.g., MIRKET).

  • Under Type, choose: Firewall.

  • In the Remote Groups section, click Add.

  • Select the Remote Server (e.g., Mirket).

  • Under Groups, choose Specify and enter the group name exactly as it is sent in the SAML assertion (e.g., Finance or IT).

🧩 This group name must match the value of the group attribute configured in the Mirket Portal.

Once the group is defined, grant access by assigning it to the VPN configuration and firewall policy.

Attach the Group to VPN Settings

  • Go to: VPN > SSL-VPN Settings

  • In the Authentication/Portal Mapping section, add the newly created user group.

  • Assign the appropriate VPN portal for the group (e.g., full-access or web-access).

Create or Update a Firewall Policy

  • Navigate to: Policy & Objects > IPv4 Policy

  • Create a new policy (or update an existing one) to allow SSL VPN traffic:

    • Source Interface: ssl.root

    • Source: Select the MIRKET group

    • Destination: Internal network or resources

    • Action: Accept

    • Enable NAT if necessary
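The FortiGate steps above, expressed as the equivalent FortiOS CLI configuration. This is an added example, not part of the original guide: the IdP URLs are placeholders for the values copied from the Mirket Portal, and the internal interface port2, the all address objects, the policy name and the schedule/service values are assumptions to adapt to your environment.

```text
config user saml
    edit "Mirket"
        set entity-id "http://98.255.240.22:7000/remote/saml/metadata/"
        set single-sign-on-url "http://98.255.240.22:7000/remote/saml/login"
        set single-logout-url "http://98.255.240.22:7000/remote/saml/logout"
        # IdP side: placeholders for the values copied from the Mirket setup wizard
        set idp-entity-id "<IdP Entity ID from Mirket Portal>"
        set idp-single-sign-on-url "<IdP Single Sign-On URL from Mirket Portal>"
        set idp-single-logout-url "<IdP Single Logout URL from Mirket Portal>"
        set idp-cert "REMOTE_Cert_3"
        # Attribute names must match what Mirket puts in the assertion
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "MIRKET"
        set member "Mirket"
        config match
            edit 1
                set server-name "Mirket"
                # Must equal the role/group value sent by Mirket, case included
                set group-name "Finance"
            next
        end
    next
end
config vpn ssl settings
    set port 7000
    config authentication-rule
        edit 1
            set groups "MIRKET"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 0
        set name "SSLVPN-Mirket"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set groups "MIRKET"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying it, `diagnose debug application samld -1` on the FortiGate shows the attribute names and group value received in the assertion, which is the quickest way to confirm the username/group mapping and the group-name match.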

Mirket Portal

  • Go to the Configuration > Applications page in the Mirket Portal.

  • To create a new application, click the Add Application button in the top right corner. The application creation process consists of seven steps. In the first step, fill in the fields according to the following instructions:

  • Application Name: Enter a name for the application.

  • Application Logo: Upload your company's logo.

  • Protocol: Select your protocol from the dropdown list. For FortiGate integration, select the SAML V2 protocol.

  • IDP initiated: When this option is enabled, the system supports IdP-initiated Single Sign-On (SSO).

  • After filling in the required fields, click the Next button to proceed to the next step. In the second step, select the users, groups or external sources to which the application will apply. Transfer your selections to the Selected Users/Groups/External Sources table by clicking the arrow icon next to the Available Users/Groups/External Sources table.

  • Once the addition process is completed, click the Next button to proceed to the next step. In the third step, copy the URL values from the Mirket Portal and paste them into the corresponding fields in FortiGate:

    • IdP Entity ID: Enter the Identifier (Entity ID) value from the Mirket Portal.

    • IdP single sign-on URL: Enter the Single Sign-On URL value from the Mirket Portal.

    • IdP single logout URL: Enter the Single Log-Out URL value from the Mirket Portal.

    Note: If the URL value from Mirket is entered in the IdP Single Logout URL field, the user will be logged out from both FortiGate and the Mirket Portal when logging out. If not, the logout will apply only to FortiGate.

    Note: You can also download the Meta Data XML file from the Mirket Portal.

  • After entering the values, return to the Mirket Portal and click the Next button to proceed to the next step. In the fourth step, click the Show Certificate button.

  • On the page that opens, click Download Certificate to download the certificate file.

  • After uploading the certificate to FortiGate, return to the Mirket Portal and click the Next button to proceed to the next step. In the fifth step, go to the SP Details section on the SAML server configuration page in FortiGate. Copy the URL values from this section and paste them into the corresponding fields in the Mirket Portal, as specified below:

    • Identifier (Entity ID): Enter the SP entity ID value from the SP Details in FortiGate.

    • Reply URL (Assertion Consumer Service URL): Enter the SP ACS (login) URL value from the SP Details in FortiGate.

    • Sign-On URL: Enter the SP portal URL value from the SP Details in FortiGate. In this case it is the same as the Assertion Consumer Service URL.

    • Log-Out URL (Optional): Enter the SP SLS (logout) URL value from the SP Details in FortiGate.

  • After entering the values, click the Next button to proceed to the next step. In the sixth step, select the attribute to be mapped and enter its corresponding value. Note: In this guide, the "username" and "group" attributes are used for FortiGate.

  • After filling in the required field, click the Next button to proceed to the final step. In the seventh step, select the service provider role, and then choose the groups or external sources you want to assign to this role. Note: The role name defined in the Mirket Portal must exactly match the group name configured in the FortiGate user group section.

  • After filling in the required field, click the Save button. The application is now created.

FortiClient Configuration

To complete the integration, users need to configure their FortiClient application to connect to FortiGate over SSL VPN using SAML Single Sign-On.

1. Create a New VPN Connection

  • Open FortiClient and navigate to the VPN section.

  • Click Add a new connection and choose the SSL-VPN tab.

2. Configure Connection Settings

Fill in the connection details as follows:

  • Connection Name: A descriptive name (e.g., Bakirkoy_SAML)

  • Remote Gateway: Your FortiGate external IP address (e.g., 98.255.240.22)

  • Customize port: ✅ Check and set to 7000 (or the port your FortiGate SSL VPN is listening on)

  • Enable Single Sign On (SSO) for VPN Tunnel: ✅ Check this box

  • Use external browser as user-agent: ✅ Recommended for proper SAML redirection (ensures compatibility with the Mirket Portal login flow)

  • Username: The user’s identity (e.g., alex.morgan) as defined in your IdP

  • Client Certificate: Optional – usually set to None unless certificate-based auth is required

💡 If you're using a custom port or external domain, make sure DNS resolution and firewall policies allow this traffic.

After saving the configuration:

  • Click Connect on the FortiClient VPN interface.

  • The client will open your default web browser and redirect you to the Mirket User Portal login page.

  • Enter your Mirket credentials and complete any MFA steps if enabled.

  • Upon successful authentication, the browser will close automatically, and the VPN tunnel will be established.

✅ Access permissions will be granted based on the user’s assigned role and group as configured in FortiGate.
