eliott/authentik
1
0
Fork 0
mirror of https://github.com/goauthentik/authentik synced 2026-04-27 09:57:31 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
e7fcfb7e67d5df3e8a8a5da170f18fa4c6b98731
authentik/website/integrations/networking/fortigate-ssl/index.md
Teffen Ellis 6ed5cb5249 website/docs: Modal and wizard button labels (#21549) 
* website/integrations: rename "Create with Provider" to "New Application"

The application list page now uses a split-button labeled
"New Application" instead of the old "Create with Provider" dropdown.
Update all 113 integration guides to match.

* website/docs: update flow, stage, and policy button labels

- "Create" → "New Flow", "New Stage", "New Policy" for trigger buttons
- "Finish" → "Create Flow", "Create Stage", "Create Policy" for submit
- "Create and bind stage" → "New Stage" / "Bind Existing Stage"
- "Create" (binding submit) → "Create Stage Binding"

* website/docs: update provider button labels

- "Create" → "New Provider" for trigger buttons
- "Create with Provider" → "New Application" in RAC docs
- "Create" → "New Property Mapping", "New RAC Endpoint", "New Prompt"
  for related entity creation

* website/docs: update directory button labels

- "Create" → "New Source" for federation/social login pages
- "Create" → "New Role", submit → "Create Role"
- "Create" → "New Invitation"
- Policy binding submit → "Create Policy Binding"

* website/docs: update endpoint device and system management button labels

- "Create" → "New Endpoint Connector", "New Enrollment Token",
  "New Device Access Group", "New Flow"
- Submit → "Create Device Access Group"
- "Create" → "New Notification Rule", "New Notification Transport"
- Binding submit → "Create Policy Binding"

* Reorganize policy documentation

* website/docs: address policy docs review feedback

* post-rebase

* website/docs: Reorganize policy documentation -- Revisions (#21601)

* apply suggestions

* Fix escaped.

* Fix whitespace.

* Update button label.

* Fix phrasing.

* Fix phrasing.

* Clean up stragglers.

* Format.

---------

Co-authored-by: Dominic R <dominic@sdko.org>
2026-04-16 17:35:38 +00:00

148 lines
6.0 KiB
Markdown
Raw Blame History

---
title: Integrate with FortiGate SSLVPN
sidebar_label: FortiGate SSLVPN
support_level: community
---
## What is FortiGate SSLVPN
> FortiGate is a firewall from Fortinet. It is an NGFW with layer 7 inspection and can become part of a Fortinet security fabric.
>
> -- https://www.fortinet.com/products/next-generation-firewall
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of your authentik installation.
- `fortigate.company` is the FQDN of your FortiGate firewall.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Prerequisites
- A working SSLVPN (portal or tunnel) configuration in FortiGate
- A certificate for signing and encryption uploaded to both authentik and FortiGate
- FortiGate version 7.2.8 or later
- authentik version 2024.2.2 or later
## authentik configuration
To support the integration of FortiGate SSLVPN with authentik, you need to create an application/provider pair and user group in authentik.
### Create a user group
1. Log in to authentik as an administrator and navigate to the Admin interface.
2. Navigate to **Directory** > **Groups** and click **Create**.
3. Set a descriptive name for the group (e.g. "FortiGate SSLVPN Users").
4. Add the users who should have access to the SSLVPN.
5. Click **Save**.
### Create an application and provider in authentik
1. Log in to authentik as an admin and navigate to the Admin interface.
2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair.
- **Application**: provide a descriptive name (e.g. "FortiGate SSLVPN"), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Upload the metadata file from FortiGate (you will get this in the FortiGate configuration steps).
- Set the **ACS URL** to `https://fortigate.company/remote/saml/login`.
- Set the **Issuer** to `https://authentik.company/`.
- Set the **Audience** to `http://fortigate.company/remote/saml/metadata/`.
- Set the **SLS URL** to `http://fortigate.company/remote/saml/logout/`.
- Under **Advanced protocol settings**:
- Set **Signing certificate** to use any available certificate.
- Enable both **Sign assertions** and **Sign responses**.
- Set **Assertion valid not before** to `minutes=5`.
- Set **Assertion valid not on or after** to `minutes=5`.
- Set **Digest algorithm** to `sha256`.
- Set **Signature algorithm** to `sha256`.
- **Configure Bindings**: create a binding to the user group you created earlier to manage access to the SSLVPN.
3. Click **Submit** to save the new application and provider.
## FortiGate configuration
### Setup SAML SP
1. SSH into the FortiGate (if you are using vdom, change to the correct vdom).
2. The configuration will be written to `/data/config/config.conf`. Copy and paste the following configuration, replacing the placeholders with your values:
```
config user saml
edit "authentik-sso"
set cert "your-fortigate-cert"
set entity-id "http://fortigate.company/remote/saml/metadata/"
set single-sign-on-url "https://fortigate.company/remote/saml/login"
set single-logout-url "https://fortigate.company/remote/saml/logout"
set idp-entity-id "https://authentik.company/"
set idp-single-sign-on-url "https://authentik.company/application/saml/fortigate-sslvpn/sso/binding/redirect/"
set idp-single-logout-url "https://authentik.company/application/saml/fortigate-sslvpn/slo/binding/redirect/"
set idp-cert "your-authentik-cert"
set user-name "http://schemas.goauthentik.io/2021/02/saml/username"
set group-name "http://schemas.xmlsoap.org/claims/Group"
set digest-method sha256
next
end
```
### Add SAML SSO to a user group
Configure the FortiGate user group:
```
config user group
edit "sslvpn-users"
set member "authentik-sso"
config match
edit 1
set server-name "authentik-sso"
set group-name "FortiGate SSLVPN Users"
next
end
next
end
```
:::info
Remember to map the user group to a portal in the 'SSL-VPN Settings' page and add it to firewall rules, or users will be redirected back to authentik with a logout immediately upon each login attempt.
:::
### Download SAML metadata
1. Navigate to your FortiGate web interface at `https://fortigate.company`
2. Go to **User & Authentication** > **SAML** > **Single Sign-On Server**
3. Click on the "authentik-sso" server you created
4. Click **Download** to get the SAML metadata file
5. Return to authentik and upload this metadata file in the provider configuration
## Configuration verification
To verify the integration:
1. Navigate to your FortiGate SSLVPN portal at `https://fortigate.company`
2. You should be redirected to authentik to authenticate
3. After successful authentication, you should be redirected back to the FortiGate SSLVPN portal
4. Verify that you can establish a VPN connection
:::info
If you encounter any issues:
- Check that the user group bindings are correctly configured in both authentik and FortiGate
- Verify the SAML metadata and certificates are correctly uploaded
- Enable debug logging in FortiGate:
```
diagnose debug enable
diag debug application samld -1
```
- Check the FortiGate logs for SAML-related errors
:::
## Resources
- [FortiGate SSLVPN Documentation](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/397719/ssl-vpn)
- [FortiGate SAML Configuration Guide](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/954635/saml-sp)
Reference in New Issue View Git Blame Copy Permalink