FortiClient - SAML Auth now supported for dialup IPsec VPN

Looks like Fortinet snuck this in with FortiClient 7.2.4 - not seeing this in the 7.2.4 FortiClient or EMS release notes, but instead under the New Feature documentation for FortiGate.

Cracks Knuckles My time has come.

FOS 7.2.0+ SAML-based authentication for FortiClient remote access dialup IPsec VPN clients | FortiGate / FortiOS 7.2.0 | Fortinet Document Library

FOS 7.4.0+ SAML-based authentication for FortiClient remote access dialup IPsec VPN clients | FortiGate / FortiOS 7.4.0 | Fortinet Document Library

FCT 7.2.4+ (no FCT reference yet)

I noticed the “ike-saml-server” setting not too long ago while looking for something unrelated and couldn’t find any documentation for it. Definitely a positive direction though…

I do have questions about it, however.

  • What is the surface area of authd? It’s got to be less than sslvpnd, but are we trading one pile of kindling for another?
  • Can we listen on a loopback and use that to protect authd like we would sslvpnd? I’d assume so, but need to lab this up…

Amazing, main reason we hadn’t been considering IPsec was lack of SAML

I only see it mention FortiAuthenticator. I’m assuming we can use any SAML service like O365?

Is the FortiGate authd daemon written in a memory-safe programming language?

Are we going to see the number of vulnerabilities in authd that we see in sslvpnd?

These are important questions!

I can not tell you how long I’ve been waiting for this feature to be added. This is great news.

Quick revive to this - Anyone got this working?

I am running into an authentication wall where SAML passes, AUTHD passes but FNBAMD denies me logon with an error I can’t figure out - It passes but… Fails?

[1616] fnbam_user_auth_group_match-req id: 1922809136, server: fw01-ipsec-saml, local auth: 0, dn match: 0
[1585] __group_match-Group 'sg-vpn-daily' passed group matching
[1588] __group_match-Add matched group 'sg-vpn-daily'(2)
[1949] handle_req-Passed group matching
[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'eap_proxy' 127.0.0.1(1) is 0
[1479] fnbamd_auth_handle_radius_result-RADIUS auth succeeds with server 'fw01-ipsec-saml'
[1616] fnbam_user_auth_group_match-req id: 1922809135, server: fw01-ipsec-saml, local auth: 0, dn match: 0
[280] find_matched_usr_grps-Failed group matching
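The pasted fnbamd output actually contains two separate requests (req id 1922809136 and 1922809135), and reading it top to bottom it is easy to mistake the "passed" and "failed" group-matching lines for one contradictory result. The script below is an added example, not code from the thread or from Fortinet: it splits a `diag debug application fnbamd` capture by req id and summarises what happened to each one. It assumes that every line following a "req id:" line belongs to that request until the next "req id:" line appears; fnbamd can interleave requests on a busy box, so treat that attribution as an approximation.

```python
"""Correlate FortiOS fnbamd debug lines by request id (added example, not vendor code).

Assumption: a "req id:" line opens a request and the lines that follow, up to the
next "req id:" line, belong to it. fnbamd may interleave requests, so on a busy
firewall this attribution is approximate.
"""
import re
from collections import OrderedDict

# Sample input: the fnbamd lines pasted in the post above.
FNBAMD_DEBUG = """\
[1616] fnbam_user_auth_group_match-req id: 1922809136, server: fw01-ipsec-saml, local auth: 0, dn match: 0
[1585] __group_match-Group 'sg-vpn-daily' passed group matching
[1588] __group_match-Add matched group 'sg-vpn-daily'(2)
[1949] handle_req-Passed group matching
[1454] fnbamd_auth_handle_radius_result-->Result for radius svr 'eap_proxy' 127.0.0.1(1) is 0
[1479] fnbamd_auth_handle_radius_result-RADIUS auth succeeds with server 'fw01-ipsec-saml'
[1616] fnbam_user_auth_group_match-req id: 1922809135, server: fw01-ipsec-saml, local auth: 0, dn match: 0
[280] find_matched_usr_grps-Failed group matching
"""

# "[<source line>] <function>-<message>"; some lines use "-->" as the separator.
LINE_RE = re.compile(r"^\[(?P<src>\d+)\]\s+(?P<func>\w+)-+>?(?P<msg>.*)$")
REQ_RE = re.compile(
    r"req id: (?P<req>\d+), server: (?P<server>[^,]+), "
    r"local auth: (?P<local>\d), dn match: (?P<dn>\d)"
)
MATCHED_RE = re.compile(r"Add matched group '(?P<group>[^']+)'")
RADIUS_OK_RE = re.compile(r"RADIUS auth succeeds with server '(?P<server>[^']+)'")


def parse_fnbamd(text):
    """Return an ordered mapping of req id -> summary of that request."""
    requests = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or something other than an fnbamd debug line
        msg = m.group("msg")
        r = REQ_RE.search(msg)
        if r:
            # A new request starts; later lines are attributed to it (see assumption).
            current = r.group("req")
            requests[current] = {
                "server": r.group("server"),
                "local_auth": r.group("local") == "1",
                "dn_match": r.group("dn") == "1",
                "group_match": None,      # "passed" / "failed" / None if never reported
                "matched_groups": [],
                "radius_auth": None,
                "lines": [],
            }
            continue
        if current is None:
            continue  # lines before the first req id cannot be attributed
        entry = requests[current]
        entry["lines"].append(line)
        low = msg.lower()
        if "passed group matching" in low:
            entry["group_match"] = "passed"
        elif "failed group matching" in low:
            entry["group_match"] = "failed"
        g = MATCHED_RE.search(msg)
        if g:
            entry["matched_groups"].append(g.group("group"))
        s = RADIUS_OK_RE.search(msg)
        if s:
            entry["radius_auth"] = "succeeded via " + s.group("server")
    return requests


def denied_requests(requests):
    """Req ids whose group matching failed; these are the logons fnbamd refuses."""
    return [req for req, e in requests.items() if e["group_match"] == "failed"]


def report(requests):
    """One human-readable line per request."""
    return "\n".join(
        f"req {req}: server={e['server']} group_match={e['group_match']} "
        f"groups={e['matched_groups']} radius={e['radius_auth']}"
        for req, e in requests.items()
    )


if __name__ == "__main__":
    reqs = parse_fnbamd(FNBAMD_DEBUG)
    print(report(reqs))
    print("denied:", denied_requests(reqs))
```

Run against the pasted capture, the report shows 1922809136 passing group matching with 'sg-vpn-daily' and a RADIUS success, while 1922809135 never matches any group and is the one that gets denied. When troubleshooting, the useful next step is to look at what the second request carried (which user/group attributes arrived for it) rather than at the first one that succeeded.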

How’d it go? Working good?

Interesting! I’m guessing this would be a good combination to use with always on VPN on FortiClient EMS?

I’m also curious about this.

Based on the fact this is using effectively the same SAML configuration as you’d use for user authentication, etc for SSL VPN, it should work with any IDP. FortiAuthenticator is just shown as an example to sell FortiAuthenticator… :slight_smile:

Shouldn’t matter, SAML is SAML.

Haven’t had the time LOL. Thanks for the reminder.

The first item on Special notices | FortiClient 7.2.4 | Fortinet Document Library suggests that this should be possible, yes.

I’d skip EMS. Buggy as shit and return policy just as bad

Anyone able to get this working? I am trying to spin this up in my lab environment but the latest FortiClient is not showing the SAML login page at all. Just gets stuck on “Connecting” and freezes up.

Hehe no worries. I’m gonna test it soon too. I’m assuming if we have SAML to EntraID it’ll work the same just need to copy the config over for the urls, etc.

Doesn’t SAML for the dial up Forticlient connections require EMS?