spickzettel:netzwerk:fortigate_vpn_saml_keycloak, revisions 2021/11/05 21:28:26 and 2021/11/05 22:27:18 (current), author Marcel Jäpel
====== FortiGate VPN with 2FA SAML authentication against Keycloak ======

===== General =====
==== Terminology ====
  * Service Provider -> SP -> FortiGate
  * Identity Provider -> IdP -> Keycloak

==== Auth mechanisms ====
  * The FortiGate configuration shown allows several auth backends (FortiGate local users, LDAP, SSO/SAML) in parallel for the same VPN. By keeping the groups from the individual backends apart, the same user can receive different VPN rights via 2FA SAML than via an LDAP login.

==== Fallback users ====
  * Because the auth mechanisms can be combined freely, there is no limit on how creative you can be with fallback users. They could come from LDAP or even be configured locally on the FortiGate.
  * Keep in mind that such a fallback account bypasses the 2FA of the SAML path. Give it its own user group with a restricted portal and a strong password, so the fallback does not quietly become the weakest login to the VPN.

==== FortiGate debug options ====
<code>
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug application httpsd -1
diagnose debug enable
</code>
Switch debugging off again afterwards with ''diagnose debug disable'' and ''diagnose debug reset''; at level -1 samld and httpsd log the whole SAML exchange in detail.

----
===== Keycloak =====
  * The key and certificate must be regenerated in the client. In a Keycloak client export they are the client attributes ''saml.signing.private.key'' and ''saml.signing.certificate''; those fields were blanked in the JSON below.
  * The generated key/cert pair must also be imported into the FortiGate.

<file json client_export.json>
(field names and values of the client export are not present in this copy of the page; only the brace/bracket skeleton survived and has been dropped. Export the SAML client from your own realm and blank the two saml.signing.* attributes as described above.)
</file>
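The two certificate notes above share one practical snag: Keycloak hands out the realm signing certificate (in the realm's SAML descriptor at ''/realms/<realm>/protocol/saml/descriptor'', ''/auth/realms/...'' on older releases) and the client key pair (in the export attributes) as bare base64 DER without PEM headers, which the FortiGate certificate import does not take. The script below is an added example, not code from the page or from Keycloak: it parses a constructed copy of such a descriptor (the certificate bytes are filler, not a real certificate), wraps the values as PEM and prints the IdP half of ''config user saml''. Host name, realm name and the ''REMOTE_Cert_1'' naming are assumptions taken from the page's own certificate list.

```python
"""Added example (not from the original page): convert what Keycloak publishes
into what the FortiGate import and 'config user saml' want."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed data: filler bytes standing in for the DER certificate, and a
# descriptor in the shape Keycloak serves. Host and realm are assumptions.
DUMMY_DER_B64 = base64.b64encode(b"not a real certificate, only filler bytes " * 4).decode()
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/realms/vpn">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>realm-key-1</ds:KeyName>
        <ds:X509Data><ds:X509Certificate>{DUMMY_DER_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://idp.example.test/realms/vpn/protocol/saml"/>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/realms/vpn/protocol/saml"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.test/realms/vpn/protocol/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/realms/vpn/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64_der: str, label: str) -> str:
    """Wrap bare base64 DER into a PEM block with 64-column lines.
    Decoding with validate=True catches a truncated or mangled paste early."""
    raw = base64.b64decode("".join(b64_der.split()), validate=True)
    body = base64.b64encode(raw).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Entity ID, SSO/SLO URLs and all signing certificates of the realm."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor, is this really the realm descriptor?")

    def location(service: str) -> str:
        # Keycloak serves HTTP-Redirect and HTTP-POST at the same URL, so the
        # first entry is as good as any.
        svc = idp.find("md:" + service, NS)
        if svc is None:
            raise ValueError("descriptor has no " + service)
        return svc.get("Location")

    certs: List[str] = [
        to_pem(c.text.strip(), "CERTIFICATE")
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")  # no 'use' attribute means both uses
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    if not certs:
        raise ValueError("descriptor carries no signing certificate")
    # A realm with several keys lists all of them; import the one that is
    # active under Realm Settings > Keys, and repeat this after a key rotation,
    # otherwise the FortiGate rejects every assertion signature.
    return {
        "entity_id": root.get("entityID"),
        "sso_url": location("SingleSignOnService"),
        "slo_url": location("SingleLogoutService"),
        "signing_certs_pem": certs,
    }


def fortigate_idp_lines(meta: Dict[str, object], idp_cert_name: str) -> str:
    """IdP half of 'config user saml'; idp_cert_name is the name the realm
    certificate got on import (REMOTE_Cert_1 on the page)."""
    return "\n".join([
        'set idp-entity-id "%s"' % meta["entity_id"],
        'set idp-single-sign-on-url "%s"' % meta["sso_url"],
        'set idp-single-logout-url "%s"' % meta["slo_url"],
        'set idp-cert "%s"' % idp_cert_name,
    ])


if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    print(meta["signing_certs_pem"][0])  # import this as a remote certificate
    print(fortigate_idp_lines(meta, "REMOTE_Cert_1"))
    # The client's saml.signing.private.key from the export is PKCS#8 (Java's
    # getEncoded()), hence the PRIVATE KEY label; value below is filler.
    print(to_pem(base64.b64encode(b"filler, not a key").decode(), "PRIVATE KEY"))
```

Feed the real descriptor to ''parse_idp_metadata'' and the real export attribute to ''to_pem''; check the key with ''openssl pkey -in key.pem -noout'' before importing the pair as the local certificate that ''set cert'' refers to.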

===== FortiGate =====
  * Certificates
    * IDM-FortiVPN-SSL -> cert + key from the Keycloak client (the SP signing pair, referenced by ''set cert'')
    * REMOTE_Cert_1 -> signing certificate of the Keycloak realm (the name FortiOS assigns to a certificate imported as a remote certificate, referenced by ''set idp-cert''); when the realm key is rotated this certificate has to be replaced, otherwise every assertion fails the signature check

The values between the quotes in this config did not survive in this copy of the page; only the keywords remain. ''cert'' and ''idp-cert'' follow from the certificate list above and are filled in, everything else has to come from your own setup: ''entity-id'', ''single-sign-on-url'' and ''single-logout-url'' are the FortiGate's own SP values (typically ''https://<vpn-host>:<port>/remote/saml/metadata/'', ''.../remote/saml/login'' and ''.../remote/saml/logout''), the ''idp-*'' values come from the Keycloak realm's SAML descriptor, and ''user-name'' / ''group-name'' are the names of the assertion attributes the FortiGate reads the login name and the group list from, so they must match the attribute names of the Keycloak client's mappers exactly. Each ''config match'' entry ties a FortiGate user group to one group value from that attribute; the ''authentication-rule'' list is evaluated top-down and the first rule whose group contains the user decides the portal.
<code>
config user saml
    edit "
        set cert "IDM-FortiVPN-SSL"
        set entity-id "
        set single-sign-on-url "
        set single-logout-url "
        set idp-entity-id "
        set idp-single-sign-on-url "
        set idp-single-logout-url "
        set idp-cert "REMOTE_Cert_1"
        set user-name "
        set group-name "
    next
end

config user group
    edit "
        set member "
        config match
            edit 1
                set server-name "
                set group-name "
            next
        end
    next

    edit "
        set member "
        config match
            edit 1
                set server-name "
                set group-name "
            next
        end
    next

    edit "
        set member "
    next
end

config vpn ssl settings
    set servercert "
    set tunnel-ip-pools "
    set port 8443
    set source-interface "
    set source-address "
    set source-address6 "
    set default-portal "
    config authentication-rule
        edit 1
            set groups "
            set portal "
        next
        edit 2
            set groups "
            set portal "
        next
    end
end
</code>
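The point made under "Auth mechanisms" and "Fallback users" (the same person gets different rights through 2FA SAML than through LDAP, and a local fallback account lands in yet another group) is decided entirely by the ''config user group'' matches and the ''authentication-rule'' order in the block above. The script below is an added example, not the page's or Fortinet's code: it models that resolution in Python so a mapping can be dry-run before it is typed into the box. It pulls the login name and group list from a constructed, unsigned SAML Response using the attribute names configured on the SAML server object, claims user groups by exact ''group-name'' match, and walks the rules top-down. Attribute names (''username'', ''groups''), group, portal and server names are assumptions; the exact, case-sensitive comparison is an assumption too, verify it against the samld debug output of your FortiOS release. Signature and audience checks, which the FortiGate does before any of this, are out of scope here.

```python
"""Added example (not from the original page): dry-run of the FortiGate
SAML/LDAP/local group -> portal resolution configured on this page."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# 'config user saml': name of the server object and which assertion attributes
# carry the login name and the group list (assumed attribute names).
SAML_SERVER = {"name": "keycloak-idm", "user-name": "username", "group-name": "groups"}


@dataclass
class UserGroup:
    name: str
    # (server-name, group-name) of a 'config match' entry for SAML users ...
    saml_match: Optional[Tuple[str, str]] = None
    # ... or (backend, login) members for LDAP/local users
    members: Set[Tuple[str, str]] = field(default_factory=set)


# 'config user group' (assumed names)
USER_GROUPS = [
    UserGroup("grp-vpn-saml-admins", saml_match=("keycloak-idm", "vpn-admins")),
    UserGroup("grp-vpn-saml-users", saml_match=("keycloak-idm", "vpn-users")),
    UserGroup("grp-vpn-ldap-users", members={("ldap", "alice"), ("ldap", "bob")}),
    UserGroup("grp-vpn-fallback", members={("local", "breakglass")}),
]
# 'config authentication-rule' in order: first hit wins, else default-portal
AUTH_RULES = [
    ("grp-vpn-saml-admins", "full-access"),
    ("grp-vpn-saml-users", "tunnel-only"),
    ("grp-vpn-ldap-users", "web-only"),
    ("grp-vpn-fallback", "tunnel-only"),
]
DEFAULT_PORTAL = "no-access"

# Constructed, unsigned SAML Response for alice. Note the second group value:
# "VPN-Admins" is not "vpn-admins", so it must not claim the admin group.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2021-11-05T21:00:00Z"
    Destination="https://vpn.example.test:8443/remote/saml/login">
  <saml:Issuer>https://idp.example.test/realms/vpn</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-11-05T21:00:00Z">
    <saml:Issuer>https://idp.example.test/realms/vpn</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
        <saml:AttributeValue>VPN-Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_response(xml_text: str) -> Tuple[str, List[str]]:
    """Login name and group values from the AttributeStatement, read through the
    attribute names of the SAML server object. Exactly one login name is required."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("SAML response status is not Success")
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    users = attrs.get(SAML_SERVER["user-name"], [])
    if len(users) != 1:
        raise ValueError("expected one %s value, got %r" % (SAML_SERVER["user-name"], users))
    return users[0], attrs.get(SAML_SERVER["group-name"], [])


def groups_for_saml_login(groups: List[str]) -> List[str]:
    """'config match': exact, case-sensitive comparison (assumed) per user group."""
    return [g.name for g in USER_GROUPS
            if g.saml_match and g.saml_match[0] == SAML_SERVER["name"]
            and g.saml_match[1] in groups]


def groups_for_backend_login(backend: str, login: str) -> List[str]:
    return [g.name for g in USER_GROUPS if (backend, login) in g.members]


def portal_for(member_of: List[str]) -> str:
    for group, portal in AUTH_RULES:  # top-down, first hit wins
        if group in member_of:
            return portal
    return DEFAULT_PORTAL


def resolve_saml(xml_text: str) -> Tuple[str, List[str], str]:
    user, groups = parse_saml_response(xml_text)
    member_of = groups_for_saml_login(groups)
    return user, member_of, portal_for(member_of)


def resolve_backend(backend: str, login: str) -> Tuple[List[str], str]:
    member_of = groups_for_backend_login(backend, login)
    return member_of, portal_for(member_of)


if __name__ == "__main__":
    print(resolve_saml(SAML_RESPONSE))           # alice via 2FA SAML -> tunnel-only
    print(resolve_backend("ldap", "alice"))      # same person via LDAP -> web-only
    print(resolve_backend("local", "breakglass"))  # fallback account -> tunnel-only
```

Swap the tables for your own group and rule names and feed a SAML Response copied from the samld debug output to see which group and portal the box will pick; a user whose groups match nothing falls through to ''default-portal'', which is why that portal should be the most restrictive one.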

===== FortiClient =====

  * Enable the SSO login feature in the connection options
  * The feature is included from version 6.4.0 onwards. So far it has only been tested with version 7.0.1 on Windows.
  * The macOS and Linux FortiClient have the SSO login option in the GUI. Testing is still pending.
