Facial Biometrics Integration Guide via SAML Protocol

This guide details the process of integrating FaceSign facial biometrics with Fortigate through the SAML protocol. The integration allows authentication to the SSL VPN using facial recognition.


Prerequisites

Before starting this tutorial, it is essential that you already have a customer portal configured in FaceSign. If you have not done so yet, follow the Creation and Portal Setup on FaceSign guide first.


Part 1: Enabling the SAML Protocol on the FaceSign Portal

The first step is to obtain the SAML configuration data from your FaceSign portal. To do this, follow the steps below:

  1. Access the FaceSign biometric portal with your administrator credentials.

  2. In the side menu, navigate to Clients and, in the list, open the edit page for the portal that will be used in the integration.

  3. Within the client settings, go to "Features".

  4. Enable the option "Enable SAML protocol?".

  5. After enabling the option, a new tab called "SAML" will appear. Open it and note down the information (SAML XML, IdP Metadata, etc.) that will be used later in the Fortigate configuration.


Part 2: Configuring SAML on the Fortigate

With the FaceSign data in hand, the next step is to configure the Fortigate to accept SAML authentication.

1. Create a New SAML Service

  1. Navigate to User & Authentication > SAML.

  2. Click Create New.

  3. Fill in the fields according to the table below. The exact values for Entity ID, Single Sign-On URL and Single Logout URL must be obtained from the SAML metadata provided by FaceSign in the previous step.

  Field: Description

  Service Provider Name: A name to identify the service (e.g., FaceSign-SAML).

  SP Entity ID: Identifier of your VPN (hostname, IP, etc.).

  SP ACS (Consumer) URL: Fortigate callback URL.

  SP SLS (Logout) URL: Fortigate logout URL.

  IdP Entity ID: Obtained from FaceSign metadata.

  IdP Single Sign-On URL: Obtained from FaceSign metadata.

  IdP Single Logout URL: Obtained from FaceSign metadata.

  IdP Certificate: Enter the certificate sent by the FaceSign technician.

  User Name: user

  Group Name: group


2. Create a New SAML User Group

  1. Go to User & Authentication > User groups.

  2. Click Create New.

  3. Name the group: VPN-Access-Facesign.

  4. In Type, select Firewall.

  5. In Members, click Add and select the SAML service created in the previous step (FaceSign-SAML).

  6. Save the group.


3. Configure the VPN Access Profile

A. Enable and Configure the SSL VPN

  1. Go to VPN > SSL-VPN Settings.

  2. Set Listen on Interface(s) to the interface on which the VPN will accept connections.

  3. Enable Tunnel Mode.

  4. In Authentication/Portal Mapping, click Create New and configure:

    • Portal: tunnel-access

    • User Group: Select the group VPN-Access-Facesign created earlier.

B. Adjust the Firewall Policy

  1. Go to Policy & Objects > IPv4 Policy.

  2. Create a new policy with the following settings:

  Field: Value

  Incoming Interface: SSL-VPN tunnel interface

  Outgoing Interface: Your local network interface (e.g., lan).

  Source: The VPN address and the user group VPN-Access-Facesign.

  Destination: all (or the specific addresses of your internal network).

  Service: ALL (or specific services such as PING, SMB).

  NAT: Enabled, if necessary.

  3. Save the policy.


Part 3: Testing the Connection

  1. Access the URL of your SSL VPN (e.g., https://<your-public-ip>).

  2. You will be automatically redirected to the FaceSign authentication page.

  3. Log in with your registered email.

  4. Perform biometric authentication by facial recognition.

  5. After approval, you will be redirected back to the Fortigate SSL-VPN portal.

  6. Click "Connect" to establish the VPN tunnel connection.

Success! You are connected to the internal network with the security of facial biometrics.


Support and Contact

For technical support or questions, use the FaceSign Admin Portal or contact our team through the official channels.
