search
DocHub

Facial Biometrics Integration Guide via SAML-IPsec Protocol

Guide to configuring an IPsec VPN in a FortiGate environment, using SSO with SAML authentication integrated with the FaceSign platform for secure biometric access.

hashtag
Prerequisites

Before starting the setup process, ensure the following item is available:

  1. Digital Certificate: The digital certificate provided by Facesign is essential to establish trust between the FortiGate (Service Provider) and the Facesign platform (Identity Provider). Import this certificate into your FortiGate appliance before proceeding.

hashtag
1. Single Sign-On (SSO) Configuration with Facesign

The first step is to register Facesign as a SAML identity provider on the FortiGate.

  1. Access the FortiGate administration interface and navigate to User & Authentication > Single Sign-On.

  1. Create a new SSO entry with the following specifications:

  • Name: Facesign SAML (or a descriptive name of your choice).

  • Service Provider Configuration:

    • Address: Enter the external access address of your VPN, in the format vpn.yourdomain.com.br:xxxx. You may use the IP address and the corresponding port.

  • Identity Provider Details:

    • Use the URLs (Entity ID, Single Sign-on service URL, Single logout service URL) provided by the Facesign portal.

    • Import the Facesign digital certificate previously uploaded to the FortiGate.

  1. After creation, edit the SSO configuration and, in the AD FS claimsection, enable the corresponding option to ensure correct interpretation of authentication attributes.

hashtag
2. VPN User Group Configuration

Create a user group that will be associated with SAML authentication.

  1. Navigate to User & Authentication > User Groups.

  2. Create a new user group with the following characteristics:

  • Name: GRP_VPN_SAML_FACESIGN (or a descriptive name).

  • Type: Firewall.

  • Remote Groups: Add the SSO server created in the previous step (Facesign SAML) as a member of this group.

hashtag
3. IPsec VPN Tunnel Configuration

This section details the creation and configuration of the IPsec tunnel.

  1. Go to VPN > IPsec Tunnels and start the creation wizard (VPN Creation Wizard).

  2. Select the template Custom and set a name for the tunnel, such as SAML_VPN.

  1. Network Settings (Network):

  • IP Version: IPv4.

  • Remote Gateway: Dialup User.

  • Interface: Select the corresponding WAN interface.

  • Client Address Range: Define the range of IP addresses that will be assigned to VPN clients.

  • DNS Server: Specify the DNS servers that will be used by connected clients.

  • Accessible Networks: Define the internal networks that can be accessed through the VPN.

  1. Authentication Settings (Authentication):

  • Method: Pre-shared Key.

  • Version: IKEv2.

  • Peer Types: Any peer ID.

  1. Phase 1 Settings (Phase 1 Proposal):

  • Encryption/Authentication: Select the desired algorithms (e.g., AES256/SHA256).

  • Diffie-Hellman Group: Select the appropriate groups (e.g., 14, 5).

  • Key Lifetime: 86400 seconds.

  1. Phase 2 Settings (Phase 2 Selectors):

  • Encryption/Authentication: Select the desired algorithms (e.g., AES128/SHA256).

  • Enable Perfect Forward Secrecy (PFS): Enabled.

  • Diffie-Hellman Group: Select the appropriate group (e.g., 5).

  • Key Lifetime: 43200 seconds.

  • Autokey Keep Alive: Enabled.

hashtag
3.1. Adjustments via Command Line (CLI)

To enable EAP (Extensible Authentication Protocol) authentication, required for SAML integration, run the following commands in the FortiGate CLI:

Then configure the listening port for SAML authentication in global mode:

Finally, associate the SAML server with the corresponding network interface:

hashtag
4. Access Policy (Firewall Policy) Configuration

Create a firewall policy to allow VPN traffic to the internal network.

  1. Navigate to Policy & Objects > Firewall Policy.

  2. Create a new policy with the following parameters:

  • Name: VPN_SAML_LAN (or a descriptive name).

  • Incoming Interface: The IPsec tunnel interface (SAML_VPN).

  • Outgoing Interface: Your local network (LAN) interface.

  • Source: The user group (GRP_VPN_SAML_FACESIGN) and the VPN IP range.

  • Destination: The local network that will be accessed.

  • Service: ALL (or specific services).

  • Action: ACCEPT.

  • Inspection Mode: Flow-based.

hashtag
5. VPN Client Configuration (FortiClient)

On the endpoint client, configure the IPsec VPN connection in FortiClient.

  1. Create a new VPN connection with the following settings:

  • VPN Type: IPsec VPN.

  • Connection Name: IPSEC FACESIGN (or a descriptive name).

  • Remote Gateway: The external address of your VPN (vpn.facesign.in).

  • Authentication Method: Pre-shared Key.

  • Single Sign-On (SSO) for VPN Tunnel: Enable.

  1. Configure the Phase 1 and Phase 2 proposals so they match the settings defined on the firewall (IKE Proposal, DH Group, Key Lifetime, etc.).

hashtag
6. Connection and Authentication Process

  1. In FortiClient, the user selects the connection VPN_SAML_IPSEC and clicks Connect.

  1. A Facesign SAML authentication window will be displayed, requesting biometric authentication.

  1. After successful biometric verification, the VPN connection is established, and the user will have access to the internal network resources defined in the firewall policy.

hashtag
Support and Contact

For technical support or questions, use the FaceSign Admin Portal or contact our team through the official channels.

PreviousFacial Biometrics Integration Guide via SAML-SSL ProtocolNextCRM

Last updated