# Facial Biometrics Integration Guide via SAML-IPsec Protocol

#### Prerequisites

Before starting the setup process, ensure the following item is available:

1. **Digital Certificate:** The digital certificate provided by Facesign is essential to establish trust between the FortiGate (Service Provider) and the Facesign platform (Identity Provider). Import this certificate into your FortiGate appliance before proceeding.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FnH03LvGZkypxvklJX9oN%2Fimage.png?alt=media&#x26;token=908e3504-1935-4b74-b7e4-5fa7a0e025c5" alt=""><figcaption></figcaption></figure>

***

### 1. Single Sign-On (SSO) Configuration with Facesign

The first step is to register Facesign as a SAML identity provider on the FortiGate.

1. Access the FortiGate administration interface and navigate to **User & Authentication > Single Sign-On.**

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FqWuXE3xKaNsktKzt02aq%2Fdoc.jpg?alt=media&#x26;token=f606353f-fd5e-48ad-8d50-4b46b2d2508d" alt=""><figcaption></figcaption></figure>

2. Create a new SSO entry with the following specifications:

* **Name**: `Facesign SAML` (or a descriptive name of your choice).
* **Service Provider Configuration:**
  * **Address:** Enter the external access address of your VPN, in the format `vpn.yourdomain.com.br:xxxx`. Alternatively, the IP address and the corresponding port may be used.
* **Identity Provider Details:**
  * Use the URLs (Entity ID, Single Sign-on service URL, Single logout service URL) provided by the Facesign portal.
  * Import the Facesign digital certificate previously uploaded to the FortiGate.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FzIwbuFKwJqWNJvAxAy2k%2Fimage.png?alt=media&#x26;token=e40b267e-8463-413d-ac5d-4361d481e8a2" alt=""><figcaption></figcaption></figure>

3. After creation, edit the SSO configuration and, in the **AD FS claim** section, enable the corresponding option to ensure correct interpretation of authentication attributes.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2Fuw4Yy5WxXuhrQMEgWSeZ%2Fimage.png?alt=media&#x26;token=e9d3ad99-0ce1-429e-8e17-9c96b0821d18" alt=""><figcaption></figcaption></figure>

***

### 2. VPN User Group Configuration

Create a user group that will be associated with SAML authentication.

1. Navigate to **User & Authentication > User Groups.**
2. Create a new user group with the following characteristics:

* **Name:** `GRP_VPN_SAML_FACESIGN` (or a descriptive name).
* **Type**: `Firewall`.
* **Remote Groups**: Add the SSO server created in the previous step (`Facesign SAML`) as a member of this group.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FlunAF5eZzn1wYNF41J0k%2Fdoc%20II.jpg?alt=media&#x26;token=dea24031-c2c9-44c0-98e6-39870b7236d3" alt=""><figcaption></figcaption></figure>

***

### 3. IPsec VPN Tunnel Configuration

This section details the creation and configuration of the IPsec tunnel.

1. Go to **VPN > IPsec Tunnels** and start the creation wizard (`VPN Creation Wizard`).
2. Select the template **Custom** and set a name for the tunnel, such as `SAML_VPN`.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FaSIF9emAsIUmef5qJvuP%2Fimage.png?alt=media&#x26;token=4df4c586-2c77-4334-8192-9881a74f529b" alt=""><figcaption></figcaption></figure>

3. **Network Settings (Network):**

* **IP Version:** IPv4.
* **Remote Gateway:** Dialup User.
* **Interface**: Select the corresponding WAN interface.
* **Client Address Range**: Define the range of IP addresses that will be assigned to VPN clients.
* **DNS Server:** Specify the DNS servers that will be used by connected clients.
* **Accessible Networks**: Define the internal networks that can be accessed through the VPN.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FndI1h4FoJELkNxDeFchy%2Fimage.png?alt=media&#x26;token=bf71628f-2798-41b8-983d-69adc17819e8" alt=""><figcaption></figcaption></figure>

4. **Authentication Settings (Authentication):**

* **Method**: Pre-shared Key.
* **Version**: IKEv2.
* **Peer Types:** Any peer ID.

5. **Phase 1 Settings (Phase 1 Proposal):**

* **Encryption/Authentication:** Select the desired algorithms (e.g., AES256/SHA256).
* **Diffie-Hellman Group:** Select the appropriate groups (e.g., 14, 5).
* **Key Lifetime:** 86400 seconds.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FU7yCN3QqfXxfhAykdOu7%2Fimage.png?alt=media&#x26;token=89aca37f-695f-420a-825e-51d5f3de4ad6" alt=""><figcaption></figcaption></figure>

6. **Phase 2 Settings (Phase 2 Selectors):**

* **Encryption/Authentication:** Select the desired algorithms (e.g., AES128/SHA256).
* **Enable Perfect Forward Secrecy (PFS):** Enabled.
* **Diffie-Hellman Group:** Select the appropriate group (e.g., 5).
* **Key Lifetime:** 43200 seconds.
* **Autokey Keep Alive:** Enabled.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FYIMiDWJc23oZI7FEWfpf%2Fimage.png?alt=media&#x26;token=ede63e06-6c4e-40db-98ff-2a2a7af9eaef" alt=""><figcaption></figcaption></figure>

#### 3.1. Adjustments via Command Line (CLI)

To enable EAP (Extensible Authentication Protocol) authentication, required for SAML integration, run the following commands in the FortiGate CLI:

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FIBKyXN0mTd7LINF8Bv6T%2Fimage.png?alt=media&#x26;token=131cb063-e02e-462a-b37d-3e83e7d3d8ff" alt=""><figcaption></figcaption></figure>

Then configure the listening port for SAML authentication in global mode:

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2F6VRRm7mmOAW1iUlMdyjR%2Fimage.png?alt=media&#x26;token=3d082044-e3b6-496a-9d67-5e9b8b61901d" alt=""><figcaption></figcaption></figure>

Finally, associate the SAML server with the corresponding network interface:

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FVdPa2xWdBNBLtI17zf7o%2Fimage.png?alt=media&#x26;token=4d1ad914-6557-493c-ae8b-1f3b02a61330" alt=""><figcaption></figcaption></figure>
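The three CLI adjustments above, written out as an added FortiOS CLI example (this is not the content of the screenshots and not Facesign's own configuration). It assumes the tunnel is named `SAML_VPN` as in the wizard step, the WAN interface is `wan1`, the SSO server is `Facesign SAML` from section 1, and port `1001` is chosen for the SAML listener; adjust these to your environment.

```fortios
# Added example: FortiOS CLI equivalent of section 3.1 (assumed names: wan1, port 1001).

# Step 1: enable IKEv2 EAP on the dialup phase 1 so each client is authenticated
# through the SAML server rather than by the pre-shared key alone.
config vpn ipsec phase1-interface
    edit "SAML_VPN"
        set ike-version 2
        set peertype any
        set eap enable
        set eap-identity send-request
    next
end

# Step 2: port on which the FortiGate listens for the client's SAML exchange.
# The client must be able to reach this port on the gateway address it dials.
config system global
    set auth-ike-saml-port 1001
end

# Step 3: bind the SSO server created in section 1 to the interface the tunnel uses.
config system interface
    edit "wan1"
        set ike-saml-server "Facesign SAML"
    next
end
```

After applying, `show vpn ipsec phase1-interface SAML_VPN` should list `set eap enable` and `set eap-identity send-request`; if the client is prompted for a pre-shared key only and never sees the Facesign window, check the interface binding and the listening port first.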

***

### 4. Access Policy (Firewall Policy) Configuration

Create a firewall policy to allow VPN traffic to the internal network.

1. Navigate to **Policy & Objects > Firewall Policy.**
2. Create a new policy with the following parameters:

* **Name**: `VPN_SAML_LAN` (or a descriptive name).
* **Incoming Interface:** The IPsec tunnel interface (`SAML_VPN`).
* **Outgoing Interface:** Your local network (LAN) interface.
* **Source**: The user group (`GRP_VPN_SAML_FACESIGN`) and the VPN IP range.
* **Destination**: The local network that will be accessed.
* **Service**: `ALL` (or specific services).
* **Action**: `ACCEPT`.
* **Inspection Mode:** Flow-based.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2Frzvvp3OTm1SCFuJU4WtF%2Fimage.png?alt=media&#x26;token=b6451db6-af75-40fb-87ce-10cda7c32994" alt=""><figcaption></figcaption></figure>

***

### 5. VPN Client Configuration (FortiClient)

On the endpoint client, configure the IPsec VPN connection in FortiClient.

1. Create a new VPN connection with the following settings:

* **VPN Type:** IPsec VPN.
* **Connection Name:** `IPSEC FACESIGN` (or a descriptive name).
* **Remote Gateway**: The external address of your VPN (`vpn.facesign.in`).
* **Authentication Method:** Pre-shared Key.
* **Single Sign-On (SSO) for VPN Tunnel:** Enable.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FN6Anv7g1tdAu13oUsEWg%2Fimage.png?alt=media&#x26;token=bc773658-15a6-4a9c-bd9f-429097489a5c" alt=""><figcaption></figcaption></figure>

2. Configure the **Phase 1** and **Phase 2** proposals so they match the settings defined on the firewall (IKE Proposal, DH Group, Key Lifetime, etc.).

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FSibo3vLx9nliWsRtkz69%2Fimage.png?alt=media&#x26;token=0aeac704-1331-44a3-bed5-e52b0d4b9cf3" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FHflJf11Bdp5D19wYTpub%2Fimage.png?alt=media&#x26;token=9798621c-a1ef-49d0-a769-e4748c6aefa5" alt=""><figcaption></figcaption></figure>

***

### 6. Connection and Authentication Process

1. In FortiClient, the user selects the connection `VPN_SAML_IPSEC` and clicks **Connect**.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FRAqCBEPzxuSD7p9xtCq2%2Fimage.png?alt=media&#x26;token=bb2807b1-e02e-4ea6-9d02-8d3cf4b78ee9" alt=""><figcaption></figcaption></figure>

2. A Facesign SAML authentication window will be displayed, requesting **biometric authentication.**

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FsxYbjLiVgfQKTYZOi187%2Fimage.png?alt=media&#x26;token=4ffb45bd-1ceb-49bb-be5b-f1c9dc0be94d" alt=""><figcaption></figcaption></figure>

3. After successful biometric verification, the **VPN** connection is established, and the user will have access to the internal network resources defined in the firewall policy.

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2ForLvODOUn9KkH6Gn0lhn%2Fimage.png?alt=media&#x26;token=54f924c6-eebe-4935-a615-71b6680208da" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1944264865-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZHOws1GppZYJspgX4wu1%2Fuploads%2FnBVUTL2t03pnVr9xbNDz%2Fimage.png?alt=media&#x26;token=4306ba44-cc7a-46e0-bfa7-808cbdb936bd" alt=""><figcaption></figcaption></figure>

***

### Support and Contact

For technical support or questions, use the FaceSign Admin Portal or contact our team through the official channels.
