# Fortinet VPN

## **Fortinet VPN Integration via SAML Protocol**

High-security integration for VPN access, easy configuration in the Fortinet environment, and simple integration with FaceSign.

{% embed url="https://vimeo.com/1119441393?share=copy" %}

## 🔐 Configure Fortinet VPN Access via SAML with FaceSign

This guide walks step by step through configuring a **FortiGate (FortiOS)** to allow access to the **corporate VPN using SAML authentication with FaceSign**. With this integration, your users connect to the internal network with **single sign-on (SSO)** and **biometric authentication by facial recognition**.

> ✅ FaceSign is already prepared for SAML authentication. This configuration allows Fortinet to use FaceSign as **IdP (Identity Provider)**.

***

### 📋 Prerequisites

Before starting, check that you have:

* A **FortiGate** device running FortiOS 6.4 or higher.
* Administrative access to the FortiGate (via GUI or CLI).
* An active account on **FaceSign** with administrative permissions.
* Your company's domain configured in FaceSign.
* The SAML signing certificate exported from FaceSign (optional, depending on the configuration).

***

### 1. Obtain SAML data from FaceSign

To learn how to obtain the SAML data from FaceSign, see the [FaceSign SAML configuration guide](https://facesign.gitbook.io/biometria/biometria-facial-en/products/mfa/saml-configuration).

***

### 2. Configure SAML on FortiGate

#### Access the FortiGate interface

1. Access the FortiGate web interface (`https://<your-fortigate-ip>`).
2. Log in as administrator.

***

#### Create a new SAML Service

1. Go to **User & Authentication > Single Sign-On**
2. Click **Create New**.
3. Fill in the fields:

| Field                   | Value                                                     |
| ----------------------- | --------------------------------------------------------- |
| **Name**                | `FaceSign-SAML`                                           |
| **IdP Entity ID**       | Paste the **Entity ID** from FaceSign                     |
| **Single Sign-On URL**  | Paste the **SSO URL** from FaceSign                       |
| **IdP Certificate**     | Import the X.509 certificate downloaded from FaceSign     |
| **User Name**           | `name` (or `email`, according to the mapping in FaceSign) |
| **Group Name**          | `group` (optional, if using groups for access policies)   |
| **Digest Method**       | SHA256                                                    |
| **Signature Algorithm** | RSA with SHA256                                           |
| **SLO (Single Logout)** | Disabled (optional)                                       |

> ✅ Check **"Enable"** and save.

***

### 3. Create a SAML User Group

1. Go to **User & Authentication > User Groups**.
2. Click **Create New**.
3. Name the group: `VPN-Access-FaceSign`
4. In **Type**, select **Firewall**.
5. In **Members**, click **Add** and select the created SAML: `FaceSign-SAML`.
6. Save the group.
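The same SAML service and user group from steps 2 and 3, expressed as FortiOS CLI. This is an added example, not part of the original guide or of FaceSign's documentation. The values in angle brackets are placeholders for the Entity ID and SSO URL obtained from FaceSign in step 1; `REMOTE_Cert_1` is assumed to be the name the FortiGate gave the imported IdP certificate, `Fortinet_Factory` is assumed as the SP signing certificate, and the SP-side `entity-id` and `single-sign-on-url` are the FortiGate's own SAML endpoints (the same values must be registered on the FaceSign side). Single Logout is left out to match the "SLO disabled" setting in the table.

```text
# Step 2: SAML service provider definition (User & Authentication > Single Sign-On)
config user saml
    edit "FaceSign-SAML"
        # SP side: the FortiGate's own SAML endpoints.
        # <fortigate-fqdn>:<port> must match the VPN access URL users enter in FortiClient.
        set cert "Fortinet_Factory"
        set entity-id "https://<fortigate-fqdn>:<port>/remote/saml/metadata/"
        set single-sign-on-url "https://<fortigate-fqdn>:<port>/remote/saml/login"
        # IdP side: values copied from FaceSign (step 1)
        set idp-entity-id "<FaceSign Entity ID>"
        set idp-single-sign-on-url "<FaceSign SSO URL>"
        set idp-cert "REMOTE_Cert_1"
        # Assertion attributes the FortiGate reads as user name and group
        set user-name "name"
        set group-name "group"
        set digest-method sha256
    next
end

# Step 3: firewall user group whose only member is the SAML service
config user group
    edit "VPN-Access-FaceSign"
        set member "FaceSign-SAML"
    next
end
```

After applying, `show user saml FaceSign-SAML` and `show user group VPN-Access-FaceSign` should reproduce the values entered in the GUI tables above.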

***

### 4. Configure the VPN Access Profile

#### A. Enable and configure the SSL VPN

1. Go to **VPN > SSL-VPN Settings**.
2. Set:
   * **Listen Interface(s)**: `wan1` (or public interface)
   * **Listen Port**: use the configured port.
   * **Tunnel Mode:** enabled.
3. In **Authentication/Portal Mapping**:
   * Click **Create New.**
   * **User/Group:** select only the SAML user group created in step 3 (`VPN-Access-FaceSign`).
   * **Portal**: select the created portal (e.g., `tunnel-access`).
   * Click **OK.**

***

#### B. Adjust the Firewall Policy

1. Go to **Policy & Objects > IPv4 Policy**.
2. Create a new policy:
   * **Incoming Interface**: `ssl.root` (or SSL-VPN interface)
   * **Outgoing Interface**: `internal` (or internal network)
   * **Source**: always define both the **IP range assigned by the VPN** and the **SAML user group**.
   * **Destination**: `internal-network`
   * **Service**: `ALL`
   * **Action**: `ACCEPT`
   * **NAT**: may be enabled or not, depending on the scenario:
     * **No NAT (recommended)**: when routing to the IP range assigned by the VPN is done directly.
     * **With NAT**: only if necessary in client-to-client environments.
   * **Users**: Select the group `VPN-Access-FaceSign`
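The SSL-VPN settings and firewall policy from steps 4A and 4B as FortiOS CLI, added here as an example (not code from the original guide). `SSLVPN_TUNNEL_ADDR1` is assumed to be the default tunnel IP pool on the FortiGate, `<valid-public-cert>` is a placeholder for the CA-signed certificate recommended under Security Best Practices, and port 443 is assumed as "the configured port". Note that the policy restricts the source by both the VPN-assigned address range and the SAML group, so a tunnel IP alone never grants access.

```text
# Step 4A: SSL-VPN settings (VPN > SSL-VPN Settings)
config vpn ssl settings
    # CA-signed certificate for the portal, not the self-signed default
    set servercert "<valid-public-cert>"
    set source-interface "wan1"
    set source-address "all"
    set port 443
    # Pool of IPs handed out to connected clients
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    # Authentication/Portal Mapping: only the SAML group reaches the tunnel portal
    config authentication-rule
        edit 1
            set groups "VPN-Access-FaceSign"
            set portal "tunnel-access"
        next
    end
end

# Step 4B: policy from the SSL-VPN interface to the internal network
config firewall policy
    # "edit 0" lets the FortiGate assign the next free policy ID
    edit 0
        set name "SSLVPN-FaceSign-to-Internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        # Source = VPN-assigned IPs AND membership in the SAML group
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set groups "VPN-Access-FaceSign"
        set dstaddr "internal-network"
        set action accept
        set schedule "always"
        set service "ALL"
        # "No NAT (recommended)": the internal network routes to the VPN pool directly
        set nat disable
    next
end
```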

> ✅ Save the policy.

***

### 5. Test the Connection

1. Open **FortiClient** and enter the **VPN access URL** (an IP or a hostname; a hostname with a valid certificate is recommended).
2. Make sure the **Single Sign-On (SSO)** option is enabled.
3. You will be redirected to **FaceSign**.
4. Log in with your email.
5. Perform the **biometric authentication by facial recognition**.
6. Once approved, you will be redirected to the **SSL-VPN portal**.
7. Click **"Connect"** to establish the tunnel.

> 🎉 Success! You are connected to the internal network with biometric security.

***

### 🔐 Security Best Practices

* Use **valid SSL certificates** on the FortiGate (not self-signed).
* Limit access to the FortiGate administrative interface.
* Monitor authentication logs in **Log & Report > SAML**.
* Revoke users in FaceSign to immediately block access.
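One way to apply the second practice (limiting access to the administrative interface) on the CLI, added as an example that is not part of the original guide. The management subnet `10.10.0.0/24` is a constructed value; replace it with your own before applying, since a wrong trusted host locks the account out of the GUI and CLI.

```text
# Accept logins for the "admin" account only from the management subnet
# (constructed example value; adjust to your environment before applying)
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end

# Keep the FortiGate clock accurate so SAML assertion validity windows are
# evaluated correctly (the troubleshooting table below depends on this)
config system ntp
    set ntpsync enable
    set type fortiguard
end
```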

***

### 🛠️ Troubleshooting

| Problem                                 | Solution                                                                      |
| --------------------------------------- | ----------------------------------------------------------------------------- |
| "Invalid SAML response"                 | Check the **certificate** and the **FortiGate clock** (synchronize with NTP). |
| Redirection fails                       | Check if the **SSO URL** and **Entity ID** are correct.                       |
| User authenticates but does not connect | Validate if the user is in the group `VPN-Access-FaceSign`.                   |
| Certificate error                       | Import the FaceSign certificate correctly into the FortiGate.                 |
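CLI checks that back the troubleshooting table above, added as an example (not part of the original guide). They assume the SAML object is named `FaceSign-SAML` as configured in step 2; `samld` is the FortiOS SAML daemon whose debug output shows the assertion the IdP returned and why it was rejected (certificate mismatch, expired validity window, wrong Entity ID).

```text
# "Invalid SAML response": first rule out clock skew, which makes a valid
# assertion fall outside its NotBefore/NotOnOrAfter window
execute time
execute date
diagnose sys ntp status

# "Redirection fails" / "Certificate error": review the values in effect
show user saml FaceSign-SAML

# Trace the SAML exchange while reproducing a failed login, then stop tracing
diagnose debug application samld -1
diagnose debug enable
# ... reproduce the login from FortiClient ...
diagnose debug disable
diagnose debug reset

# "User authenticates but does not connect": confirm the user landed in
# VPN-Access-FaceSign and that a tunnel was actually established
diagnose firewall auth list
get vpn ssl monitor
```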

***

### 📚 Additional Resources

* [Fortinet official documentation on SAML](https://docs.fortinet.com)

***

> ✅ Done! Now your users can access the VPN with **security, convenience and AI-verified identity** with FaceSign.

***
