
SSO with Keycloak

Requirements

  • FortiGate with at least FortiOS 7.X
  • Keycloak (26.X ideally)

This has been tested with Keycloak 26.X and FortiOS 7.6.6

If you want separate permissions for admin SSO and, for example, VPN SSO (regular users), you need two separate Keycloak clients, one per FortiGate SAML service provider.

Keycloak Setup

Keycloak Client Setup (basic)

  1. Log into Keycloak and go to Clients
  2. Create a new Client of type SAML and set the Client ID to http://<your-fortigate-ip-or-fqdn>/metadata (this value must match the SP entity ID shown by the FortiGate character for character, including the scheme and any trailing slash, or the FortiGate's requests will be rejected as coming from an unknown issuer)
  3. Finish the Create client wizard with default Settings for now

Keycloak Client Setup (advanced)

  • General Settings
    • Set a Display Name for Name
  • Access settings
    • Set your desired Access Address as Root URL and Home URL
    • Set https://<your-fortigate-ip-or-fqdn>/saml/?acs as Valid Redirect URIs
  • SAML capabilities
    • Set Name ID Format to username 
    • Enable Force POST Binding
  • Signature and Encryption
    • Enable Sign documents
    • Enable Sign assertions

FortiGate Setup

Preparation

  1. Download the X.509 certificate from https://<your-keycloak-uri>/realms/<realm-name>/protocol/saml/descriptor
     • Look for the value of <ds:X509Certificate>
     • Paste that content into a file with -----BEGIN CERTIFICATE----- as the first line and -----END CERTIFICATE----- as the last
  2. Log into FortiGate and go to System - Certificates
  3. Click Create/Import and select Remote Certificate
  4. Upload the previously created file
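Copying the base64 blob out of the descriptor by hand is error-prone (stray whitespace, the encryption key instead of the signing key, a truncated line). The script below does the same preparation step automatically: it fetches the Keycloak descriptor, picks the KeyDescriptor with use="signing", wraps it into the PEM file FortiGate's Remote Certificate import expects, and also prints the entityID so the IdP entity ID can be cross-checked later. This is an added example and not code from the page, from Keycloak or from Fortinet; it assumes the descriptor layout Keycloak serves (EntitiesDescriptor/EntityDescriptor/IDPSSODescriptor/KeyDescriptor), and the embedded sample descriptor is constructed for illustration with a fake certificate body.

```python
"""Turn a Keycloak SAML IdP descriptor into the PEM file FortiGate expects.

Added example, not from the page, Keycloak or Fortinet. Assumes the descriptor
layout Keycloak serves at /realms/<realm>/protocol/saml/descriptor. The sample
descriptor at the bottom is constructed; its certificate body is not a real
certificate, only a DER-shaped byte string.
"""
import base64
import sys
import textwrap
import urllib.request
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def idp_entity_id(xml_text):
    """Return the entityID, which is what FortiGate needs as 'IdP entity ID'."""
    root = ET.fromstring(xml_text)
    for ed in root.iter(MD + "EntityDescriptor"):
        if ed.get("entityID"):
            return ed.get("entityID")
    raise ValueError("no EntityDescriptor with an entityID in descriptor")


def signing_cert_b64(xml_text):
    """Return the base64 body of the IdP signing certificate.

    A KeyDescriptor with use="signing" (or with no use attribute, which means
    both) holds the key that validates 'Sign documents' / 'Sign assertions'.
    An encryption-only key is deliberately skipped: importing it would make
    every signed response fail verification on the FortiGate.
    """
    root = ET.fromstring(xml_text)
    for kd in root.iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(".//" + DS + "X509Certificate")
        if cert is not None and cert.text:
            return "".join(cert.text.split())  # drop any whitespace/newlines
    raise ValueError("no signing X509Certificate in descriptor")


def to_pem(b64_body):
    """Wrap the base64 body at 64 columns between BEGIN/END CERTIFICATE lines."""
    der = base64.b64decode(b64_body, validate=True)
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is tag 0x30;
    # anything else means the wrong element was copied.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER certificate")
    body = "\n".join(textwrap.wrap(b64_body, 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def descriptor_to_pem(xml_text):
    """Return (idp_entity_id, pem_text) for a descriptor document."""
    return idp_entity_id(xml_text), to_pem(signing_cert_b64(xml_text))


# Constructed sample descriptor (hypothetical host keycloak.example.com, realm "demo").
SAMPLE_B64 = base64.b64encode(bytes([0x30, 0x82]) + bytes(range(200))).decode()
SAMPLE_DESCRIPTOR = f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://keycloak.example.com/realms/demo">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://keycloak.example.com/realms/demo/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


if __name__ == "__main__":
    # Usage: python idp_cert.py https://<keycloak>/realms/<realm>/protocol/saml/descriptor idp.pem
    if len(sys.argv) != 3:
        entity, pem = descriptor_to_pem(SAMPLE_DESCRIPTOR)  # offline demo on the sample
    else:
        with urllib.request.urlopen(sys.argv[1]) as resp:  # live fetch over TLS
            entity, pem = descriptor_to_pem(resp.read())
        with open(sys.argv[2], "w") as fh:
            fh.write(pem)
    print("IdP entity ID:", entity)
    print(pem)
```

Upload the resulting file under System - Certificates as a Remote Certificate; the printed entityID is the value that goes into IdP entity ID in the next section, so if the two differ the import is not the problem, the realm URL is.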

Admin SSO Configuration

  1. Log into FortiGate and go to Security Fabric - Fabric Connectors
  2. Right-Click on Security Fabric Setup - Edit - Single Sign-On Settings
    • Set Mode to Service Provider (SP)
    • Click Use current browser address to fill in the SP address automatically; the SP entity ID and ACS URL derived from it must match the Client ID and Valid Redirect URIs entered in Keycloak, so open the FortiGate through the same address you configured there
    • Configure the Default admin profile to your desired Settings
    • IdP Settings
      • Set IdP type to Custom
      • Set IdP certificate to the name of the previously uploaded certificate (FortiGate names imported remote certificates REMOTE_Cert_X, e.g. REMOTE_Cert_1)
      • Set IdP entity ID to https://<your-keycloak-uri>/realms/<realm-name>
      • Set IdP single sign-on URL to https://<your-keycloak-uri>/realms/<realm-name>/protocol/saml
      • Set IdP single logout URL to https://<your-keycloak-uri>/realms/<realm-name>/protocol/saml