Integrate with FortiGate SSL VPN
Support level: Community
What is FortiGate SSL VPN?
FortiGate is Fortinet's next-generation firewall. Its SSL VPN feature lets remote users connect to protected network resources through a FortiGate firewall.
-- https://www.fortinet.com/products/next-generation-firewall
Preparation
The following placeholders are used in this guide:
fortigate.companyis the FQDN of your FortiGate SSL VPN.authentik.companyis the FQDN of the authentik installation.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
Prerequisites
- A working FortiGate SSL VPN configuration.
- A FortiGate local certificate to use for the SAML service provider (SP).
- An authentik certificate to use for signing SAML responses.
authentik configuration
To support the integration of FortiGate SSL VPN with authentik, you need to create an application/provider pair in authentik.
Create a user group
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Directory > Groups and click Create.
- Set a descriptive name for the group, for example
FortiGate SSL VPN Users. - Add the users who should have access to FortiGate SSL VPN.
- Click Save.
Create an application and provider in authentik
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the Slug value because it will be required later.
- Choose a Provider type: select SAML Provider as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the ACS URL to
https://fortigate.company/remote/saml/login. - Set the Audience to
https://fortigate.company/remote/saml/metadata. - Set the SLS URL to
https://fortigate.company/remote/saml/logout. - Under Advanced protocol settings:
- Set Signing Certificate to the certificate authentik should use to sign SAML responses.
- Enable Sign responses.
- Set the ACS URL to
- Configure Bindings: create a binding to the FortiGate SSL VPN user group.
-
Click Submit to save the new application and provider.
Download the signing certificate
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Providers and click the FortiGate SSL VPN provider.
- Click Download under Download signing certificate. You will import this certificate into FortiGate.
FortiGate configuration
Import the authentik signing certificate
- Log in to the FortiGate administrative interface.
- Navigate to System > Certificates.
- Select Create/Import > Remote Certificate.
- Upload the authentik signing certificate you downloaded earlier.
- Note the certificate name that FortiGate assigns to the imported certificate.
Create the SAML single sign-on server
SSH into FortiGate and run the following commands, replacing authentik-signing-certificate with the imported authentik certificate name and Fortinet_Factory with the FortiGate local certificate that FortiGate should use as the SP certificate.
config user saml
edit "authentik-sso"
set cert "<Your Fortinet Cert>"
set entity-id "https://fortigate.company/remote/saml/metadata"
set single-sign-on-url "https://fortigate.company/remote/saml/login"
set single-logout-url "https://fortigate.company/remote/saml/logout"
set idp-entity-id "https://authentik.company/application/saml/<application_slug>/metadata/"
set idp-single-sign-on-url "https://authentik.company/application/saml/<application_slug>/"
set idp-single-logout-url "https://authentik.company/application/saml/<application_slug>/"
set idp-cert "authentik-signing-certificate"
set user-name "http://schemas.goauthentik.io/2021/02/saml/username"
set group-name "http://schemas.xmlsoap.org/claims/Group"
set digest-method sha256
next
end
Create the FortiGate user group
Run the following commands, replacing FortiGate SSL VPN Users with the exact name of the authentik group whose members should have VPN access.
config user group
edit "sslvpn-users"
set member "authentik-sso"
config match
edit 1
set server-name "authentik-sso"
set group-name "FortiGate SSL VPN Users"
next
end
next
end
Add the group to SSL VPN
- In the FortiGate administrative interface, navigate to VPN > SSL-VPN Settings.
- In the Authentication/Portal Mapping table, create a mapping for the
sslvpn-usersgroup and select the SSL VPN portal that group should use. - Apply your changes.
- Ensure that the SSL VPN firewall policy includes the
sslvpn-usersgroup.
If users are redirected back to authentik with an immediate logout after authentication, confirm that the FortiGate user group is mapped to an SSL VPN portal and included in the relevant firewall policy.
Configuration verification
To confirm that authentik is properly configured with FortiGate SSL VPN, open the FortiGate SSL VPN portal. You should be redirected to authentik to authenticate, and then redirected back to the FortiGate SSL VPN portal.
If you use FortiClient tunnel mode, enable Enable Single Sign On (SSO) for VPN Tunnel in the FortiClient SSL VPN connection settings.
Troubleshooting
To enable SAML debug logging in FortiGate, run the following commands:
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable
Check that the user-name and group-name values in FortiGate exactly match the SAML attribute names sent by authentik, and that the FortiGate user group match uses the exact authentik group name.