vpolovnikov asked

FortiSASE SWG Pass-through Authentication for Chromebooks

Overview

FortiSASE Secure Web Gateway (SWG) is one of the ways to apply web filtering on Chromebook devices. This guide is a brief explanation and configuration walkthrough on achieving FortiSASE SWG pass-through authentication with Chromebook users/devices.

In order to achieve pass-through authentication for Chromebook users, the FortiSASE SWG SAML configuration should be pointed to the G Suite tenant that manages the Chromebook users in question. Hence, once the user is logged into the laptop, subsequent browsing doesn’t trigger the SWG authentication prompt, providing a seamless experience.


FortiSASE Configuration

SWG User SSO

This is the configuration component that controls the SAML server configuration. In our case, G Suite. The FortiSASE Service Provider configuration is presented below (default):
1662739033019.png


The next step requires G Suite access and configuration of the SAML web app. Below is an example of what the end result will look like on FortiSASE:

1662739064258.png


G Suite Configuration

SAML Web App Configuration

When inside the admin console, locate the ‘Web and mobile apps’ option under the ‘Apps’ menu. Click on ‘Add app’ and ‘Add custom SAML app’. Follow the steps described in the wizard. While going through the wizard, make sure to download the metadata file with the certificate and/or write down the SSO URLs.

Note: The Google certificate should be imported to FortiSASE prior to finishing the SWG SAML configuration (System > Certificates > Import).

Fill in the IdP fields in the FortiSASE portal with the SSO URLs presented in G Suite. Follow the rest of the wizard and configure the settings as per your requirements or leave the defaults.

An example of the SAML app configuration for FortiSASE in the Google Admin console is shown next:

1662739125772.png


FortiSASE SWG Proxy Configuration

The configuration presented in this section is one of multiple ways of configuring proxy settings on Chromebook devices. This example targets Chromebook users in particular rather than managed Chromebook devices and points their laptops to FortiSASE SWG.

Navigate to Devices > Chrome > Settings > Users & Browsers. Locate the Network section and configure proxy settings as shown below:

1662739178649.png

For alternative ways of configuring FortiSASE SWG’s proxy settings for Chromebook devices, refer to Fortinet’s official documentation.


FortiSASE Configuration

User Group

Navigate to Configuration > Access > Users.

Create a user group with the remote server of SWG SSO.

1662739272188.png

This group will be referenced in the SWG policy to enforce authentication to the FortiSASE SWG.


SWG Policy

Navigate to Configuration > Traffic > SWG Policies.

Create a new policy and make sure to reference the earlier created SWG SSO group in the User section.

1662739328946.png


Summary

The presented configuration provides FortiSASE SWG pass-through authentication for Google users. However, it is subject to modification as per individual needs and requirements.

The desired effect is passing Chromebook users’ logon information into the browser’s session with FortiSASE SWG to eliminate the need to authenticate twice.

Note, this method will only work with the G Suite tenant that manages the Chromebook users connecting to FortiSASE SWG. Other authentication methods (local, RADIUS, LDAP users) as well as Cloud providers (Okta, Azure AD) won’t achieve the pass-through authentication effect.


1 Answer

firsthop answered

Thank you for this very detailed guide! I think it should be an article, really, but I don't see an option to convert a question into an article. So, I'll add an "answer" just so we can mark this post as "answered" so it gets more visibility --- there's a lot of good info here.
