FortiSASE SWG Pass-through Authentication for Chromebooks
FortiSASE Secure Web Gateway (SWG) is one of the ways to apply web filtering on Chromebook devices. This guide gives a brief explanation and a configuration walkthrough for achieving FortiSASE SWG pass-through authentication with Chromebook users and devices.
To achieve pass-through authentication for Chromebook users, the FortiSASE SWG SAML configuration should point to the G Suite tenant that manages the Chromebook users in question. Once a user is logged into the laptop, subsequent browsing then doesn't trigger an SWG authentication prompt, which gives a seamless experience.
SWG User SSO
This is the configuration component that controls the SAML server configuration, which in our case is G Suite. The configuration of FortiSASE as a Service Provider is presented below (default):
The next step requires G Suite access and configuration of the SAML web app. Below is an example of what the end result will look like on FortiSASE:
G Suite Configuration
SAML Web App Configuration
When inside the admin console, locate the ‘Web and mobile apps’ option under the ‘Apps’ menu. Click on ‘Add app’ and ‘Add custom SAML app’. Follow the steps described in the wizard. While going through the wizard, make sure to download the metadata file with the certificate and/or write down the SSO URLs.
Note: The Google certificate should be imported to FortiSASE prior to finishing the SWG SAML configuration (System > Certificates > Import).
Fill in the IdP fields in the FortiSASE portal with the SSO URLs presented in G Suite. Follow the rest of the wizard and configure the settings as per your requirements or leave the defaults.
Example of SAML app configuration for FortiSASE in the Google Admin console will be shown next…
FortiSASE SWG Proxy Configuration
The configuration presented in this section is one of multiple ways of configuring proxy settings on Chromebook devices. This example targets Chromebook users in particular rather than managed Chromebook devices and points their laptops to FortiSASE SWG.
Navigate to Devices > Chrome > Settings > Users & Browsers. Locate the Network section and configure proxy settings as shown below:
For alternative ways of configuring FortiSASE SWG’s proxy settings for Chromebook devices, refer to Fortinet’s official documentation.
Navigate to Configuration > Access > Users.
Create a user group with the remote server of SWG SSO.
This group will be referenced in the SWG policy to enforce authentication to the FortiSASE SWG.
Navigate to Configuration > Traffic > SWG Policies.
Create a new policy and make sure to reference the earlier created SWG SSO group in the User section.
The presented configuration provides FortiSASE SWG pass-through authentication for Google users. However, it is subject to modification as per individual needs and requirements.
The desired effect is passing Chromebook users’ logon information into the browser’s session with FortiSASE SWG to eliminate the need to authenticate twice.
Note that this method will only work with the G Suite tenant that manages the Chromebook users connecting to FortiSASE SWG. Other authentication methods (local, RADIUS, LDAP users) as well as cloud providers (Okta, Azure AD) won’t achieve the pass-through authentication effect.