ForgetItNet
Explorer II
May 13, 2025
Solved

Advice on what's needed for SAML


Hi all,

I'm trying to move our VPNs away from SSL to IPsec, which I've managed to do for our Windows machines (which are the majority), but I've been struggling to get iPads to work. I've managed to get them working on IKEv2 with a pre-shared key as long as I don't enable 2FA (just to confirm the VPN works), but I've found an updated post on Fortinet saying that, due to a limitation on iOS, you can't use 2FA on IPsec with a pre-shared key and the only option is to use SAML certificates. However, there seems to be a lot of confusing information on going about this and what exactly is needed. So, am I correct in understanding that to get iPads to connect using IKEv2 and 2FA I only need our FortiGate 100F and an identity provider such as Azure? I don't NEED EMS or anything else to get this to work, do I?

Also, can the 100F do the IdP part as well instead of Azure etc., just so it's all contained on the one box?

I'm just trying to clarify what different devices/platforms I need to get together before I start down this road, in case there is any extra cost.

Any advice will be great.

3 replies

Anthony_E
Staff
May 16, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
May 19, 2025

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Best Regards
ForgetItNet (Author, Answer)
Explorer II
May 19, 2025

Thanks Anthony, you can close this off now as I've managed to get it set up in the meantime, but if anyone else comes across this with the same question, I've found that you only need Azure and the FortiGate and nothing else. The EMS "can" push out configs to the end devices if you have it, so it makes rolling it out easier, and it will also allow a greater range of control over what resources you want users to access, but it's not needed for the SSO. This also then removes the need for the FortiToken 2FA, as the 2FA is done via Microsoft SSO (and we use an SMS code to users' phones for this anyway).