FortiAuthenticator MFA - SAML

Forum|Forum|2 years ago
May 6, 2024
7 replies
3382 views

Hello.

We'd like to configure our FortiAuthenticator as SAML IdP. The first authentication factor is password from AD. We've tested several OTP options: fortitoken, sms, email, etc. and the work fine but we'd like to use another second factor: client certificate. We've used local CA or remote CA, and we've configure "certificate bindings" under user configuration, but when SAML web page is shown, it only asks for username and password, and it doesn't prompt to chose a certificate.

Anyone knows if it's possible to configure 2FA with AD password and user certificate?.

Thank you!.

FortiAuthenticator

Best answer by lmarinovic

Hello Tony,

Unfortunately this is not supported yet. Even if you set certificate bindings on user. This currently can only work for radius. Only second factor under SAML can be:

Mandatory password and OTP
All configured password and OTP factors
Password-only
OTP-only
FIDO

Best regards,

Lazar

Stephen_G

Moderator

Hello tonyagustin,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Stephen_G - Fortinet Community Team

Stephen_G

Moderator

Hello tonyagustin,

We are still looking for someone to help you.

We will come back to you ASAP.

Regards,

Stephen_G - Fortinet Community Team

lmarinovicAnswer

Staff

Hello Tony,

Unfortunately this is not supported yet. Even if you set certificate bindings on user. This currently can only work for radius. Only second factor under SAML can be:

Mandatory password and OTP
All configured password and OTP factors
Password-only
OTP-only
FIDO

Best regards,

Lazar

pminarik

Staff

As far as I am aware, this is not currently supported.

Certificate-bindings are used only for EAP-TLS authentication, SAML IdP currently doesn't support client-certificate verification. You'll need a new feature request for this.