Skip to main content
sioannou
sioannou
Explorer II
April 7, 2022
Question

FortiAuthenticator Self-Service Portal and SAML

  • April 7, 2022
  • 5 replies
  • 4971 views

Hi all, 

 

We have a deployment of FortiAuthenticator where we use it as our SAML IDP for all services and platforms, including portal and various FortiNet products. 

 

We are using the self-registration portal of FortiAuthenticators for user self-registration and at the same time the SAML portals are enabled to allow users to navigate to various services. The issue we are phasing is on the self-registration portal if a user tries to reset their password at the end they get redirected to the SAML Login page. Instead of the page loading they are presented with a 403 Forbidden message. 

It looks like the issue is related to the sessionid and cookiesession1 cookies set by FortiAuthenticator on the user browser. 

Has anyone came across this issue before? Is there any known workaround for this?

 

Thanks,

 

Sotiris

5 replies

A
Anonymous_User
Contributor
April 10, 2022

Hello sioannou, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

  Fortinet Community Team 

lmarinovic
Staff
lmarinovic
Staff
April 12, 2022

Hello Sotiris,

 

What is the version of FAC that you are using?

 

Best regards,

 

Lazar

sioannou
sioannouAuthor
Explorer II
April 13, 2022

Hi Lazar,

 

We have tested 6.4.2 and 6.4.3 both GA.

 

Regards,

 

Sotiris

xsilver_FTNT
Staff
xsilver_FTNT
Staff
April 14, 2022

Hi @sioannou,

not sure I completely understand it, but ...

 

I guess you have Authentication/Portals/Portals and there is defined some Portal for self-service. Not quite sure if you have Pre-Login / Password Reset, or Post-Login / Password Change actually enabled and used. It depends on what you want to allow to your users, and if they'd be allowed to reset password even without any previous authentication.

 

Then I guess you have that Portal used in Authentication/Portals/Policies .. and policy type is on top-right corner set as Self-Service Portal. So you have URL like https://<FQDN-of-your-FAC>/portal/selfservice/<policy-name>/  And there your users can do the changes.

 

Then what is the Identity Source of that policy ?

Is it pointing to realm which is SAML based or to local users ?
My guess from what you wrote is that you allow your users to self-register as local users. And then those are served to SAML SPs set/allowed via Authentication / SAML IdP. However Identity Source realm in SAML IdP / General as well as in Portals / Policy is realm pointing to local users, right ?

 

Maybe that is a bit on the edge of forum and you might consider to open technical ticket on Fortinet to provide your configuration privately and maybe to demonstrate the issue on remote session to some of my fellow engineers.

 

 

sioannou
sioannouAuthor
Explorer II
April 15, 2022

Hi Tom,

 

I will take it up with support.

 

Thanks,

 

Sotiris

Terms & ConditionsAccessibility statement