yang121
New Member
October 19, 2022
Question

Forticlient and SAML to Azure


We’ve been authenticating our VPN on prem. I’m interested in changing it to SAML via Azure, but had a few questions. First, we have multiple locations, but for the most part each one is a different group. People at location B won’t VPN to location A or C or D. Do you use a different enterprise application in Azure for each site, or one app for all and manage access after the connection?

Second, our devices are all Azure joined and Intune enrolled. What is the user experience like while connecting? Does SSO kick in and reduce login prompts at all? This would be a huge benefit.


kiri
Staff & Editor
October 20, 2022

Hi yang121,

You can use the same enterprise application for all 3 locations/firewalls.
On the Azure side, all the 3 groups should be allowed to connect.
You will filter/restrict the groups on each firewall.

config user group
    edit "AzureGroup"
        set member "Azuresaml"
        config match
            edit 1
                set server-name "Azuresaml"
                set group-name "azuregroupidA"
            next
        end
    next
end

Only members of azuregroupidA can connect to this firewall.
This should work fine as long as the users aren't members of all 3 groups at once.

Regarding Intune, I didn't test that yet and I don't have an answer.
Maybe another member of the community could answer that.
Otherwise, I'll see if I can come back with a response in the next few days.
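A fuller version of the per-firewall restriction kiri describes, written here as an added example rather than anything posted in this thread: the SAML server object on each FortiGate points at the shared Azure enterprise application, the local user group matches only that site's Azure group object ID, and an SSL-VPN authentication rule binds the group so nobody outside it reaches a portal. The hostname, tenant ID, certificate names and group object ID are placeholders you replace with your own values.

```fortios
# Constructed example, not from the thread. SAML server object; the
# entity-id / single-sign-on-url are what this site's FortiGate presents
# to the shared Azure enterprise application.
config user saml
    edit "Azuresaml"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn-siteA.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn-siteA.example.com/remote/saml/login/"
        set single-logout-url "https://vpn-siteA.example.com/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/saml2"
        set idp-cert "AzureAD_IdP_cert"
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end

# Local group that accepts an assertion only when its "group" attribute
# carries this site's Azure group object ID. Site B and C firewalls put
# their own group object ID here, so one Azure app serves all sites.
config user group
    edit "AzureGroup"
        set member "Azuresaml"
        config match
            edit 1
                set server-name "Azuresaml"
                set group-name "<AZURE-GROUP-OBJECT-ID-SITE-A>"
            next
        end
    next
end

# Bind the group to the SSL-VPN: users whose assertion does not match
# the group above get no portal on this firewall.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "AzureGroup"
            set portal "full-access"
        next
    end
end
```

The `#` lines are annotations for the reader; drop them before pasting into the CLI.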

JohnHogman
New Member
October 5, 2023

Hi,

But you specify the FortiGate's IP/DNS in the Enterprise application under "Basic SAML configuration". So I guess you need to have one Enterprise application per FortiGate that authenticates SAML users?