systemgeek
Visitor III
April 25, 2024
Solved

Fortigate client based ssl-vpn with saml group matching

  • April 25, 2024
  • 2 replies
  • 2929 views

I am testing out client based ssl-vpn using SAML Auth.  When I debug saml on the fortigate I see that the group that comes back from SAML is correct, but I am getting added to the wrong portal.


I have the user group configured as per https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-with-entra-id-acting-as-saml-idp with:

config user group
    edit FortiGateAccess
        set member azure
        config match
            edit 1
                set server-name azure
                set group-name <object ID>
            next
        end
    next
end


How does the fortigate relate the group name to the portal name?

Best answer by dbu

Multi-realm can also serve in the scenario where a user is part of several groups and you want to make sure they will access the right portal based on that group membership.

I think you need to verify the authentication rules and check if the group is mapped to a portal. 
[image: authportal.PNG]

I believe you are not matching a group on the list and going to the default portal at the end.
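To make the answer concrete, the following is an added Python example (written for this thread, not code from Fortinet or from the poster) that walks a SAML login through a FortiOS-style config the way the answer describes: the group value returned in the assertion is matched against the `config match` entries of the user groups, and the resulting local group is then looked up in the SSL-VPN `authentication-rule` list. The config text, object IDs, group names and portal names are constructed for the example, and the code assumes the rules are evaluated top-down with the first matching rule winning; a group that has a match entry but no authentication rule falls through to `default-portal`, which is exactly the "wrong portal" symptom in the question.

```python
"""Trace a SAML login through FortiOS user-group matching and SSL-VPN
authentication rules to find the portal it would land on.

Added example for this thread, not FortiGate code. Assumptions are marked.
"""
import shlex

# Constructed FortiOS-style config (object IDs, group and portal names are
# made up). "FortiGateAccess" has a SAML match entry but no authentication
# rule, which is the situation the accepted answer describes.
SAMPLE_CONFIG = """
config user group
    edit "FortiGateAccess"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "11111111-2222-3333-4444-555555555555"
            next
        end
    next
    edit "VPN-Admins"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
            next
        end
    next
end
config vpn ssl settings
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPN-Admins"
            set portal "full-access"
        next
    end
end
"""


def _new_node():
    return {"set": {}, "config": {}, "entries": {}}


def parse_fortios(text):
    """Parse the config/edit/set/next/end structure into nested dicts."""
    root = _new_node()
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles the quoted names
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            node = _new_node()
            stack[-1]["config"][" ".join(parts[1:])] = node
            stack.append(node)
        elif kw == "edit":
            node = _new_node()
            stack[-1]["entries"][parts[1]] = node
            stack.append(node)
        elif kw == "set":
            stack[-1]["set"][parts[1]] = parts[2:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def match_local_groups(cfg, server_name, saml_group_values):
    """Local user groups whose 'config match' entry names this SAML server
    and one of the group values carried in the assertion."""
    matched = []
    for name, grp in cfg["config"]["user group"]["entries"].items():
        for entry in grp["config"].get("match", _new_node())["entries"].values():
            srv = entry["set"].get("server-name", [""])[0]
            gname = entry["set"].get("group-name", [""])[0]
            if srv == server_name and gname in saml_group_values:
                matched.append(name)
                break
    return matched


def resolve_portal(cfg, local_groups):
    """First authentication-rule whose 'groups' intersects the user's local
    groups wins (assumed first-match order); otherwise default-portal."""
    ssl = cfg["config"]["vpn ssl settings"]
    rules = ssl["config"].get("authentication-rule", _new_node())["entries"]
    for rule_id, rule in rules.items():
        if set(rule["set"].get("groups", [])) & set(local_groups):
            return rule["set"]["portal"][0], "authentication-rule " + rule_id
    return ssl["set"]["default-portal"][0], "default-portal (no rule matched)"


def portal_for_login(config_text, server_name, saml_group_values):
    """Return (matched local groups, (portal, reason)) for one login."""
    cfg = parse_fortios(config_text)
    groups = match_local_groups(cfg, server_name, saml_group_values)
    return groups, resolve_portal(cfg, groups)


if __name__ == "__main__":
    for claims in (["11111111-2222-3333-4444-555555555555"],
                   ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]):
        print(claims, "->", portal_for_login(SAMPLE_CONFIG, "azure", claims))
```

Running it shows the first login matching `FortiGateAccess` but landing on `web-access` via `default-portal`, while the second matches `VPN-Admins` and gets `full-access` from rule 1. In FortiOS terms the missing piece for the first case is an entry under `config vpn ssl settings` / `config authentication-rule` with `set groups "FortiGateAccess"` and `set portal` pointing at the intended portal; in the GUI that is the Authentication/Portal Mapping table mentioned in the thread.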

2 replies

systemgeek
Visitor III
April 25, 2024

In ssl-vpn settings I see at the bottom Authentication/Portal Mapping.  So does that mean the group name from saml must match the portal name?

dbu
Staff
April 25, 2024
systemgeek
Visitor III
April 25, 2024

It looks like the ssl-vpn multi-realms are for setting individual login pages for different realms.


I want to know what connects the group attribute that SAML returns to the vpn portal.  I am pretty sure I deleted something or broke something and that's why it's not working right.  Authentication Settings might be it but I am clueless on how to configure it right.
