ThibElie
Explorer
November 18, 2025
Question

IPsec Dialup / SAML with multiple IdPs


Hello Team,

Our customers use SSL-VPN on their FortiGate with 2 IdPs:

  • one for their users (EntraID)
  • one for our users (also on EntraID - different tenant)

As part of the migration from SSL-VPN to IPsec Dialup, we will need to use those 2 IdPs with IPsec.

At the moment, it does not seem to be supported in IPsec Dialup (since the ike-saml-server is directly defined on the interface).

We did a PoC with FortiAuthenticator Cloud acting as a SAML proxy (routing based on domain). It works, but it is a very expensive solution just to compensate for a lack of support on the FortiGate...

Are there any other workarounds?
Is the support of multiple IdPs planned in future FortiOS releases?


5 replies

Harper_King
New Member
November 18, 2025

Currently, IPsec Dialup only supports a single SAML IdP per interface, so multiple IdPs aren’t natively supported. Using FortiAuthenticator as a SAML proxy is the usual workaround, though costly. Another option is to segregate users by interface or VPN profile if feasible. You may want to raise this with Fortinet support or check release notes—there’s no public confirmation yet on multi-IdP support in future FortiOS releases.

AEK
SuperUser
November 18, 2025

I suppose one possible solution would be to use two WAN interfaces.

AEK
ThibElie
Author
Explorer
November 19, 2025

Yes... but not all customers have a 2nd public IP available...

ezhupa
Staff
November 19, 2025

Hello,

As mentioned by other users, multiple IdPs with IPsec is currently not possible. There is no news as to when that can become available (if it will become available).
One possible solution, as mentioned by AEK, is having multiple WAN interfaces.

Hope this helps.

ThibElie
Author
Explorer
November 19, 2025

Would it be possible to do a feature request?

Is there any place where other users could "vote" for it?

ezhupa
Staff
November 19, 2025

Hello,

A new feature request can be made, but this also goes through your sales representative.
You would need to contact them for more information on the NFR (new feature request) process.
As far as I know, there is no "public" process in the community for users to vote on it.