hallboys
New Member
September 26, 2022
Solved

Root FortiGate as both SP (Azure) and IdP for downstream nodes

  • September 26, 2022
  • 1 reply
  • 1155 views

I have configured SAML SSO for management on the root FortiGate (200F, 7.2.1) with the FortiGate as SP and Azure as IdP, and it works fine. However, when I join downstream FortiGates (40F, 7.2.1) and leave the SSO as "Auto", it is stuck in "Pending" forever. I am assuming that this is because the root is not acting as an IdP. Wondering if it is possible for the root FortiGate to act as both SP (for Azure) and IdP for downstream nodes. Any help is appreciated.

Thanks

SV


Best answer by pminarik (Staff), September 27, 2022

As it is currently designed, each FortiGate can only act as either an SP or an IdP, including the root.

It is not possible for a FortiGate to act as a "SAML proxy", i.e. acting as IdP towards downstream FortiGates and proxying the requests to another IdP (acting as an SP towards that IdP).


If FAC is "on the table", you could consider using its SAML proxy feature. That way all of your FortiGates would point to the FAC as their IdP, and the FAC would proxy this to Azure. But this only really makes sense if you want the FAC to actually do something useful in the flow (e.g. injecting 2FA with FortiTokens), or if there is some administrative limitation in Azure (maybe you cannot, or don't want to, make an SP entry in Azure for each and every FortiGate, etc.).
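As an added illustration (not part of the thread, and not Fortinet documentation), the `config system saml` block below shows where the single-role limit sits in the FortiOS CLI: `set role` accepts exactly one of `service-provider` or `identity-provider`, the `idp-*` settings that describe an upstream IdP are offered in the service-provider role, and the `service-providers` table that describes downstream SPs is offered in the identity-provider role, so one FortiGate never holds both halves of a proxy. The block is written for the FAC-proxy arrangement the answer suggests: the root FortiGate is an SP whose IdP is the FortiAuthenticator rather than Azure. Hostnames (`fgt-root.example.com`, `fac.example.com`), the `<prefix>` path element and the certificate names are placeholders I chose; the real IdP URLs and signing certificate come from the FortiAuthenticator's own SAML IdP metadata.

```text
# Added example, not from the thread. Root FortiGate as a SAML SP towards a
# FortiAuthenticator SAML proxy (the FAC is configured separately as an SP of
# Azure). Placeholders: fgt-root.example.com, fac.example.com, <prefix>,
# certificate names "Fortinet_Factory" and "FAC_IdP_Cert".
config system saml
    set status enable
    set role service-provider          # one value only: service-provider | identity-provider
    set default-login-page sso         # show the SSO button on the admin login page
    set default-profile "super_admin"  # profile for SSO admins with no matching local account
    set cert "Fortinet_Factory"        # SP signing certificate presented to the IdP
    set binding-protocol post
    # This FortiGate's own SP endpoints; these are what gets registered on the
    # FAC as this device's SP entry.
    set entity-id "https://fgt-root.example.com/metadata/"
    set single-sign-on-url "https://fgt-root.example.com/saml/?acs"
    set single-logout-url "https://fgt-root.example.com/saml/?sls"
    # The upstream IdP. With the FAC in the path these point at the FAC, not at
    # Azure; only the FAC knows about Azure.
    set idp-entity-id "https://fac.example.com/saml-idp/<prefix>/metadata/"
    set idp-single-sign-on-url "https://fac.example.com/saml-idp/<prefix>/login/"
    set idp-single-logout-url "https://fac.example.com/saml-idp/<prefix>/logout/"
    set idp-cert "FAC_IdP_Cert"        # FAC IdP signing cert imported as a remote certificate
end
```

Each downstream FortiGate carries the same block with its own `entity-id`, `single-sign-on-url` and `single-logout-url`, and each of those devices appears as a separate SP entry on the FAC. That per-device registration is the administrative overhead the answer mentions; it moves from Azure to the FAC rather than disappearing. Verify the `idp-cert` against the certificate published in the FAC's IdP metadata before enabling `default-login-page sso`, since a wrong or expired IdP certificate locks SSO admins out without affecting local accounts.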
