Skip to main content
EddieAllen3
EddieAllen3
New Member
February 7, 2023
Question

SSL VPN auth question

  • February 7, 2023
  • 2 replies
  • 1540 views

Hi,

 

          So I currently have a ssl vpn setup using AD with user certs.   I am trying to keep the that setup active but create a azure saml auth so that I can move everyone over to that and remove the AD/cert.    The issue I have run into is it seems I need to use realms for this to happen as even turning off the global user cert check and turning it on the auth rule/groups it still checked for certs when using a saml user. 

 

I am wondering if I can leave the setup as is and then move the saml part over to a realm or do I have to have a seperate realm for each dif auth for it to work?    The main issue is I have around 40 remote users and I do not have EMS so I have to manually install a new version of forticlient and reconfigure the  connection profile.   I want to avoid having to go back a 2nd time and doing anything on the clients if I have can. 

 

Eddie 

2 replies

gfleming
Staff
gfleming
Staff
February 7, 2023

I believe using realms would be the best way to do what you want. Is there an issue with using realms this case?

 

Apart from that I don't see how it can be accomplished...

Debbie_FTNT
Staff & Editor
Debbie_FTNT
Staff & Editor
February 8, 2023

Hey Eddie,

 

I believe having the SAML authentication restricted to a specific realm (and the AD/cert auth with default realm "/") should be sufficient, but there were a few bugs around FortiGate still prompting certificates with the default realm in use, so you might need to do specific realms for both methods.

I understand this requires updating the FortiClient configurations to point to the new VPN gateway (including realm), but you should not be required to install a new version of FortiClient for that change.
I assume you already have a FortiClient set up to connect for the SAML authentication? I would suggest adding a realm for SAML, then trying to connect to the new realm. If that fails due to the certificate requirement, then you will need two separate realms, and will also need to update the clients still using AD/cert auth to access the new realm.

EddieAllen3
EddieAllen3Author
New Member
February 10, 2023

I created a realm for just the saml config and it does work so far but I have not implemented saml yet except for a few users.    After upgrading a few of the client I purchased EMS so I can avoid doing this manual work again going forward.    Now I have to get it all work in EMS so I can do 1 final manual install.    I think I am going to make 2 profiles so there are not issues and then convert all of them using EMS over to saml at one time.  I have never used EMS so we will see how it goes.

Terms & ConditionsAccessibility statement