Lukino
New Member
November 25, 2021
Question

VPN SSL SAML with Azure


Hi All,

I've set up SSL VPN on FortiGate 7.0 with Azure SAML.

When the connecting user is a member of one or more security groups that exist only in Azure, everything works fine and I can see all the groups:

samld_send_common_reply [120]: Attr: 10, 47, 'group' '7fff585a-535d-4bdd-a9b5-a377ac759cd9'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'f97a6d8a-d341-4f5b-a504-b6865f867e63'
samld_send_common_reply [120]: Attr: 10, 47, 'group' '8c9e0ebf-7265-49d7-9712-af7ce9dc853c'

 

But as soon as the customer imports a group from on-prem Windows AD and adds the user to this group, I stop seeing the Azure security groups and see only the Windows AD group.

Did anyone see the same behavior?

Thanks :)

Luca
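To check which group attributes actually arrive in the SAML assertion, here is an added Python example (not from the original post and not Fortinet's code) that parses the samld debug lines quoted above and compares the group values against the Azure group object IDs the VPN rules are expected to match on. The line pattern is generalised from the three quoted lines; the failure-case sample and its placeholder value are constructed.

```python
import re

# Constructed sample of FortiGate samld debug output, reusing the three 'group'
# attribute lines quoted in the post (the values are Azure AD group object IDs).
SAMLD_DEBUG_AZURE_ONLY = """\
samld_send_common_reply [120]: Attr: 10, 47, 'group' '7fff585a-535d-4bdd-a9b5-a377ac759cd9'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'f97a6d8a-d341-4f5b-a504-b6865f867e63'
samld_send_common_reply [120]: Attr: 10, 47, 'group' '8c9e0ebf-7265-49d7-9712-af7ce9dc853c'
"""

# Constructed sample of the failure case described in the post: after the on-prem group
# is added, only one group value arrives. The value is a placeholder, not from the post.
SAMLD_DEBUG_AFTER_ONPREM = """\
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'ONPREM-GROUP-PLACEHOLDER'
"""

# Azure group object IDs the SSL VPN authentication rules are expected to match on
# (assumption: the three IDs from the quoted lines).
EXPECTED_AZURE_GROUPS = [
    "7fff585a-535d-4bdd-a9b5-a377ac759cd9",
    "f97a6d8a-d341-4f5b-a504-b6865f867e63",
    "8c9e0ebf-7265-49d7-9712-af7ce9dc853c",
]

# Attribute line pattern generalised from the quoted lines; the two numeric fields are
# treated as opaque and only the attribute name and value are captured.
ATTR_RE = re.compile(
    r"samld_send_common_reply \[\d+\]: Attr: \d+, \d+, '([^']*)' '([^']*)'"
)


def parse_saml_attrs(debug_output):
    """Return {attribute_name: [values in log order]} from samld debug output.

    Lines that do not match the attribute pattern are ignored, so a whole
    debug capture can be passed in unfiltered.
    """
    attrs = {}
    for line in debug_output.splitlines():
        match = ATTR_RE.search(line)
        if match:
            name, value = match.groups()
            attrs.setdefault(name, []).append(value)
    return attrs


def check_groups(debug_output, expected_ids, attr_name="group"):
    """Compare the group values in the assertion with the expected Azure group IDs.

    Returns (present, missing, unexpected), each a sorted list:
      present    - expected IDs that arrived,
      missing    - expected IDs absent from the assertion (the VPN rule will not match),
      unexpected - values that arrived but are not in the expected list.
    """
    seen = set(parse_saml_attrs(debug_output).get(attr_name, []))
    expected = set(expected_ids)
    return (sorted(seen & expected), sorted(expected - seen), sorted(seen - expected))


def report(label, debug_output, expected_ids):
    """Print a short diagnostic for one debug capture."""
    present, missing, unexpected = check_groups(debug_output, expected_ids)
    print(f"{label}: {len(present)} expected group(s) present, {len(missing)} missing")
    for value in missing:
        print(f"  missing expected group: {value}")
    for value in unexpected:
        print(f"  unexpected group value: {value}")


if __name__ == "__main__":
    report("Azure-only user", SAMLD_DEBUG_AZURE_ONLY, EXPECTED_AZURE_GROUPS)
    report("After on-prem group", SAMLD_DEBUG_AFTER_ONPREM, EXPECTED_AZURE_GROUPS)
```

Running the script against a real capture narrows the problem to one side: if the expected IDs are listed as missing, the assertion from Azure no longer carries them and the change is on the IdP side; if they are present but the VPN rule still fails, the FortiGate group matching is the place to look.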

    1 reply

    bpozdena_FTNT
    Staff
    November 29, 2021

    Hi Luca,

    Based on your brief description, it sounds like you may have enabled SAML and LDAP authentication at the same time?

     

    It is generally recommended to remove this ambiguity by creation of separate SSL VPN realms for SAML users and  LDAP users. 

     

    Examples of multi-realm configuration:

    URL identifier

    FQDN identifier 

     

     

    In your case, you will just map SAML user groups to SAML portal and LDAP user groups to LDAP portal. Example:

    config vpn ssl settings
        config authentication-rule
            edit 1
                set groups "AZURE_SAML_USERS"
                set portal "full-access"
                set realm "HR"
            next
            edit 2
                set groups "LDAP_domain_users"
                set portal "full-access"
                set realm "QA"
            next
        end
    end

     

    The result will be that users who access SSL VPN realm https://<FG_IP>/HR will be automatically redirected to SAML IdP login page, while users who access realm https://<FG_IP>/QA will perform standard LDAP authentication. Note that EMS can be used to push different VPN profiles to different users.
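As an added example (not Fortinet's code and not part of the reply), the following Python script parses the authentication-rule block above and reports any realm whose rules mix groups from different authentication sources, which is the ambiguity the reply recommends removing. The mapping of group names to their authentication source is a constructed assumption, as is the counter-example configuration with both groups in one rule and no realm set; a rule without a realm is assumed to serve the default SSL VPN login page.

```python
import shlex

# The two-realm example from the reply above (SAML group -> realm HR, LDAP group -> realm QA).
TWO_REALM_CONFIG = """\
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "AZURE_SAML_USERS"
            set portal "full-access"
            set realm "HR"
        next
        edit 2
            set groups "LDAP_domain_users"
            set portal "full-access"
            set realm "QA"
        next
    end
end
"""

# Constructed counter-example: a SAML group and an LDAP group in one rule with no realm,
# so the default login URL is served by both authentication sources.
MIXED_CONFIG = """\
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "AZURE_SAML_USERS" "LDAP_domain_users"
            set portal "full-access"
        next
    end
end
"""

# Constructed mapping from FortiGate user-group name to the authentication source behind it
# (on a real unit this is derived from each group's member definition under 'config user group').
GROUP_AUTH_TYPE = {"AZURE_SAML_USERS": "saml", "LDAP_domain_users": "ldap"}


def parse_auth_rules(config_text):
    """Return the 'config authentication-rule' entries as dicts {id, groups, portal, realm}.

    Only the keys this check needs are kept. A rule with no 'set realm' is recorded with
    realm "" (assumed to mean the default SSL VPN login page).
    """
    rules, current, in_rules = [], None, False
    for raw_line in config_text.splitlines():
        tokens = shlex.split(raw_line)  # handles the quoted group names
        if not tokens:
            continue
        if tokens[:2] == ["config", "authentication-rule"]:
            in_rules = True
        elif not in_rules:
            continue
        elif tokens[0] == "edit":
            current = {"id": tokens[1], "groups": [], "portal": None, "realm": ""}
        elif tokens[0] == "set" and current is not None:
            key, values = tokens[1], tokens[2:]
            if key == "groups":
                current["groups"] = values
            elif key in ("portal", "realm"):
                current[key] = values[0]
        elif tokens[0] == "next" and current is not None:
            rules.append(current)
            current = None
        elif tokens[0] == "end":
            in_rules = False
    return rules


def realm_auth_types(rules, group_auth_type):
    """Map each realm to the set of authentication sources used by its rules' groups."""
    realms = {}
    for rule in rules:
        for group in rule["groups"]:
            realms.setdefault(rule["realm"], set()).add(group_auth_type.get(group, "unknown"))
    return realms


def ambiguous_realms(rules, group_auth_type):
    """Realms whose rules mix authentication sources.

    An empty list means every realm maps to exactly one source, as the reply recommends.
    """
    return sorted(realm for realm, types in realm_auth_types(rules, group_auth_type).items()
                  if len(types) > 1)


if __name__ == "__main__":
    for label, config in (("two-realm", TWO_REALM_CONFIG), ("mixed", MIXED_CONFIG)):
        rules = parse_auth_rules(config)
        for realm, types in sorted(realm_auth_types(rules, GROUP_AUTH_TYPE).items()):
            print(f"{label}: realm {realm or '<default>'} -> {', '.join(sorted(types))}")
        print(f"{label}: ambiguous realms: {ambiguous_realms(rules, GROUP_AUTH_TYPE) or 'none'}")
```

The parser deliberately tracks only the authentication-rule block, so the output of a full `show vpn ssl settings` can be pasted in unchanged; any group name missing from the mapping is reported as "unknown" rather than silently treated as one source or the other.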