Description:
After 'Enable Azure Auto Login' is configured in FortiClient EMS for SSL VPN, the FortiGate sees a user who belongs to a single group in Azure as a member of multiple FortiGate user groups.
This incorrect group mapping makes firewall policies behave unexpectedly, because the user becomes eligible for every policy that references any of those groups.
Environment:
- FortiClient EMS Cloud Azure Auto Login is enabled.
- FortiGate with SSLVPN Authenticated via SAML.
- Group membership retrieved via an Azure AD SAML Assertion and External IdP (MS Graph).
Root cause:
- With Azure Auto Login disabled (classic interactive SAML login only), group mapping works as expected and the user matches only the one expected group.
- With Azure Auto Login enabled, FortiGate identifies the user as a member of both the interactive SAML group and the auto-login SAML group.
- When both the SAML server (Azure_SAML) and the external identity provider (Azure_saml_autologon) are added as members of the same FortiGate user groups, FortiGate cannot tell which IdP (interactive SAML or MS Graph Auto Login) a group membership came from.
- Consequently both groups match at the same time, and the user is placed in more than one group.
- This happens because FortiGate does not differentiate between the identity providers listed under 'set member' within a group when it performs group matching. In the configuration below the match entries are scoped only to Azure_SAML, so nothing restricts membership for users arriving through Azure_saml_autologon.
Example configuration (problematic setup):

config user group
    edit "SAML-sec-vpn-users"
        set member "Azure_SAML" "Azure_saml_autologon"
        config match
            edit 1
                set server-name "Azure_SAML"
                set group-name "<AzureObjectID-for-GroupA>"
            next
        end
    next
    edit "SAML-sec-vpn-test"
        set member "Azure_SAML" "Azure_saml_autologon"
        config match
            edit 1
                set server-name "Azure_SAML"
                set group-name "<AzureObjectID-for-GroupB>"
            next
        end
    next
end

Both Azure_SAML and Azure_saml_autologon are configured as members of each group, so the user matches both mappings.
Solution:
Separate the identity providers into two separate FortiGate user groups:
- One group for the Azure SAML login
- One group for the Azure Auto Login (MS Graph)
Corrected configuration example:

config user group
    edit "SAML-vpn-users"
        set member "Azure_SAML"
        config match
            edit 1
                set server-name "Azure_SAML"
                set group-name "<AzureObjectID-for-GroupA>"
            next
        end
    next
    edit "SAML-vpn-users-autologon"
        set member "Azure_saml_autologon"
        config match
            edit 1
                set server-name "Azure_saml_autologon"
                set group-name "<AzureObjectID-for-GroupB>"
            next
        end
    next
end
Then, in the SSL VPN firewall policies:
- For users in Auto Login mode, reference only the Azure_saml_autologon-based groups.
- For interactive login users, reference only the Azure_SAML-based groups.
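The following is an added example of the resulting SSL VPN policies and is not part of the original article. It assumes the two corrected user groups above, an SSL VPN interface "ssl.root", an internal interface "port2", an address object "internal-net", and policy IDs 10 and 11; all of these are placeholders to adjust for the actual deployment. Each policy references exactly one group, so a user authenticated through one identity provider can only match the policy intended for that login mode.

```fortios
config firewall policy
    edit 10
        set name "sslvpn-interactive-saml"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "internal-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SAML-vpn-users"
    next
    edit 11
        set name "sslvpn-azure-autologin"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "internal-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SAML-vpn-users-autologon"
    next
end
```

After a test login in each mode, 'diagnose firewall auth list' on the FortiGate shows the authenticated user together with the group(s) assigned; with the groups separated as above, a user should appear in only the group that belongs to the identity provider they authenticated through. The exact output format varies by FortiOS version.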
Important notes:
- Make sure the group claim settings of the enterprise application in Entra ID (Azure AD) are filtered so that the SAML assertion does not carry unnecessary nested groups or unwanted claims; every extra group in the assertion is a candidate for an unintended match.
- FortiGate matches on the group object ID or the group display name depending on how Azure is configured to emit the group claim in the SAML token. Set 'set group-name' in the match entry to the same form (ID or name) that Azure delivers.