Description
This article describes how to configure group-based policies for Azure SAML users.
Scope
Forti-VM, Azure.
Solution
- Configure the user group claims in the Azure portal.
- Configure two groups in the Azure AD server. For example: SSLVPNFULLACCESS and SSLVPNLIMITEDACCESS.

- Type: Security groups.
- Source attribute: sAMAccountName.
- Advanced options: check the customize option for the group claim name.
- Name: FortigateGroups.

- Tag the group claim name in the FortiGate SAML configuration.
config user saml
    edit "ssl-azure-saml"
        set group-name "FortigateGroups" <-- Map the SAML group claim name.
    next
end
- Configure a local group in FortiGate and create a matching rule for the group-name with the Azure AD group's Object ID.
config user group
    edit "SSLVPN_FULL_ACCESS"
        set member "ssl-azure-saml"
        config match
            edit 1
                set server-name "ssl-azure-saml"
                set group-name "<Object ID of the Full Access group>" <-- This matches the Object ID of the Azure group for FULL_ACCESS.
            next
        end
    next
end
config user group
    edit "SSLVPN_LIMITED_ACCESS"
        set member "ssl-azure-saml"
        config match
            edit 1
                set server-name "ssl-azure-saml"
                set group-name "<Object ID of the Limited Access group>" <-- This matches the Object ID of the Azure group for LIMITED_ACCESS.
            next
        end
    next
end
To find the group Object ID in Azure, check the groups assigned under the Enterprise Application by selecting Manage -> Users and Groups -> GroupName, and copy the Object ID.
- Create an SSL VPN authentication rule. Go to VPN -> SSL-VPN Settings -> Authentication/Portal Mapping and fill in the following:
- Group: SSLVPN_FULL_ACCESS, Portal: FULL_ACCESS.
- Group: SSLVPN_LIMITED_ACCESS, Portal: LIMITED_ACCESS.
- Create two IPv4 policies for the SSLVPN_FULL_ACCESS and SSLVPN_LIMITED_ACCESS groups to define the access based on requirements.
Use the following command to check group tagging for SSLVPN users:
dia firewall auth list
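The following script is an added illustration and is not part of this article or of FortiOS. It models the matching step above: it reads the group claim out of a SAML assertion (a constructed, unsigned sample; a real FortiGate validates the IdP signature first) and maps the Azure group Object IDs it finds to the local user groups, the same way the `config match` entries do. The claim name FortigateGroups comes from the article; the Object IDs, the user name and the helper names are placeholders chosen for the example. It also shows the most common reason a user ends up in no group: Azure sending the claim under its default name instead of the customized one set in `set group-name`.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim name from the article: set under Advanced options in Azure and in
# `set group-name` under `config user saml` on the FortiGate.
GROUP_CLAIM_NAME = "FortigateGroups"

# Azure's default group claim name, seen when the customize option is not set.
AZURE_DEFAULT_GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed placeholder Object IDs -> FortiGate local group.
# Mirrors the `config match` entries under `config user group`.
GROUP_MATCH = {
    "11111111-1111-1111-1111-111111111111": "SSLVPN_FULL_ACCESS",
    "22222222-2222-2222-2222-222222222222": "SSLVPN_LIMITED_ACCESS",
}


def build_assertion(claim_name, object_ids):
    """Construct a minimal, unsigned SAML assertion carrying one group claim (sample data only)."""
    values = "".join(f"<saml:AttributeValue>{o}</saml:AttributeValue>" for o in object_ids)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">'
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{claim_name}">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def group_claim_values(assertion_xml, claim_name=GROUP_CLAIM_NAME):
    """Return the AttributeValue strings of the attribute whose Name equals claim_name."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS['saml']}}}Attribute"):
        if attr.get("Name") != claim_name:
            continue  # wrong claim name: exactly what a group-name mismatch looks like
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            if val.text:
                values.append(val.text.strip())
    return values


def matched_local_groups(assertion_xml, group_match=GROUP_MATCH):
    """Map the Object IDs in the group claim to local group names, as the match rules do."""
    object_ids = group_claim_values(assertion_xml)
    return sorted({group_match[o] for o in object_ids if o in group_match})


if __name__ == "__main__":
    full = build_assertion(GROUP_CLAIM_NAME, ["11111111-1111-1111-1111-111111111111"])
    print("full-access user   ->", matched_local_groups(full))
    wrong = build_assertion(AZURE_DEFAULT_GROUP_CLAIM, ["11111111-1111-1111-1111-111111111111"])
    print("default claim name ->", matched_local_groups(wrong))  # empty: no group matched
```

A user whose assertion yields an empty list here will authenticate at the IdP but be rejected by the authentication rule on the FortiGate, which is the symptom to look for in `diagnose firewall auth list` when the claim name or Object ID does not line up.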