| Description | This article explains how to configure and display only specific bookmarks for EntraID SAML users based on their group membership and filter by specific group IDs. |
| Scope | FortiGate 7.4, 7.6. |
| Solution |
When using SSL VPN web mode or the newer Agentless VPN, it is often necessary to show a different set of bookmarks to each user group, particularly when authentication is handled via SAML with EntraID as the identity provider.
The following example illustrates a scenario in which the user belongs to both 'Group_Test1' and 'Group_Test2', with each group having distinct portal and bookmark configurations.
SAML Configuration:
config user saml
    edit "sslvpnsaml"
        set cert "Fortinet_Factory"
        set entity-id "https://10.10.10.10:8443/remote/saml/metadata"
        set single-sign-on-url "https://10.10.10.10:8443/remote/saml/login"
        set single-logout-url "https://10.10.10.10:8443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxx/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
The 'user-name' and 'group-name' values must match the claim names that the EntraID enterprise application emits in the SAML response; the 'group' claim must carry the group object IDs, because that is what the 'config match' entries below compare against. 'digest-method sha1' is shown here; FortiOS also supports sha256, which is preferable where the identity provider is configured for it.
User group configuration:
config user group
    edit "Group_Test1"
        set member "sslvpnsaml"
        config match
            edit 1
                set server-name "sslvpnsaml"
                set group-name "xxxxxxxx-xxxx-xxxx-xxxx-entragroupx1"
            next
        end
    next
    edit "Group_Test2"
        set member "sslvpnsaml"
        config match
            edit 1
                set server-name "sslvpnsaml"
                set group-name "xxxxxxxx-xxxx-xxxx-xxxx-entragroupx2"
            next
        end
    next
end
SSL VPN web portal configuration for Group 1 and Group 2:
config vpn ssl web portal
    edit "Group1"
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
        set heading "Group1-Portal"
        set theme melongene
    next
    edit "Group2"
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
        set heading "Group2-Portal"
        set theme jade
    next
end
User group bookmarks configuration:
config vpn ssl web user-group-bookmark
    edit "Group_Test1"
        config bookmarks
            edit "Site1_Group1"
                set url "www.fortinet.com"
            next
            edit "Site2_Group1"
                set url "community.fortinet.com"
            next
        end
    next
    edit "Group_Test2"
        config bookmarks
            edit "Site1_Group2"
                set url "www.fortinet.com"
            next
            edit "Site2_Group2"
                set url "community.fortinet.com"
            next
        end
    next
end
Firewall policy configuration:
config firewall policy
    edit 1
        set name "SSLVPN"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "Group_Test1" "Group_Test2"
    next
end
This policy is deliberately permissive (dstaddr "all", service "ALL") to keep the example short; in production, restrict it to the destinations and services the bookmarks actually need.
Once the user is authenticated, they are placed in exactly one portal, selected from the portal mappings and the firewall policy configuration. Which portal is chosen depends on the order of the groups in the firewall policy, or on the policy order when each policy references only a single group.
User group bookmarks are evaluated differently: every group ID returned by EntraID is checked against the groups referenced in the firewall policy, and each group that matches contributes its bookmarks.
Case 1: The user belongs to both groups and the firewall policy references only 'Group_Test1'. The user lands in the 'Group1' portal and sees only the 'Group_Test1' bookmarks, because 'Group_Test2' is not referenced by any policy.
Case 2: The user belongs to both groups and the firewall policy references both 'Group_Test1' and 'Group_Test2'. The user is still placed in a single portal (the first matching group in the policy's group order), but the bookmarks of both 'Group_Test1' and 'Group_Test2' are displayed.
Note: By default, EntraID includes every group ID the user belongs to in the SAML response. Realms can be used to simplify portal separation and matching. Although a user can be matched to only one portal at a time, they can match several user group bookmark entries. When several entries match, all of their bookmarks are displayed in the portal, regardless of which group selected the portal. |
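The matching rules above, as an added model written in Python for this article (it is not FortiOS code and not part of the original page): it extracts the 'username' and 'group' attributes from a constructed SAML assertion, matches the group object IDs against the 'config user group' entries, and then applies the two rules from the text, one portal chosen by the first matching group in the firewall policy's group order, and the union of every matched group's user-group bookmarks. The mapping of Group_Test1 to portal Group1 and Group_Test2 to portal Group2 is an assumption (the article shows the portals but not the mapping entries), and the assertion is assumed to have had its signature verified before it reaches this code.

```python
"""Model of how a FortiGate picks one portal but several bookmark sets for
an EntraID SAML user. Added illustration, not FortiOS code."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment. Attribute names follow the article's
# 'set user-name "username"' / 'set group-name "group"'. A real SAML consumer
# must verify the XML signature before trusting any of this; assumed done here.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>xxxxxxxx-xxxx-xxxx-xxxx-entragroupx1</saml:AttributeValue>
      <saml:AttributeValue>xxxxxxxx-xxxx-xxxx-xxxx-entragroupx2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# 'config user group' -> 'config match': FortiGate group -> Entra group object IDs
USER_GROUP_MATCH = {
    "Group_Test1": {"xxxxxxxx-xxxx-xxxx-xxxx-entragroupx1"},
    "Group_Test2": {"xxxxxxxx-xxxx-xxxx-xxxx-entragroupx2"},
}
# Assumed portal mapping (the article shows the portals, not the mapping entries).
PORTAL_MAP = {"Group_Test1": "Group1", "Group_Test2": "Group2"}
# 'config vpn ssl web user-group-bookmark'
USER_GROUP_BOOKMARKS = {
    "Group_Test1": [("Site1_Group1", "www.fortinet.com"),
                    ("Site2_Group1", "community.fortinet.com")],
    "Group_Test2": [("Site1_Group2", "www.fortinet.com"),
                    ("Site2_Group2", "community.fortinet.com")],
}


def extract_attribute(assertion_xml, name):
    """Return every AttributeValue text of the SAML attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            values.extend(v.text.strip()
                          for v in attr.findall("saml:AttributeValue", SAML_NS)
                          if v.text)
    return values


def matched_groups(entra_group_ids):
    """FortiGate user groups whose 'config match' entry lists one of the IDs."""
    ids = set(entra_group_ids)
    return [g for g, wanted in USER_GROUP_MATCH.items() if ids & wanted]


def resolve(entra_group_ids, policy_groups):
    """Apply the two rules from the article.

    policy_groups: the groups referenced by the firewall policy, in the order
    they are configured ('set groups "Group_Test1" "Group_Test2"').
    Returns (portal, bookmarks). Portal: the first policy group the user
    matches. Bookmarks: the union over every policy group the user matches.
    """
    user_groups = set(matched_groups(entra_group_ids))
    eligible = [g for g in policy_groups if g in user_groups]
    if not eligible:
        return None, []                 # no policy admits the user at all
    portal = PORTAL_MAP[eligible[0]]    # exactly one portal
    bookmarks = [b for g in eligible for b in USER_GROUP_BOOKMARKS.get(g, [])]
    return portal, bookmarks


if __name__ == "__main__":
    groups = extract_attribute(SAMPLE_ASSERTION, "group")
    for policy in (["Group_Test1"], ["Group_Test1", "Group_Test2"]):
        portal, marks = resolve(groups, policy)
        print(policy, "->", portal, [m[0] for m in marks])
```

Running the script walks through Case 1 and Case 2. Reversing the group order in the policy (Group_Test2 before Group_Test1) changes the portal to Group2 but leaves the displayed bookmark set unchanged, which is the point of the note above: portal choice is order-sensitive, bookmark display is not.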
Copyright 2025 Fortinet, Inc. All Rights Reserved.