Created on 01-02-2022 10:18 PM Edited on 12-25-2022 09:42 PM By Anthony_E
Description
This article describes how to configure SSL-VPN users authenticating against multiple SAML IdPs.
Scope
SSL-VPN with SAML authentication using multiple IdPs.
Consider a scenario where it is necessary to restrict SSL VPN access based on group membership, and those groups belong to different SAML IdPs: these could simply be separate tenants in Microsoft Azure, or entirely different IdPs such as FortiAuthenticator, GCP, Okta, Duo, and others.
Solution
In the current FortiOS design, a user group cannot reference more than one SAML server.
Starting with FortiOS 6.4.6, 7.0.1, and 7.2.0, multiple SAML groups can be added to a single firewall policy, but all of them must reference the same SAML IdP server.
It is, however, possible to create multiple firewall policies, each with its own user group, so that each policy references only one IdP at a time.
For SSL VPN firewall policies, where the source interface is the SSL-VPN interface and the source user group references a SAML server, the first matching firewall policy in the list decides which IdP the SAML request is sent to.
Any SAML authentication request is therefore sent to the IdP of the first matching policy; subsequent policies and their IdPs are never evaluated, so the authentication request may fail.
To overcome this design limitation, it is possible to leverage SSL VPN realms.
Only the firewall policies that have a group that is matching the request for that realm will be evaluated.
Therefore, the SAML request will be sent to the specific IdP configured for that SAML group.
Note:
If there is already one entry for each IdP, no changes are required under '# config user saml'.
The change required will be for the portal mapping to use the specified realm rather than the default one.
Configuration Example:
Example Environment:
FortiGate WAN Interface IP and port for SSLVPN: 192.168.1.68:1444
User lombini@robertao.me is a member of the group Escalations on the Azure SAML IdP
User lombini@colombas.me is a member of the group Escalations on the GCP SAML IdP
SAML SP: FortiGate
SAML IdPs: Microsoft Azure and Google Cloud Platform
SAML Servers Configuration in FortiGate:
Microsoft Azure:
Google Cloud Platform:
User groups configuration in FortiGate:
Microsoft Azure:
Google Cloud Platform:
SSL VPN Realms configuration in FortiGate:
SSL VPN Portals configuration in FortiGate:
SSL VPN Settings configuration in FortiGate:
Firewall Policies configuration in FortiGate:
Microsoft Azure:
Google Cloud Platform:
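The following CLI configuration is added here as a worked example of the realm-based layout end to end; it is not taken from the article's screenshots. It assumes the two SAML servers already exist under config user saml as "azure-saml" and "gcp-saml" (the note above states no change is needed there), that the WAN interface is "wan1" (192.168.1.68), that the LAN interface is "port2", and that the default "SSLVPN_TUNNEL_ADDR1" address object is used for the tunnel pool. All object names in quotes are assumptions; the port 1444 and the group name Escalations come from the example environment above.

```fortios
# Added example, not the article's own configuration. Assumed names:
# SAML servers "azure-saml"/"gcp-saml", interfaces "wan1"/"port2",
# address object "SSLVPN_TUNNEL_ADDR1".

# 1. One user group per IdP. The group-name must match the value the IdP
#    actually sends in its group claim (for Azure this is commonly the group
#    object ID rather than the display name).
config user group
    edit "grp-azure-escalations"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "Escalations"
            next
        end
    next
    edit "grp-gcp-escalations"
        set member "gcp-saml"
        config match
            edit 1
                set server-name "gcp-saml"
                set group-name "Escalations"
            next
        end
    next
end

# 2. One realm per IdP. The realm name is the URL path users connect to,
#    e.g. https://192.168.1.68:1444/azure and https://192.168.1.68:1444/gcp
config vpn ssl web realm
    edit "azure"
    next
    edit "gcp"
    next
end

# 3. One tunnel-mode portal per IdP.
config vpn ssl web portal
    edit "portal-azure"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    edit "portal-gcp"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 4. Portal mapping: each authentication rule binds a group to its own realm,
#    so a login on /azure is only evaluated against the Azure group and its IdP.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 1444
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "grp-azure-escalations"
            set portal "portal-azure"
            set realm "azure"
        next
        edit 2
            set groups "grp-gcp-escalations"
            set portal "portal-gcp"
            set realm "gcp"
        next
    end
end

# 5. One firewall policy per group, so each policy references a single IdP.
config firewall policy
    edit 10
        set name "sslvpn-azure-escalations"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "grp-azure-escalations"
    next
    edit 11
        set name "sslvpn-gcp-escalations"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "grp-gcp-escalations"
    next
end
```

The point of the layout is in step 4: because each authentication rule carries a realm, a request arriving on the "azure" realm is matched only against grp-azure-escalations, so the SAML request goes to azure-saml, and likewise for "gcp". Without the realms, both groups would sit behind the same default portal and the first firewall policy in the list would pick the IdP for every login. Keep a clearly wrong group name out of the match entries: a group that never matches simply denies the user, which is the safe failure mode here.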
Verification of Deployment
SSL VPN users are listed on the 'SSL-VPN Monitor' widget from GUI.
Users are also listed on CLI with the command # get vpn ssl monitor.
It can also be verified from VPN Events under Log & Report -> System Events.
Related Articles
Technical Tip: FortiGate SAML authentication resource list
Troubleshooting Tip: Common problems and causes when using SAML with SSL VPN
Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication
Technical Tip: Create SSL VPN with Azure SAML SSO Authentication, optional multiple SSL VPN Realms