Description | This article describes how to set up an authentication method such as LDAP or local firewall authentication as a backup to SAML. |
Scope | FortiGate. |
Solution |
In most cases, SAML authentication requires communication with an identity provider (IdP) over the Internet. If that IdP becomes unavailable or unreachable for any reason, authentication fails for every user. For redundancy, a second authentication method that does not depend on Internet reachability can be configured alongside SAML, such as local firewall authentication or a locally reachable authentication server (LDAP, RADIUS, etc.). Note that this article does not cover the steps for setting up each authentication method individually, only how to use them together. For more information on setting up SAML outbound authentication, refer to this article: Technical Tip: FortiGate SAML authentication resource list
Here are the steps for setting up an authentication method as a backup to SAML. In this scenario, local user authentication is used as the backup:
config user group
config user local next
config user group
config firewall policy
config firewall policy
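The following CLI configuration is an added example of the scenario above and is not part of the original article. It assumes that a SAML server object named saml-idp has already been created under config user saml, that traffic enters on port2 (LAN) and leaves on port1 (WAN), and that the local username, password, group name and policy ID are placeholders. The approach shown here puts the SAML server and the local user in the same user group, so a single captive-portal policy offers both the SAML login and the local username/password form; whether your deployment uses one combined group or separate groups and policies, the principle is the same: the policy must reference a group whose members include an authentication source that is reachable without the IdP.

```fortios
# Added example (not from the original article). Placeholder names:
# saml-idp      - existing SAML server object (assumed, created elsewhere)
# backup-admin  - local user used when the IdP is unreachable
# inet-users    - group referenced by the firewall policy
# port2/port1   - LAN / WAN interfaces, adjust to your topology

# 1. Local user that does not depend on any external server.
config user local
    edit "backup-admin"
        set type password
        set passwd "ChangeMe-Use-A-Long-Passphrase"
    next
end

# 2. Group whose members are the SAML server AND the local user.
#    Both sources are accepted for the policy below, so the local
#    account keeps working when the SAML IdP is down.
config user group
    edit "inet-users"
        set member "saml-idp" "backup-admin"
    next
end

# 3. Policy that triggers the captive portal for the group.
#    Because the group has more than one member type, the portal
#    presents the SAML option as well as a username/password form.
config firewall policy
    edit 10
        set name "LAN-to-WAN-auth"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "inet-users"
        set nat enable
    next
end
```

Two practical checks after applying this: confirm with diagnose firewall auth list that a user authenticated through the local account appears as a member of inet-users, and test the failover deliberately (for example by temporarily blocking traffic to the IdP from the FortiGate) rather than waiting for an outage, so the behaviour of the captive portal is known in advance. Treat the local backup account as a privileged credential: use a long passphrase, restrict who knows it, and review its logins in the event log, since it bypasses whatever MFA the IdP enforces.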
Note: If the SAML IdP becomes unavailable, the captive portal does not remove the SAML login option. The SAML prompt remains on the page and a login attempt through it simply fails. Users must reload the page, return to the authentication page, and use the local authentication method instead. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.