FortiGate
MichaelTorres
Article Id 407884
Description

This article describes a behavior where users authenticate correctly against an IPsec VPN with SAML, but no group information is returned at login.

Scope

FortiGate v7.4.7.
Solution

The SAML user object is configured correctly:

config user saml
    edit "IPsec-SAML"
        set cert "Fortinet_Factory"
        set entity-id "https://remote...de01:10428/remote/saml/metadata"
        set single-sign-on-url "https://remote...de01:10428/remote/saml/login"
        set single-logout-url "https://remote...de01:10428/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/f1a72219-.../"
        set idp-single-sign-on-url "https://login.microsoftonline.com/f1a72219-.../saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/f1a72219-.../saml2"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
        set digest-method sha1
    next
end


Two user groups are created: a specific group restricted to one object ID in the SAML group claim, and a global group with no restriction:

config user group
    edit "Specific_Group"
        set member "IPsec-SAML"
        config match
            edit 1
                set server-name "IPsec-SAML"
                set group-name <object ID>
            next
        end
    next
    edit "Global-group"
        set member "IPsec-SAML"
    next
end


The IPsec phase1-interface references the global group in 'authusrgrp':

config vpn ipsec phase1-interface
    edit "VPN_TEST"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set ipv4-dns-server1 172.17.60.6
        set ipv4-dns-server2 8.8.8.8
        set eap-identity send-request
        set authusrgrp "Global-group"
        set psksecret 11111111
        set dpd-retryinterval 60
    next
end


Although the specific group is referenced in the firewall policy, the login succeeds but no group information is retrieved for the user:

config firewall policy
    edit 117
        set name "VPN_TEST -> LAN"
        set srcintf "VPN_TEST"
        set dstintf "port3"
        set action accept
        set srcaddr "IPSec_Tunnel_Addr1"
        set dstaddr "LAN2_port3 address"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "Specific_Group"
    next
end


Solution:

In the VPN settings, remove the global user group from the 'authusrgrp' parameter of the phase1-interface. With no group set on the tunnel, group matching is performed against the groups referenced in the firewall policy ('Specific_Group' in this example):

config vpn ipsec phase1-interface
    edit "VPN_TEST"
        unset authusrgrp
    next
end
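The following is an added example, not part of this article or of Fortinet's own tooling: a small audit script that parses a FortiOS-style CLI configuration backup and flags any phase1-interface that sets 'authusrgrp' while a firewall policy on that tunnel relies on a different user group, which is the misconfiguration described above. The parser (parse_fortios), the audit function (audit_authusrgrp) and the embedded sample configuration are all assumptions constructed for this example; the sample reuses the article's tunnel, group and policy names.

```python
"""Audit a FortiOS-style configuration for IPsec tunnels whose
'authusrgrp' conflicts with the user groups used in firewall policies.

Added example; parse_fortios and audit_authusrgrp are hypothetical helpers,
not Fortinet APIs.
"""
import shlex
from typing import Any

# Constructed sample modelled on the article's objects (tunnel, group and
# policy names are the article's; everything else is a placeholder).
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "VPN_TEST"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set eap-identity send-request
        set authusrgrp "Global-group"
    next
end
config firewall policy
    edit 117
        set name "VPN_TEST -> LAN"
        set srcintf "VPN_TEST"
        set dstintf "port3"
        set action accept
        set groups "Specific_Group"
    next
end
"""


def parse_fortios(text: str) -> dict[str, Any]:
    """Parse config/edit/set/unset/next/end lines into nested dicts.

    Result shape, for example:
    {"vpn ipsec phase1-interface": {"VPN_TEST": {"type": ["dynamic"], ...}}}
    Each 'set' stores its values as a list, since many FortiOS settings
    (srcintf, groups, authusrgrp) accept several quoted names.
    """
    root: dict[str, Any] = {}
    stack: list[dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours the CLI's double quoting
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            # Both open a nested block; the block name is the remaining words.
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced {keyword!r}")
            stack.pop()
        else:
            raise ValueError(f"unsupported keyword {keyword!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def audit_authusrgrp(cfg: dict[str, Any]) -> list[str]:
    """Return one finding per phase1-interface whose 'authusrgrp' differs
    from the groups a firewall policy on that tunnel expects."""
    findings: list[str] = []
    tunnels = cfg.get("vpn ipsec phase1-interface", {})
    policies = cfg.get("firewall policy", {})
    for tunnel, settings in tunnels.items():
        tunnel_groups = set(settings.get("authusrgrp", []))
        if not tunnel_groups:
            continue  # nothing set on the tunnel: policy groups apply
        for policy_id, policy in policies.items():
            if tunnel not in policy.get("srcintf", []):
                continue
            policy_groups = set(policy.get("groups", []))
            if policy_groups and policy_groups != tunnel_groups:
                findings.append(
                    f"phase1-interface {tunnel}: authusrgrp {sorted(tunnel_groups)} "
                    f"is set, but policy {policy_id} expects {sorted(policy_groups)}; "
                    f"consider 'unset authusrgrp' on the tunnel"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_authusrgrp(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run against a full configuration backup, the script reports every tunnel where the group set on the phase1-interface and the group checked by the policy disagree; after applying the article's fix ('unset authusrgrp'), the same tunnel produces no finding.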