We're doing an increasing number of SAML-based VPN deployments, and Windows + Azure works well. However, we are struggling with other combinations, for example:
macOS + Google Workspace
Windows + Google Workspace varies; we see that for both Mac and Windows users they are authenticated but the VPN tunnel is not initiated.
Chromebooks + Azure
This is using FortiOS 6.4.7 and FCT 7.0.1 or 7.0.2.
What are other people's experiences?
Fortinet Expert partner - Norway
Some time ago I played a bit and got SAML working on FortiAuthenticator as SP with Okta as IdP.
I guess you found out that https://docs.fortinet.com does have some SAML-related stuff.
FOS: https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/736845/saml
FAC: https://docs.fortinet.com/document/fortiauthenticator/6.4.3/administration-guide contains SAML in both Authentication and SSO.
More targeted guides are in the FAC Cookbook, and SAML is here: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/362779/saml-authentication
With Azure (including O365), Okta, Google things and more.
But my experience is that those guides are hard to maintain, mainly because all those 3rd-party elements keep changing. And it does not matter if you do SAML or social logons with Facebook/Twitter etc.; both keep changing a lot.
Tom xSilver, planet Earth, over and out!
FortiGate SSL VPN naturally also works with Google Workspace IdP. FortiGate configuration will be the same as for any other IdP.
Google Workspace is a little specific in that they have used departments instead of user groups. Below is a sample of working config from lab.
You can also test Google's beta version of group membership.
My recommendation is to first ensure that SAML authentication works in web-mode SSL VPN. Only then focus on issues with specific versions of FortiClient or client OS.
You might want to open a support ticket for help with further debugging of SSLVPN/SAML/FortiClient.