Lukino
New Contributor

VPN SSL SAML with Azure

Hi All,

I've done a VPN SSL on the FortiGate 7.0 with SAML Azure

When the connecting user is a member of one or more security groups that exist only in Azure, all works fine and I can see all the groups:


samld_send_common_reply [120]: Attr: 10, 47, 'group' '7fff585a-535d-4bdd-a9b5-a377ac759cd9'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'f97a6d8a-d341-4f5b-a504-b6865f867e63'
samld_send_common_reply [120]: Attr: 10, 47, 'group' '8c9e0ebf-7265-49d7-9712-af7ce9dc853c'


But as soon as the customer imports a group from on-prem Windows AD and adds the user as a member of this group, I stop seeing the Azure security groups and see only the Windows AD group.


Did anyone see the same behavior?


Thanks :)

Luca

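The samld debug lines quoted in the question can be checked mechanically rather than by eye. The following is an added example, not code from the original post or from Fortinet: a small Python parser for the `samld_send_common_reply ... Attr:` lines that lists the attribute values the IdP actually sent and reports which expected Azure group object IDs are missing from the assertion. The sample text is copied from the post; the function names and the expected-ID list are my own assumptions.

```python
import re
from collections import defaultdict

# Sample input constructed from the debug lines quoted in the post.
SAMLD_DEBUG = """\
samld_send_common_reply [120]: Attr: 10, 47, 'group' '7fff585a-535d-4bdd-a9b5-a377ac759cd9'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'f97a6d8a-d341-4f5b-a504-b6865f867e63'
samld_send_common_reply [120]: Attr: 10, 47, 'group' '8c9e0ebf-7265-49d7-9712-af7ce9dc853c'
"""

# After "Attr:" come two numeric fields, then the attribute name and its
# value, each in single quotes. Only the quoted fields are needed here.
ATTR_RE = re.compile(r"Attr:\s*\d+,\s*\d+,\s*'([^']*)'\s*'([^']*)'")


def parse_saml_attrs(debug_text):
    """Return {attribute_name: [value, ...]} from samld debug output.

    Lines that do not carry an Attr: field are ignored, so the whole
    'diagnose debug application samld' capture can be fed in as-is.
    """
    attrs = defaultdict(list)
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)].append(m.group(2))
    return dict(attrs)


def missing_groups(debug_text, expected_ids, attr="group"):
    """Expected group values (e.g. Azure group object IDs) that the IdP
    did not include in the assertion, sorted for stable output."""
    seen = set(parse_saml_attrs(debug_text).get(attr, []))
    return sorted(g for g in expected_ids if g not in seen)


if __name__ == "__main__":
    for name, values in parse_saml_attrs(SAMLD_DEBUG).items():
        print(f"{name}: {len(values)} value(s)")
        for v in values:
            print("  ", v)
```

Feed the function the debug output captured before and after the on-prem group is added to the user; the difference in the `group` list shows exactly which claims disappeared.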
bpozdena_FTNT

Hi Luca,


Based on your brief description, it sounds like you may have enabled SAML and LDAP authentication at the same time?


It is generally recommended to remove this ambiguity by creating separate SSL VPN realms for SAML users and LDAP users.


Examples of multi-realm configuration:

URL identifier

FQDN identifier 


In your case, you will just map SAML user groups to SAML portal and LDAP user groups to LDAP portal. Example:

config vpn ssl settings
	config authentication-rule
		edit 1
			set groups "AZURE_SAML_USERS" 
			set portal "full-access"
			set realm "HR"
		next
		edit 2
			set groups "LDAP_domain_users"
			set portal "full-access"
			set realm "QA"
		next
	end
end


The result will be that users who access SSL VPN realm https://<FG_IP>/HR will be automatically redirected to SAML IdP login page, while users who access realm https://<FG_IP>/QA will perform standard LDAP authentication. Note that EMS can be used to push different VPN profiles to different users.