ForgetItNet
Contributor

Advice on what's needed for SAML

Hi all,

I'm trying to move our VPNs away from SSL to IPsec, which I've managed to do for our Windows machines (which are the majority), but I've been struggling to get iPads to work, so I've managed to get them working on IKEv2 with a pre-shared key as long as I don't enable 2FA (just to confirm the VPN works). But I've found an updated post on Fortinet saying that, due to a limitation on iOS, you can't use 2FA on IPsec with a pre-shared key and the only option is to use SAML certificates. However, there seems to be a lot of confusing information on going about this and what exactly is needed. So, am I correct in understanding that to get iPads to connect using IKEv2 and 2FA I only need our FortiGate 100F and an identity provider such as Azure? I don't NEED EMS or anything else to get this to work, do I?

Also, can the 100F do the IdP part as well instead of Azure etc., just so it's all contained on the one box?

I'm just trying to clarify what different devices/platforms I need to get together before I start down this road, in case there is any extra cost?

Any advice will be great.

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
ForgetItNet
Contributor

Thanks Anthony, you can close this off now as I've managed to get it set up in the meantime, but if anyone else comes across this with the same question, I've found that you only need Azure and the FortiGate and nothing else. The EMS "can" push out configs to the end devices if you have it, so it makes rolling it out easier, and it will also allow a greater range of control over what resources you want users to access, but it's not needed for the SSO. This also then removes the need for the FortiToken 2FA, as the 2FA is done via Microsoft SSO (and we use SMS codes to users' phones for this anyway).
