Hi All,
We've successfully setup captive portal using Azure as IDP
The problem is that the redirection is to the default fgtauth page and must click on "log in using SAML Identity Provider" to sign-in with Azure account.
Which is the way to be redirected to the saml portal?
Thanks!
Hi @BuHeTy
Are you using webmode or you have Forticlient installed there , through webmode you will need to select with the option Single -Sign -On ,when using FortiClient you can enable the option " Enable Single Sign On (SSO) for VPN Tunnel and also Enable auto-login with Azure Active Directory .
Hi,
We don't use Forticlient for our host in the network.
The captive portal is policy based, not interface.Till now we've used it with radius and/or FSSO collector pulling users from our active directory MS servers.
Azure implementation works fine. Only the redirected page is the problem.
Hey,
usually you get the option screen (put in credentials OR click "Log in using SAML Identity Provider") if there are multiple possibilities how the user could be authenticated. If you have more than one group (one SAML, one LDAP for example) in that policy triggering the captive portal, FortiGate can't tell if the authentication should go to SAML or somewhere else, and thus offers the option to input credentials or go to SAML server.
You would have to remove any non-SAML group from the policy to ensure FortiGate redirects to SAML server immediately.
Hey @BuHeTy
do you have any other policies with groups the traffic could match into instead? And are those groups non-SAML groups?
It is possible that, as the user is not authenticated at this stage and there are multiple possible matches based on what group the user actually belongs to (which we will only know AFTER authentication) the FortiGate might consider more groups than just the SAML group in that policy.
I have never tested this in the lab, so I can't be certain; we would need to gather some debug from FortiGate to determine what groups FortiGate considers when triggering captive portal.
Great,
I'l try with a new azure group with only one member, not member of any other, and test and write.
Nope,
Still redirects to th fgauth page. It FortiAnalyser traffic matches the policy with deny action. When I authenticate it is then allowed and authentication server is the Azure configured.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.