aguerriero
Contributor II

EMS Authentication Server with multiple domains

When adding an authentication server in EMS I only ever get 1 domain even when the tenant has multiple domains registered and synced. These aren't subdomains but two different unique domains.

example1.com
example2.com


The only information I provide is the tenant ID, client ID, and secret. And then I only get 1 domain available for doing user to OU matching to assign policies.

How do I get all of the available domains that are synced in Azure so I can assign policies? Currently I have to create workgroups and assign the users to that either manually or with group assignment rules.

 

1 Solution
Anil_Solakoglu

Hello,

In the earlier stages of 7.2.x we used to provide a workaround as described below.

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Transforming-users-attributes-while-veri...

This behavior changed after 7.2.3 due to a resolved issue over bug 953051.

Starting from version 7.2.3, EMS supports UPNs with domain names different from the imported one, as long as the SAML attributes contain the right user UPN.

https://docs.fortinet.com/document/forticlient/7.2.3/windows-release-notes/22791/resolved-issues


14 REPLIES
pminarik

I see, thanks for clarifying.

Unless someone comes in and corrects me, this feels like a scenario that we may not have accounted for, and may need an NFR or a "bug fix", depending on how it ends up being classified. I would recommend opening a TAC ticket to get attention on this.

[ corrections always welcome ]
aguerriero

This seems to be working, kind of, after upgrading from 7.2.1 to 7.2.3. I don't know if anything else doesn't work after the upgrade but users from both UPNs can now verify.

sw2090
SuperUser

Sorry I have no experience with EMS yet as we do not yet use it.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Jean-Philippe_P
Moderator

Thanks guys for answering so quickly :)

Jean-Philippe - Fortinet Community Team
