
FSSO for VPN Users Authenticate via Azure SAML

Hi All,


I am in need of some assistance. I am looking to enable "Full VPN Tunnel" for VPN users and control what they access based on security groups from AD. I have got the VPN working with Azure SAML authentication.

However the users are not able to access out via their designated security groups and from my understanding this is because the users that are authenticated are not getting the username/IP mapped or sent to the AD/FSSO.


Can anyone assist on how I can make my VPN work with Azure SAML while at the same time using the security groups from AD? I do have the FSSO agent installed on the AD server. Appreciate any help or guidance that can be given.


Hello @kanes39,

FSSO is effective for Windows Logon Events. However, for VPN Logon Events, our attention should be directed to logon events on the authentication server utilized for VPN Users, in your case Azure SAML Authentication.

To set this up with Azure SAML, you can follow the configuration steps outlined in this KB: [link](

That setup would allow you to configure SSL VPN Portals per User Group, so you can control access based on their group on Azure.

I hope that helps.


Mauricio Marin
Fortinet TAC Senior Engineer

Thank you @mauromarme.

I have multiple groups in the AD, for instance like the below, and they will have to go out via the corporate Internet for that. In that event, how can I do it?

Apart from that, I did observe some documentation that we can send the logging from the FortiGate firewall to the FSSO agent for updates. Will that work?
- Group that is allowed to access GMAIL
- Group that is allowed to access Social Media
- Group to access Hotmail.


Thanks In Advance.
