Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tonyagustin
New Contributor II

Created on ‎05-06-2024 08:11 AM

FortiAuthenticator MFA - SAML

Hello.

We'd like to configure our FortiAuthenticator as SAML IdP. The first authentication factor is password from AD. We've tested several OTP options: fortitoken, sms, email, etc. and the work fine but we'd like to use another second factor: client certificate. We've used local CA or remote CA, and we've configure "certificate bindings" under user configuration, but when SAML web page is shown, it only asks for username and password, and it doesn't prompt to chose a certificate.

Anyone knows if it's possible to configure 2FA with AD password and user certificate?.

Thank you!.

Labels:
1560
0 Kudos
1 Solution
lmarinovic
Staff
Staff

Created on ‎05-13-2024 06:55 AM

Hello Tony,

 

Unfortunately this is not supported yet. Even if you set certificate bindings on user. This currently can only work for radius. Only second factor under SAML can be:

 

 

Best regards,

 

Lazar

 

Best regards

Lazar Marinovic

View solution in original post

1450
7 REPLIES 7
Stephen_G
Moderator
Moderator

Created on ‎05-09-2024 04:17 AM

Hello tonyagustin,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
1492
0 Kudos
Stephen_G
Moderator
Moderator

Created on ‎05-13-2024 06:28 AM

Hello tonyagustin,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Stephen - Fortinet Community Team
1457
0 Kudos
lmarinovic
Staff
Staff

Created on ‎05-13-2024 06:55 AM

Hello Tony,

 

Unfortunately this is not supported yet. Even if you set certificate bindings on user. This currently can only work for radius. Only second factor under SAML can be:

 

 

Best regards,

 

Lazar

 

Best regards

Lazar Marinovic
1451
pminarik
Staff
Staff

Created on ‎05-13-2024 06:58 AM

As far as I am aware, this is not currently supported.

Certificate-bindings are used only for EAP-TLS authentication, SAML IdP currently doesn't support client-certificate verification. You'll need a new feature request for this.

[ corrections always welcome ]
1448
tonyagustin
New Contributor II

Created on ‎05-14-2024 01:52 AM

Thank you all for your answers!

1404
True-i
New Contributor

Created on ‎05-28-2024 12:19 PM

Dear Sir،,

If you don't mind to share the steps  I need to configure authenticator using saml to login to OWA Mircosoft exchange

Thanks for your support

1278
0 Kudos
Rabah35or
New Contributor

Created on ‎09-04-2024 01:07 AM

Did MFA worked for Exchange AciveSync and AnyWhere ?

 

950
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.