Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sioannou
Contributor

FortiAuthenticator Self-Service Portal and SAML

Hi all, 

 

We have a deployment of FortiAuthenticator where we use it as our SAML IDP for all services and platforms, including portal and various FortiNet products. 

 

We are using the self-registration portal of FortiAuthenticators for user self-registration and at the same time the SAML portals are enabled to allow users to navigate to various services. The issue we are phasing is on the self-registration portal if a user tries to reset their password at the end they get redirected to the SAML Login page. Instead of the page loading they are presented with a 403 Forbidden message. 

It looks like the issue is related to the sessionid and cookiesession1 cookies set by FortiAuthenticator on the user browser. 

Has anyone came across this issue before? Is there any known workaround for this?

 

Thanks,

 

Sotiris

5 REPLIES 5
Anonymous
Not applicable

Hello sioannou, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

  Fortinet Community Team 

lmarinovic
Staff
Staff

Hello Sotiris,

 

What is the version of FAC that you are using?

 

Best regards,

 

Lazar

Best regards

Lazar Marinovic
sioannou
Contributor

Hi Lazar,

 

We have tested 6.4.2 and 6.4.3 both GA.

 

Regards,

 

Sotiris

xsilver_FTNT
Staff
Staff

Hi sioannou,

not sure I completely understand it, but ...

 

I guess you have Authentication/Portals/Portals and there is defined some Portal for self-service. Not quite sure if you have Pre-Login / Password Reset, or Post-Login / Password Change actually enabled and used. It depends on what you want to allow to your users, and if they'd be allowed to reset password even without any previous authentication.

 

Then I guess you have that Portal used in Authentication/Portals/Policies .. and policy type is on top-right corner set as Self-Service Portal. So you have URL like https://<FQDN-of-your-FAC>/portal/selfservice/<policy-name>/  And there your users can do the changes.

 

Then what is the Identity Source of that policy ?

Is it pointing to realm which is SAML based or to local users ?
My guess from what you wrote is that you allow your users to self-register as local users. And then those are served to SAML SPs set/allowed via Authentication / SAML IdP. However Identity Source realm in SAML IdP / General as well as in Portals / Policy is realm pointing to local users, right ?

 

Maybe that is a bit on the edge of forum and you might consider to open technical ticket on Fortinet to provide your configuration privately and maybe to demonstrate the issue on remote session to some of my fellow engineers.

 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

sioannou
Contributor

Hi Tom,

 

I will take it up with support.

 

Thanks,

 

Sotiris

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors