kkoshan
New Contributor

FortiManager SSO account can't delete/authorize a device but local account with the same profile can

Hi,

 

We have recently enabled SSO SAML Authentication on our FortiManager and FortiAnalyzer (Firmware 7.2.2) and we have managed to make it work. Logins are successful and SSO SAML users are getting the correct Admin Profile, however they get error messages when they try to Authorize a new device or delete current device in FortiManager. When I am using a local admin account with the same Admin profile, it can authorize and delete devices with no issues.

 

KK
6 REPLIES
Anthony_E
Community Manager

Hello KK,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
gfleming
Staff

What system is acting as the SAML IdP? Is this FortiCloud IAM stuff? Azure AD?


How are you confirming users are getting the correct Admin Profile?

Cheers,
Graham
Komeo
New Contributor

Hello, 

Same behavior here.
It seems this occurs since the last upgrade.
We have been using SSO SAML for several weeks with no issues.
Since the last upgrade (FortiGate to 7.2.4 due to the last CVE, and FortiManager to 7.2.2), SSO admins cannot refresh devices, re-installing policies fails too, etc.
Tried to delete the user and reconnect with no effect.

Regards, 
Teddy

mhering-Forti
New Contributor

Having similar issues with SAML login to FortiManager (Azure AD as the IdP): admins are super users and can do most functions (create/edit policy, add users/devices, etc.), but some functions just don't work. For example, when attempting to create a VPN Template I get "no workspace permission" even though I have a valid workspace session. Also cannot edit scripts. Local logins work fine. Admittedly an older version of FM (7.0.2).

rwatkins1145
New Contributor

Same issues. Are there any updates on this?

vraev
Staff

Hello,

 

Please review the output from the following debug commands (CLI, logged in as a local admin):

diagnose debug application authd 255
diagnose debug enable

Then try to log in with the user that has the problem. Also, please review the profile associated with this user and whether the JSON API is allowed or not.

 

To stop it (the abbreviated forms d de dis / d de reset also work):
diagnose debug disable
diagnose debug reset

V.R.