FortiWeb SAML configuration for partial app protection – Can this be done

Say I have FortiWeb in front of a backend website, let’s call it and there are some general default protection policies in place on the FortiWeb.
Presume that has its own authentication scheme and user database. Users can only authenticate by visiting a specific URL where a login page is presented for them to enter their user credentials, let’s call that URL
Crucially, there are significant parts of that do not require authentication for access, these pages are open to any visitors.
As admin, I’ve decided I’m not completely convinced by the overall security of the built-in authentication scheme, but for whatever reasons, I cannot make any changes to This also means that I cannot dispose of its built-in authentication scheme.
My tactical decision is to configure the FortiWeb so that when a user requests authentication by visiting, the WAF redirects them to authenticate via a SAML-compliant IDP – in this case it would be Microsoft Entra – and once that IDP has authenticated them, the WAF will redirect them back to to proceed to authenticate ‘as usual’ using the built-in authentication scheme.
In my mind's eye the key advantage of this implementation is that it allows me to enforce MFA and Conditional Access policies as a means of better protecting while also maintaining relatively low friction in the UX.  (Admittedly this approach is of limited value if it later emerges that can be compromised some other way, but let’s overlook that for the sake of this question.)
So here we have a design which requires specific URLs within a protected site to trigger the WAF to use an external SAML IDP to authenticate access; but also requires NOT protecting the remaining URLs belonging to the same application in this way. (It probably also requires the WAF-driven authentication to remain transparent from the perspective of, but I reckon if that tripped me up I'd be looking at some horrible edge case and considering myself very unlucky.)
My questions: Is such a configuration readily achievable/supported?
If so, are there any particular difficulties or challenges with its implementation that I likely want to know about?

Community Manager

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Anthony-Fortinet Community Team.



As per my understanding of this, FortiWeb can actually do the authentication based on the path specified for the login page only. You can check this :
However, once the first part of authentication is done, it will direct traffic to the application server. The second part has to be checked on how the application handles that traffic, as there will be a session cookie for tracking purposes along with that traffic. So FortiWeb will be able to do just the first part of authentication.

Gaurav Sharma
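To make the two-stage flow from the question and the answer concrete, here is a small model of the decision a WAF makes per request when only the application's login path is SAML-gated. It is an added illustration, not FortiWeb configuration or Fortinet code; the paths `/login` and `/saml/acs`, the IdP URL, the cookie name and the session TTL are assumed values, and the SAML assertion check is reduced to a constructed "pre-verified" form field where a real deployment validates the IdP's signature, audience and timestamps. What it shows is the "first part" only: the gate mints its own signed session cookie after the IdP round trip, public paths pass through untouched, and the backend's built-in login still runs afterwards.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed values for this model; the real site, paths and IdP come from your deployment.
PROTECTED_PATHS = ("/login",)            # only the app's own login page is SAML-gated
SAML_ACS_PATH = "/saml/acs"              # assumed path the IdP posts the assertion back to
IDP_SSO_URL = "https://idp.example/sso"  # placeholder IdP single-sign-on endpoint
COOKIE_NAME = "waf_saml_session"
SESSION_TTL = 3600                       # seconds a WAF session cookie stays valid


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class PathScopedSamlGate:
    """Per request: forward to the backend, redirect to the IdP, or mint a WAF session."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now  # injectable clock so expiry can be tested deterministically

    # Session cookie layout: "name_id|expiry|mac", MAC computed over the first two fields.
    def _sign(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def mint_session(self, name_id: str) -> str:
        payload = f"{name_id}|{int(self._now()) + SESSION_TTL}"
        return f"{payload}|{self._sign(payload)}"

    def session_subject(self, cookie: Optional[str]) -> Optional[str]:
        """Return the IdP-authenticated subject if the cookie is intact and unexpired."""
        if not cookie or cookie.count("|") != 2:
            return None
        name_id, expiry, mac = cookie.split("|")
        if not hmac.compare_digest(mac, self._sign(f"{name_id}|{expiry}")):
            return None  # tampered or signed with a different secret
        if not expiry.isdigit() or int(expiry) <= self._now():
            return None  # expired
        return name_id

    def handle(self, req: Request) -> Response:
        # 1. IdP callback: accept the assertion, set the WAF cookie, return to the original path.
        if req.path == SAML_ACS_PATH:
            name_id = self._verify_assertion(req.form)
            if name_id is None:
                return Response(403, body="invalid SAML response")
            target = req.form.get("RelayState", "/")
            if not target.startswith("/") or target.startswith("//"):
                target = "/"  # keep RelayState on-site so the callback is not an open redirect
            cookie = f"{COOKIE_NAME}={self.mint_session(name_id)}; HttpOnly; Secure; Path=/"
            return Response(302, {"Location": target, "Set-Cookie": cookie})
        # 2. Gated path without a valid WAF session: send the user to the IdP first.
        if req.path in PROTECTED_PATHS and self.session_subject(req.cookies.get(COOKIE_NAME)) is None:
            return Response(302, {"Location": f"{IDP_SSO_URL}?{urlencode({'RelayState': req.path})}"})
        # 3. Everything else, and the login page once the cookie is valid, is forwarded unchanged.
        #    The backend's own login form still runs; the gate is the "first part" only.
        return Response(200, body=f"forward {req.path} to backend")

    @staticmethod
    def _verify_assertion(form: Dict[str, str]) -> Optional[str]:
        # Placeholder for real SAML response validation (XML signature, Audience,
        # NotOnOrAfter, InResponseTo). This model accepts only a constructed, pre-verified field.
        if form.get("verified") == "yes" and form.get("name_id"):
            return form["name_id"]
        return None


if __name__ == "__main__":
    gate = PathScopedSamlGate(b"constructed-secret")
    print(gate.handle(Request("/public/page")).status)   # public path: forwarded
    print(gate.handle(Request("/login")).headers)         # gated path: redirect to IdP
```

The session cookie is what the answer refers to as the tracking state: once the IdP round trip has happened, the gate only checks its own cookie on `/login` and the backend never sees the SAML exchange, which is the transparency the question hopes for. The design question a practitioner should still settle is whether `/login` is the only path through which the application accepts credentials (a POST endpoint or an API login route would need to be in `PROTECTED_PATHS` too), since anything not listed is forwarded without the IdP step.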
