Say I have FortiWeb in front of a backend website, let’s call it https://resources.com and there are some general default protection policies in place on the FortiWeb.
Presume that https://resources.com has its own authentication scheme and user database. Users can only authenticate by visiting a specific URL where a login page is presented for them to enter their user credentials, let’s call that URL https://resources.com/login
Crucially, there are significant parts of https://resources.com that do not require authentication for access, these pages are open to any visitors.
As admin, I’ve decided I’m not completely convinced by the overall security of the built-in authentication scheme, but for whatever reasons, I cannot make any changes to https://resources.com. This also means that I cannot dispose of its built-in authentication scheme.
My tactical decision is to configure the FortiWeb so that when a user requests authentication by visiting https://resources.com/login, the WAF redirects them to authenticate via a SAML-compliant IDP – in this case it would be Microsoft Entra – and once that IDP has authenticated them, the WAF will redirect them back to https://resources.com/login to proceed to authenticate ‘as usual’ using the built-in authentication scheme.
In my mind's eye the key advantage of this implementation is that it allows me to enforce MFA and Conditional Access policies as a means of better protecting https://resources.com/login while also maintaining relatively low friction in the UX. (Admittedly this approach is of limited value if it later emerges that https://resources.com can be compromised some other way, but let’s overlook that for the sake of this question.)
So here we have a design which requires specific URLs within a protected site to trigger the WAF to use an external SAML IDP to authenticate access; but also requires NOT protecting the remaining URLs belonging the same application in this way. (It probably also requires the WAF-driven authentication to remain transparent from the perspective of https://resources.com, but I reckon if that tripped me up I'd be looking at some horrible edge case and considering myself very unlucky.)
My questions: Is such a configuration readily achievable/supported?
If so, are there any particular difficulties or challenges with its implementation that I likely want to know about?
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks
Hello,
As per my understanding on this, Fortiweb can actually do the Authentication based on path specified for the Login page only. You can check this : https://docs.fortinet.com/document/fortiweb/7.4.2/administration-guide/349825/site-publishing-single...
However once first part of Authentication done then it will direct traffic to the Application server. The second part have to be checked on how the Application handles that traffic as there will be session cookie for tracking purposes along with that traffic. So this Fortiweb will be able to just do first part of Authentication.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.