We’ve been authenticating our VPN on prem. I’m interested in changing it to SAML via Azure, but had a few questions. First, we have multiple locations, but for the most part each one are different groups. People at location B won’t VPN to location A or C or D. Do you use a different enterprise application in Azure for each site, or one app for all and manage access after the connection?
Second, our devices are all Azure joined and Intune enrolled. What is the user experience like while connecting? Does SSO kick in and reduce login prompts at all? This would be a huge benefit.
You can use the same enterprise application for all 3 locations/firewalls. On Azure side, all the 3 groups should be allowed to connect. You will filter/restrict the groups on each firewall.
config user group
    edit "AzureGroup"
        set member "Azuresaml"
        config match
            edit 1
                set server-name "Azuresaml"
                set group-name "azuregroupidA"
            next
        end
    next
end
Only members of azuregroupidA can connect to this firewall. This should work fine as long as the users aren't members of all 3 groups at once.
Regarding Intune, I didn't test that yet and I don't have an answer. Maybe another member of the community could answer that. Otherwise, I'll see if I can come back with a response in the next few days.
But you specify the FortiGate's IP/DNS in the Enterprise application under "Basic SAML configuration". So I guess you need to have one Enterprise application per FortiGate that authenticates SAML users?