Support Forum
yang121
New Contributor

Forticlient and SAML to Azure

We’ve been authenticating our VPN on prem. I’m interested in changing it to SAML via Azure, but had a few questions. First, we have multiple locations, but for the most part each one is a different group. People at location B won’t VPN to location A, C or D. Do you use a different enterprise application in Azure for each site, or one app for all and manage access after the connection?

Second, our devices are all Azure joined and Intune enrolled. What is the user experience like while connecting? Does SSO kick in and reduce login prompts at all? This would be a huge benefit.

kiri
Staff

Hi yang121,

You can use the same enterprise application for all 3 locations/firewalls.
On Azure side, all the 3 groups should be allowed to connect.
You will filter/restrict the groups on each firewall.

config user group
    edit "AzureGroup"
        set member "Azuresaml"
        config match
            edit 1
                set server-name "Azuresaml"
                set group-name "azuregroupidA"
            next
        end
    next
end

Only members of azuregroupidA can connect to this firewall.
This should work fine as long as the users aren't members of all 3 groups at once.

Regarding Intune, I didn't test that yet and I don't have an answer.
Maybe another member of the community could answer that.
Otherwise, I'll see if I can come back with a response in the next few days.
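
The per-firewall filtering described in this reply, shown end to end for one site as an added example (not configuration from the post or from Fortinet). It assumes a FortiGate reachable as vpn-a.example.com, the default "Fortinet_Factory" certificate, an imported IdP certificate named "REMOTE_Cert_1", an Azure tenant ID and site A's group object ID in the angle-bracket placeholders, and interface and address object names (port2, LAN-A, SSLVPN_TUNNEL_ADDR1) that exist on that unit. It also assumes the shared enterprise application has this FortiGate's entity ID and reply URL registered alongside the other sites', and that its claims are named "username" and "group".

```fortios
# Added example, not from the post: one Azure enterprise application shared
# by all sites, one FortiGate per site, group filtering done on the FortiGate.
# Hostname, certificate names, tenant ID, group object ID and interface/address
# names are assumptions.

# 1. SAML SP definition. The SP URLs are this FortiGate's own; the IdP URLs
#    and certificate come from the shared Azure enterprise application.
config user saml
    edit "Azuresaml"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn-a.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn-a.example.com/remote/saml/login/"
        set single-logout-url "https://vpn-a.example.com/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "REMOTE_Cert_1"
        # Attribute names the FortiGate reads out of the assertion; the Azure
        # app's claims must be emitted under these names for matching to work.
        set user-name "username"
        set group-name "group"
    next
end

# 2. Per-firewall filter. Only an assertion whose "group" attribute carries
#    site A's group value is mapped into AzureGroupA. With Azure's default
#    group claim that value is the group's object ID (a GUID), not its
#    display name, so the match must use the ID.
config user group
    edit "AzureGroupA"
        set member "Azuresaml"
        config match
            edit 1
                set server-name "Azuresaml"
                set group-name "<site-A-group-object-id>"
            next
        end
    next
end

# 3. Bind the group to the SSL VPN portal and to a firewall policy. A user
#    who authenticates at Azure but is not in site A's group matches no
#    authentication rule and no policy on this unit.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "AzureGroupA"
            set portal "full-access"
        next
    end
end

config firewall policy
    edit 10
        set name "SSLVPN-site-A"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN-A"
        set groups "AzureGroupA"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Sites B, C and D repeat the same three steps on their own FortiGate with that unit's SP URLs and that site's group object ID in the match entry; the `config user saml` IdP lines stay identical because the Azure side is shared. The check worth running after a test login is `diagnose debug application samld -1` together with `diagnose debug enable` on the FortiGate, which shows the attribute names and group values actually present in the assertion, so a mismatch between the Azure claim name or ID format and the `group-name` values above is visible immediately.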

JohnHogman

Hi,

But you specify the FortiGate's IP/DNS in the Enterprise application under "Basic SAML configuration". So I guess you need to have one Enterprise application per FortiGate that authenticates SAML users?
