Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
LouisG
New Contributor

Fortigate Azure AD as a SAML IdP for outbound firewall rule and SAML SSO login for SSL VPN

Hello everyone,

 

We have followed these two cookbooks :

  1. Outbound firewall authentication with Azure AD as a SAML IdP

  2. Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP

 

Actually, we are able to make it work but separately. I mean :

  • If we configure these two cookbooks in our FortiGate, only the "SAML SSO login for SSL VPN with Azure AD acting as SAML IdP" part will work.
  • If we configure only one of them without the other, it works. For example, we only configure the "Outbound firewall authentication with Azure AD as a SAML IdP" part and it works.

We have tried Azure AD External Connectors for both and only one for tyo but the result was the same... Does anyone have been able to make these two works together ? We have a FortiGate 100F in FortiOS version 7.2.5.

 

Feel free to ask if you need more infornations. Thank you !

 

---------------------------------------------------------------------------------------------------------

 

SOLUTION : The problem was in the group declaration. You absolutely need to declare your groups 2 times. One time for the SAML SSO login for SSL VPN and one other time for the Azure AD as a SAML IdP for outbound firewall.

3 REPLIES 3
Stephen_G
Moderator
Moderator

Hi LouisG,

 

Thank you for using our Community Forum. I am glad you were able to find a solution and you could share it with us!

 

Feel free to get in touch with any further queries. Otherwise, anybody with similar experiences or information is welcome to share it.

Stephen - Fortinet Community Team
mgoswami
Staff
Staff

Hi,

 

If you have disabled Split Tunneling for SSL VPN, in that case, on the Policy which you have created for the SSL VPN users to access Internet, you would need to call the SAML USER GROUP. This group will be for the non gallery application which you have created for authenticating the users for internet access. Along with this, you would also need to call the SAML group which you have created for SSL VPN application on the IDP.

 

Note that these 2 groups are not same. There groups will be for the 2 applications which you have created on the IDP. One user may be allowed to connect to SSL VPN but restricted to access Internet based on the users called in both these applications on the IDP.

 

BR,

Manosh

 

LouisG

Hello mgoswami,

 

Yes it makes sense now... Thank you for the precisions !

Have a great day.

 

Best regards,

Louis

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors