Hello,
We have virtual FortiGate, deployed in Azure. We activated Remote Access VPN (FortiVPN) and integrated it with SAML Azure. Authentication don based Group. And I have question regarding these groups.
For example:
If i Have group_1 which have access to server_1 and server_2, also i have user_A which is member of group_1.
Also I have group_2 which has access to Server_3, and user_B.
And User_A can access to servers which is provided be group_1
And User_B can access to servers which is provided be group_2
But If I then need to provide for User_A access to the Server_3 what do I need to do? Do I need to add this user also to Group_2? or I need to create Group_3, provide for this group accesss to server_1, server_2, server_3 and then add to this group User_A?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@1mm,
Both group A and B must be mapped under SSL-VPN Settings. You also need firewall policy to allow group B.
Regards,
Thanks @hbac
As I understood there is no possibility when user can be member of several groups?
Hello @1mm
That's completly up to you.
You can create a new group and add that user or you can add that user to multiple groups.
Regards,
Thanks @mauromarme
I did some tests:
I created on Azure 2 groups. Group_A and Group_B. I mapped it to fortigates. Group_A I selected as group for authentication (When you can select group in VPN settings and then map it to the portal) and provided some type of accesses. I added user to the Group_A and this user had access to the servers which were accepted for Group_A. Then I addess several rules for where I select as source also Group_B and added useres additionally to this group but he didnot recieve access to servers for Group_B (I didnot map this group to the portal in VPN settings). Where is the issue or misconfiguration?
Are there any ideas?
Hey 1mm,
in principle, as long as SAML server returns all group memberships in the assertions, then FortiGate should know the user is member of multiple groups, and allow access to policies accordingly.
Please ensure you have the following set up:
- user groups with remote SAML server as member, and filtering on the group name sent by SAML
- in the SAML server settings, ensure FortiGate is set up with correct assertions:
config user saml
edit <SAML server>
set group-name <group assertion>
end
As an example:
- SAML server sends the group name in an assertion called "group", then in FortiGate you need 'set group-name "group"'
- SAML server sends the group name in an assertion called "group-id" then in FortiGate you need 'set group-name "group-id"'
@1mm,
Both group A and B must be mapped under SSL-VPN Settings. You also need firewall policy to allow group B.
Regards,
Hi @1mm
Both groups should be mapped on the SSL VPN configuration.
If you only map Group_A to SSL, the only rules that are going to work are the ones for Group_A.
Thanks friends for help!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1721 | |
1098 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.