Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
1mm
Contributor

Fortigate FortiVPN

Hello,

We have virtual FortiGate, deployed in Azure. We activated Remote Access VPN (FortiVPN) and integrated it with SAML Azure. Authentication don based Group. And I have question regarding these groups.

 

For example:

If i Have group_1 which have access to server_1 and server_2, also i have user_A which is member of group_1.

Also I have group_2 which has access to Server_3, and user_B. 

 

And User_A can access to servers which is provided be group_1

And User_B can access to servers which is provided be group_2

But If I then need to provide for User_A access to the Server_3 what do I need to do? Do I need to add this user also to Group_2? or I need to create Group_3, provide for this group accesss to server_1, server_2, server_3 and then add to this group User_A? 

 

1 Solution
hbac

@1mm,

 

Both group A and B must be mapped under SSL-VPN Settings. You also need firewall policy to allow group B. 

 

Regards, 

View solution in original post

12 REPLIES 12
hbac
Staff
Staff

Hi @1mm,

 

It is better to move User_A to a new group which has access to Server1,2,3. 

 

Regards, 

1mm
Contributor

Thanks @hbac 

As I understood there is no possibility when user can be member of several groups? 

mauromarme
Staff
Staff

Hello @1mm 
That's completly up to you.
You can create a new group and add that user or you can add that user to multiple groups. 
Regards,

Mauricio Marin
Fortinet TAC Senior Engineer
1mm

Thanks @mauromarme 

I did some tests: 

I created on Azure 2 groups. Group_A and Group_B. I mapped it to fortigates. Group_A I selected as group for authentication (When you can select group in VPN settings and then map it to the portal) and provided some type of accesses. I added user to the Group_A and this user had access to the servers which were accepted for Group_A. Then I addess several rules for where I select as source also Group_B and added useres additionally to this group but he didnot recieve access to servers for Group_B (I didnot map this group to the portal in VPN settings). Where is the issue or misconfiguration? 

1mm
Contributor

Are there any ideas? 

Debbie_FTNT

Hey 1mm,

in principle, as long as SAML server returns all group memberships in the assertions, then FortiGate should know the user is member of multiple groups, and allow access to policies accordingly.

Please ensure you have the following set up:
- user groups with remote SAML server as member, and filtering on the group name sent by SAML

- in the SAML server settings, ensure FortiGate is set up with correct assertions:
config user saml
edit <SAML server>
set group-name <group assertion>
end

 

As an example:
- SAML server sends the group name in an assertion called "group", then in FortiGate you need 'set group-name "group"'
- SAML server sends the group name in an assertion called "group-id" then in FortiGate you need 'set group-name "group-id"'

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
hbac

@1mm,

 

Both group A and B must be mapped under SSL-VPN Settings. You also need firewall policy to allow group B. 

 

Regards, 

mauromarme

Hi @1mm 
Both groups should be mapped on the SSL VPN configuration. 
If you only map Group_A to SSL, the only rules that are going to work are the ones for Group_A.

Mauricio Marin
Fortinet TAC Senior Engineer
1mm
Contributor

Thanks friends for help! 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors