Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
1mm
Contributor

Fortigate and SAML

Hello, we have fortigate, deployed in Azure. We have configured SAML for authentication/authorizations for FortiVPN. Now we are also planning delpoy another fortigates on ESXi infrastructure, where we also need to configure FortiVPN with SAML. Qsuestion is Can I have one SAML application on azure which will be mapped with both fortigates? AD groups, and policies will be the same. 

1 Solution
pminarik
Staff
Staff

Yes, you can!

The Single sign-on section for SAML method in Enterprise Applications allows you to define values for multiple Service Providers (~multiple FortiGates):

 
 

Azure AD/Entra SAML SP configurationAzure AD/Entra SAML SP configuration

The only requirement for this to properly work is that the SP (=FortiGate SSL-VPN) includes the ACS (login) URL in the AuthnRequest, so that the IdP (Azure) knows where to redirect to once done (if not included, Azure will redirect to the first/default URL configured). Fortunately, FortiGate indeed includes this value in the request, so everything should work. :)

[ corrections always welcome ]

View solution in original post

5 REPLIES 5
hbac
Staff
Staff

Hi @1mm,

 

I don't think so as Entity ID, reply URL, etc will be different between FortiGates. 

 

Regards, 

pminarik
Staff
Staff

Yes, you can!

The Single sign-on section for SAML method in Enterprise Applications allows you to define values for multiple Service Providers (~multiple FortiGates):

 
 

Azure AD/Entra SAML SP configurationAzure AD/Entra SAML SP configuration

The only requirement for this to properly work is that the SP (=FortiGate SSL-VPN) includes the ACS (login) URL in the AuthnRequest, so that the IdP (Azure) knows where to redirect to once done (if not included, Azure will redirect to the first/default URL configured). Fortunately, FortiGate indeed includes this value in the request, so everything should work. :)

[ corrections always welcome ]
1mm

Thanks for your reply,

 

But as I see Sign on URL 

you cant add 2 entries, or its not mandatory for authentication? 

pminarik

Multiple ACS/Reply URLs is sufficient for things to work.
Sign on URL can be left empty/singular (whichever option Azure allows).

[ corrections always welcome ]
1mm

Thanks for your help! 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors