Fortigate client based ssl-vpn with saml group matching
I am testing out client based ssl-vpn using SAML Auth. When I debug saml on the fortigate I see that the group that comes back from SAML is correct, but I am getting added to the wrong portal.
I have users group configured as per https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/co... with:
config user group
    edit FortiGateAccess
        set member azure
        config match
            edit 1
                set server-name azure
                set group-name <object ID>
            next
        end
    next
end
How does the fortigate relate the group name to the portal name?
Created on ‎04-25-2024 12:27 PM Edited on ‎04-25-2024 12:28 PM
Multi-realm can also serve in the scenario where a user is part of several groups and you want to make sure they will access the right portal based on that group membership.
I think you need to verify the authentication rules and check if the group is mapped to a portal.
I believe you are not matching a group on the list and going to the default portal at the end.
If you have found a solution, please like and accept it to make it easily accessible for others.
In ssl-vpn settings I see at the bottom Authentication/Portal Mapping. So does that mean the group name from saml must match the portal name?
Hi @systemgeek ,
I believe you need to create authentication rules with multi-realm :
SSL VPN multi-realm | FortiGate / FortiOS 7.4.3 | Fortinet Document Library
SSL VPN authentication | FortiGate / FortiOS 7.2.8 | Fortinet Document Library
If you have found a solution, please like and accept it to make it easily accessible for others.
It looks like the ssl-vpn multi-realms is for setting individual login pages for different realms.
I want to know what connects the group attribute that SAML returns to the VPN portal. I am pretty sure I deleted something or broke something and that's why it's not working right. Authentication Settings might be it, but I am clueless on how to configure it right.
So I do have this. The Users/Group I have is a group of type Firewall that is connected to a remote server (the SAML server) with a list of group names....
OH... Wait... I need one group of type firewall connected to saml for EACH group name that will be returned... Then in ssl-vpn settings I link the different groups to different portals....
Created on ‎04-25-2024 01:52 PM Edited on ‎04-25-2024 01:53 PM
Yes you can test with two different groups and portals and see the results.
If you have found a solution, please like and accept it to make it easily accessible for others.
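The mapping the thread arrives at, written out as a complete FortiOS CLI example. This is an added illustration, not configuration taken from the original post or from Fortinet's documentation. It assumes a SAML server object already named "azure" (as in the question), two Azure AD groups whose object IDs are the placeholder values shown, and portal names "full-access" and "tunnel-access" (the built-in portals); the "no-access" portal and the UUIDs are constructed for the example. Each SAML group value gets its own firewall user group, and the authentication rules under the SSL-VPN settings are what tie a user group to a portal; a login that matches no rule falls through to the default portal, which is why the default is pointed at a portal with both tunnel and web mode disabled.

```text
# Added example (not from the original post). Group object IDs are placeholders.
# One firewall user group per SAML group value returned in the assertion.
config user group
    edit "vpn-admins"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                # Azure group object ID (placeholder value)
                set group-name "11111111-1111-1111-1111-111111111111"
            next
        end
    next
    edit "vpn-users"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                # Azure group object ID (placeholder value)
                set group-name "22222222-2222-2222-2222-222222222222"
            next
        end
    next
end

# A portal that grants nothing, used as the fall-through default (constructed for this example).
config vpn ssl web portal
    edit "no-access"
        set tunnel-mode disable
        set web-mode disable
    next
end

# Authentication rules are evaluated top-down; the first rule whose group
# matches decides the portal. Anything unmatched lands on default-portal.
config vpn ssl settings
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "vpn-admins"
            set portal "full-access"
        next
        edit 2
            set groups "vpn-users"
            set portal "tunnel-access"
        next
    end
end
```

Two things to check after applying this. First, the string in `set group-name` has to equal exactly what the IdP puts in the group claim; with Azure that is the group object ID by default, so a user group configured with the display name will never match. Second, because the rules are ordered, a user who is in both Azure groups will be placed by rule 1; put the more privileged group's rule first only if that is the intended outcome. `diagnose debug application samld -1` together with `diagnose debug enable` shows the group values received in the assertion, which is the quickest way to see why a rule is not matching before the login falls through to the default portal.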
