I am testing out client-based SSL-VPN using SAML auth. When I debug SAML on the FortiGate I see that the group that comes back from SAML is correct, but I am getting added to the wrong portal.
I have the user group configured as per https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/co... with:
config user group
    edit FortiGateAccess
        set member azure
        config match
            edit 1
                set server-name azure
                set group-name <object ID>
            next
        end
    next
end
How does the FortiGate relate the group name to the portal name?
Multi-realm can also serve in the scenario where a user is part of several groups and you want to make sure it will access the right portal based on that group membership.
I think you need to verify the authentication rules and check if the group is mapped to a portal.
I believe you are not matching a group on the list and going to the default portal at the end.
In ssl-vpn settings I see at the bottom Authentication/Portal Mapping. So does that mean the group name from saml must match the portal name?
Hi @systemgeek ,
I believe you need to create authentication rules with multi-realm :
SSL VPN multi-realm | FortiGate / FortiOS 7.4.3 | Fortinet Document Library
SSL VPN authentication | FortiGate / FortiOS 7.2.8 | Fortinet Document Library
It looks like the SSL-VPN multi-realm feature is for setting individual login pages for different realms.
I want to know what connects the group attribute that SAML returns to the VPN portal. I am pretty sure I deleted something or broke something and that's why it's not working right. Authentication Settings might be it, but I am clueless on how to configure it right.
So I do have this. The Users/Group I have is a group of type Firewall that is connected to a remote server (the SAML server) with a list of group names....
OH... Wait... I need one group of type firewall connected to saml for EACH group name that will be returned... Then in ssl-vpn settings I link the different groups to different portals....
Yes, you can test with two different groups and portals and see the results.
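The two-group setup the thread arrives at, written out as an added example (not configuration taken from the thread or from Fortinet's documentation): one firewall user group per Azure group object ID, each bound to the SAML server `azure`, and then each group mapped to its own portal in the SSL-VPN authentication rules. The group names, the object-ID placeholders and the use of the built-in `full-access` and `web-access` portals are assumptions for illustration.

```fortios
# Assumed: a SAML server object named "azure" already exists under
# "config user saml" and its group-name attribute carries Azure object IDs.
config user group
    # One firewall group per Azure group that the IdP can return.
    edit "VPN-Admins"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "<ADMINS-GROUP-OBJECT-ID>"   # placeholder
            next
        end
    next
    edit "VPN-Users"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "<USERS-GROUP-OBJECT-ID>"    # placeholder
            next
        end
    next
end

config vpn ssl settings
    # Anyone who authenticates but matches no rule below lands here.
    set default-portal "web-access"
    # Rules are evaluated top-down; the first group match wins.
    config authentication-rule
        edit 1
            set groups "VPN-Admins"
            set portal "full-access"
        next
        edit 2
            set groups "VPN-Users"
            set portal "web-access"
        next
    end
end
```

A SAML user whose returned group matches neither object ID is placed in `default-portal`, which is the symptom described above when the match list was incomplete.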
Copyright 2024 Fortinet, Inc. All Rights Reserved.