systemgeek
Contributor

Fortigate client based ssl-vpn with saml group matching

I am testing out client-based SSL-VPN using SAML auth. When I debug SAML on the FortiGate I see that the group that comes back from SAML is correct, but I am getting added to the wrong portal.

I have the user group configured as per https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/co... with:

config user group
    edit FortiGateAccess
        set member azure
        config match
            edit 1
                set server-name azure
                set group-name <object ID>
            next
        end
    next
end

How does the FortiGate relate the group name to the portal name?


6 Replies
systemgeek
Contributor

In the SSL-VPN settings I see "Authentication/Portal Mapping" at the bottom. So does that mean the group name from SAML must match the portal name?

dbu
Staff

Hi @systemgeek ,

I believe you need to create authentication rules with multi-realm:

SSL VPN multi-realm | FortiGate / FortiOS 7.4.3 | Fortinet Document Library

SSL VPN authentication | FortiGate / FortiOS 7.2.8 | Fortinet Document Library

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
systemgeek

It looks like SSL-VPN multi-realm is for setting individual login pages for different realms.

I want to know what connects the group attribute that SAML returns to the VPN portal. I am pretty sure I deleted something or broke something and that's why it's not working right. Authentication Settings might be it, but I am clueless on how to configure it right.

dbu

Multi-realm can also serve the scenario where a user is part of several groups and you want to make sure they access the right portal based on that group membership.

I think you need to verify the authentication rules and check if the group is mapped to a portal.
(attachment: authportal.PNG)

I believe you are not matching a group on the list and going to the default portal at the end.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
systemgeek

So I do have this. The user group I have is a group of type Firewall that is connected to a remote server (the SAML server) with a list of group names....

OH... Wait... I need one group of type Firewall connected to SAML for EACH group name that will be returned... Then in the SSL-VPN settings I link the different groups to different portals....
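
The arrangement described in the post above, written out as a complete FortiOS CLI configuration. This is an added illustration, not configuration taken from the thread or from Fortinet's documentation. It assumes the SAML server object is named azure (as in the question), that the two Azure group object IDs are the placeholders shown, that the portals full-access and web-access exist (they are FortiOS defaults), and that SSL-VPN listens on port1; adjust every one of these to your environment.

```text
# One firewall user group per SAML group. The group-name under "config match"
# must equal the value the IdP returns in the group attribute (for Azure, the
# group object ID). The <...> values are placeholders.
config user group
    edit "VPN-Admins"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "<object ID of the Azure admins group>"
            next
        end
    next
    edit "VPN-Users"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "<object ID of the Azure users group>"
            next
        end
    next
end

# Authentication rules are what tie a firewall group to a portal. A user is
# matched against the rules in order; anyone who matches no rule lands on
# default-portal, which is the behaviour dbu describes. Keep the default portal
# the most restrictive one so an unmatched group never receives broad access.
config vpn ssl settings
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set source-interface "port1"
            set source-address "all"
            set groups "VPN-Admins"
            set portal "full-access"
        next
        edit 2
            set source-interface "port1"
            set source-address "all"
            set groups "VPN-Users"
            set portal "web-access"
        next
    end
end
```

To confirm the mapping is taking effect, run the same SAML debug used in the question (diagnose debug application samld -1) during a login and compare the group value the IdP returns with the group-name strings above; a character-for-character mismatch sends the user to the default portal rather than producing an error. Multi-realm is a separate feature (distinct login URLs and pages); it is not required for group-to-portal mapping.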

dbu

Yes, you can test with two different groups and portals and see the results.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.