Hi,
We already have a SAML MFA auth between a VDOM and a Azur Tenant.
We look for configuring another VDOM SAML MFA auth to the zame Azur Tenant (Same Directory)
The SSL VPN URL is for example vdom1.xxxx.com and the 2nd is vdom2.xxxx.com
In the "Basic SAML Configuration" of the "Fortigate VPN SLL" application, we can set multiple "Identifier" en "Reply" URL, but the "Sign On" and "Logout" URL are unique. So How can we distinguish it with our second VDOM url ??
Looking for a workaround, We tried to install a second Azur application "Fortigate VPN SLL" application (wich is possible). This second application was configured with the second VDOM VPNSSL Url everywhere. Each of both application have it's own VDOM Url set.
But when we try to connect with Forticlient on the second VDOM, the MFA windows get :
'https://vdom2.xxxx.com/remote/saml/metadata/ was not found in the directory '#directoryname#'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant".
We also notice that despite creating a second application "Fortigate VPN SLL", the Login / Azure AD id / Logout URLs , are exactly the same.
So here the question : How can we distinguish both source VDOMs in the configuration of the Azur Fortigate Application ?
There's documentation about having Fortigate SAML MFA to mutliple Azur Tenant, but we look for the reverse. Mutli Forti/VDOM to same Tenant.
Thanks.
Regards.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Usually, each VDOM would have a different public IP accessible from the Internet, which you define in your Azure tenant/settings, unless you are doing a inter-vdom link and all traffic is exiting through VDOM1/root, in which case it will have the same public IP but a different port.
Can you confirm, that the SSLVPN Login portal , https://vdom2.xxxx.com/ can be accessed from the Internet and all SSLVPN settings are in place, firewall rules, etc ?
Created on 05-02-2024 08:02 AM Edited on 05-02-2024 08:03 AM
Thanks,
We confirm it's not in a inter-vdom link context.
All usual settings are OK. In fact, the configuration was already working with local Authentification. We have added the Cert / SAML Config / GROUP and Mapping part.
We did this on the first VDOM : 100% ok.
We did this on the second VDOM : Error with the Forticlient connexion.
When you say "each VDOM would have a different public IP accessible from the Internet, which you define in your Azure tenant/settings" -> The Fortigate VPNSSL Application doesn't permit mutiple URL/IP in the "Identifier" en "Reply" filed of the BASIC SAML config Panel, so it's not possible to put :
https://vdom1.xxxx.com/remote/saml/login
AND
https://vdom2.xxxx.com/remote/saml/login
In the same field...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.