Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RESSEC
New Contributor

Multiple Fortigate/VDOM SAML MFA Auth (for VPN/SSL) to the SAME Azure Tenant / directory

Hi,
We already have a SAML MFA auth between a VDOM and a Azur Tenant.
We look for configuring another VDOM SAML MFA auth to the zame Azur Tenant (Same Directory)
The SSL VPN URL is for example vdom1.xxxx.com and the 2nd is vdom2.xxxx.com

In the "Basic SAML Configuration" of the "Fortigate VPN SLL" application, we can set multiple "Identifier" en "Reply" URL, but the "Sign On" and "Logout" URL are unique. So How can we distinguish it with our second VDOM url ??

Looking for a workaround, We tried to install a second Azur application "Fortigate VPN SLL" application (wich is possible). This second application was configured with the second VDOM VPNSSL Url everywhere. Each of both application have it's own VDOM Url set.

But when we try to connect with Forticlient on the second VDOM, the MFA windows get :
'https://vdom2.xxxx.com/remote/saml/metadata/ was not found in the directory '#directoryname#'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant".

We also notice that despite creating a second application "Fortigate VPN SLL", the Login / Azure AD id / Logout URLs , are exactly the same.

So here the question :  How can we distinguish both source VDOMs in the configuration of the Azur Fortigate Application ?

There's documentation about having Fortigate SAML MFA to mutliple Azur Tenant, but we look for the reverse. Mutli Forti/VDOM to same Tenant.

Thanks.
Regards.

2 REPLIES 2
funkylicious
SuperUser
SuperUser

Hi,


Usually, each VDOM would have a different public IP accessible from the Internet, which you define in your Azure tenant/settings, unless you are doing a inter-vdom link and all traffic is exiting through VDOM1/root, in which case it will have the same public IP but a different port.

 

Can you confirm, that the SSLVPN Login portal , https://vdom2.xxxx.com/ can be accessed from the Internet and all SSLVPN settings are in place, firewall rules, etc ?

---------------------------
geek
---------------------------
---------------------------geek---------------------------
RESSEC

Thanks,
We confirm it's not in a inter-vdom link context.
All usual settings are OK. In fact, the configuration was already working with local Authentification. We have added the Cert / SAML Config / GROUP and Mapping part. 
We did this on the first VDOM : 100% ok.
We did this on the second VDOM : Error with the Forticlient connexion.

When you say "each VDOM would have a different public IP accessible from the Internet, which you define in your Azure tenant/settings" -> The Fortigate VPNSSL Application doesn't permit mutiple URL/IP in the "Identifier" en "Reply" filed of the BASIC SAML config Panel, so it's not possible to put :
https://vdom1.xxxx.com/remote/saml/login
AND
https://vdom2.xxxx.com/remote/saml/login
In the same field...


Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors