I recently configured SAML for our KACE helpdesk platform as we wanted to simplify the login process with SSO through our Azure AD. We got everything working fine and encountered no real access issues at first.
However, it was noted that when trying to use SAML to login from outside the network the login process got stuck in a loop. One further exploration we determined that in order for SAML to pull from AD we had to be on VPN when outside the internal network.
I have scoured forums, blogs, posts, tutorials, youtube and have yet to find the answer to this issue. I put in a support claim with KACE and their assessment is that it's a firewall policy within fortiguard that is preventing an internal device trying to access AD for an internal system but from an external connection.
I have looked through our firewall policies and I am stumped as nothing seems to be preventing this access.
Have anyone encountered this issue before? Any idea where I can resolve this access loop?
The IdP's login page (the URL defined in set idp-single-sign-on-url), to which the authenticating client will be redirected by the SP (FortiGate), must be accessible to the client without the VPN (because they're not connected to it yet).
Double-check your FortiGuard firewall rules to ensure that the necessary ports and protocols required for SAML and AD are open for external access. Ensure that NAT settings are correctly configured to allow external devices to reach your internal network. Make sure the SAML endpoints are accessible from outside the network. Sometimes, the endpoints are configured to be intranet-only. If you're using ADFS, ensure that it's accessible from outside the network. Ensure that the certificates used for SAML are valid and accessible from outside the network. Use browser developer tools to trace the SAML requests and responses. Look for any anomalies or errors in the SAML assertions. Check the KACE logs and Azure AD logs for any errors or warnings that could provide a clue.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.