I have configured SAML SSO for management on the root FortiGate (200F, 7.2.1) with the FortiGate as SP and Azure as IdP and it works fine. However, when I join downstream FortiGates (40F, 7.2.1) and leave the SSO as "Auto", it is stuck in "Pending" forever. I am assuming that this is because the root is not acting as an IdP. Wondering if it is possible for the root FortiGate to act as both SP (for Azure) and IdP for downstream nodes. Any help is appreciated.
Thanks
SV
As it is currently designed, each FortiGate can only act as either SP or an IdP, including the root.
It is not possible for a FortiGate to act as a "SAML proxy", i.e. acting as IdP towards downstream FortiGates and proxying the requests to another IdP (acting as an SP towards that IdP).
If FAC is "on the table", you could consider using its SAML proxy feature. That way all of your FortiGates would point to the FAC as their IdP, and the FAC would proxy this to Azure. But this only really makes sense if you want the FAC to actually do something useful in the flow (e.g. injecting 2FA with FortiTokens), or if there is some administrative limitation in Azure. (maybe you cannot, or don't want to, make an SP entry in Azure for each and every FortiGate? etc.)
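A quick check that makes the answer above concrete, as an added example (not from the thread or from Fortinet): parse exported SAML metadata and report which roles the entity advertises. A root FortiGate set up as SP publishes only an SPSSODescriptor, so downstream members pointed at it find no IdP role to talk to, while a proxy such as FortiAuthenticator publishes both. The hostnames and metadata documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed metadata for a root FortiGate configured as SP only (as in the
# question): it publishes an SPSSODescriptor and nothing else.
ROOT_FGT_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://root-fgt.example.invalid/metadata/">
  <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}">
    <md:AssertionConsumerService Binding="{POST}"
        Location="https://root-fgt.example.invalid/saml/?acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed metadata for a SAML proxy (hypothetical FortiAuthenticator host):
# IdP towards the FortiGates and SP towards Azure, so it carries both descriptors.
PROXY_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://fac.example.invalid/saml-idp/">
  <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}">
    <md:SingleSignOnService Binding="{POST}"
        Location="https://fac.example.invalid/saml-idp/login/"/>
  </md:IDPSSODescriptor>
  <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}">
    <md:AssertionConsumerService Binding="{POST}"
        Location="https://fac.example.invalid/saml-sp/acs/" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def saml_roles(metadata_xml: str) -> set[str]:
    """Return the SAML roles (SP, IdP) an entity advertises in its metadata."""
    entity = ET.fromstring(metadata_xml.strip())
    roles = set()
    if entity.find(f"{{{MD_NS}}}SPSSODescriptor") is not None:
        roles.add("SP")
    if entity.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None:
        roles.add("IdP")
    return roles

def can_serve_downstream(metadata_xml: str) -> bool:
    """A downstream FortiGate SP can only complete SSO against an entity with an IdP role."""
    return "IdP" in saml_roles(metadata_xml)

if __name__ == "__main__":
    for name, md in (("root FortiGate", ROOT_FGT_METADATA), ("proxy", PROXY_METADATA)):
        print(f"{name}: roles={sorted(saml_roles(md))} downstream_ok={can_serve_downstream(md)}")
```

Point `saml_roles` at the metadata you actually export from the root unit; if the result is only `{"SP"}`, the "Pending" state on the downstream members is expected rather than a fault.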
Copyright 2024 Fortinet, Inc. All Rights Reserved.