Using FortiClient 7.0.8
Fortinet OS 7.2.7
Our company is using FortiClient for client VPN on Windows devices. The current configuration offloads VPN authentication to internal Active Directory Domain Controllers. Our users enter their domain username and password into FortiClient, the credentials are passed to the Fortinet firewall, the firewall then authenticates the credentials against the DCs, and the tunnel connection is established.
The client devices are hybrid AD joined.
1) Is it possible to modify the configuration so that FortiClient authenticates user credentials against Azure AD using SAML instead?
2.a) Does FortiClient provide an ‘embedded browser redirect’ UX in this proposed configuration, or does it ‘break out’ into one of the main OS browsers (Edge, Chrome) to facilitate the sign-in?
2.b) If the UX is ‘embedded browser redirect’ rather than Edge, should we expect to see issues and complications with the Conditional Access ‘Require AD hybrid joined’ and ‘Require device marked as compliant’ grants? We have seen these issues arise where other client applications use, for example, WebView2 or similar under the hood.
3) Under the existing configuration the ‘Enable VPN before Logon’ option is enabled. This is sometimes used for troubleshooting. The credentials for establishing the VPN can be entered at the Windows login screen (so, VPN login is directly integrated to the Windows desktop interactive login). Will the new proposed configuration hinder (or require disabling) this functionality?
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks
1. You need to configure SAML on FortiGate first. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-SSL-VPN-with-Azure-SAML-SSO-Authent...
2. FortiClient has embedded browser and there is an option to use external browser for SAML authentication: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/364443/using-a-browser-as-an...
3. I am not sure if ‘Enable VPN before Logon’ supports SAML authentication. I suggest opening a ticket to check with the FortiClient team.
Regards,
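As an added example (not part of this thread and not Fortinet's own text), the block below sketches the FortiGate-side SAML configuration that point 1 of the answer refers to, in FortiOS 7.x CLI form: the FortiGate acts as the SAML Service Provider and Azure AD as the Identity Provider. All values in angle brackets are placeholders for your own tenant, hostname and certificates, and the object names (`azure-saml`, `azure-vpn-users`) are assumptions chosen here; check each command against the FortiOS CLI reference for your exact build before applying it.

```text
# Added example, not from the original thread. FortiOS 7.x CLI sketch of SAML
# SSL VPN authentication against Azure AD. <placeholders> must be replaced;
# object names are assumptions chosen for this example.

# 1. SAML user object: the FortiGate is the Service Provider (SP).
config user saml
    edit "azure-saml"
        set cert "<fortigate-server-certificate>"          # local cert used to sign SP requests
        set entity-id "https://<vpn-fqdn>:<port>/remote/saml/metadata/"
        set single-sign-on-url "https://<vpn-fqdn>:<port>/remote/saml/login"
        set single-logout-url "https://<vpn-fqdn>:<port>/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<azure-tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<azure-tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<azure-tenant-id>/saml2"
        set idp-cert "<imported-azure-signing-certificate>" # remote cert imported from the Azure app's federation metadata
        set user-name "username"   # must match the user claim name configured in the Azure enterprise app
        set group-name "group"     # must match the group claim name configured in the Azure enterprise app
        set digest-method sha256
    next
end

# 2. User group wrapping the SAML object. The match clause restricts VPN access
#    to members of one Azure AD group instead of any authenticated tenant user.
config user group
    edit "azure-vpn-users"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "<azure-ad-group-object-id>"
            next
        end
    next
end

# 3. Bind the group to the SSL VPN portal (a matching firewall policy from the
#    SSL VPN tunnel interface that references "azure-vpn-users" is still required).
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "azure-vpn-users"
            set portal "full-access"
        next
    end
end
```

Three points are worth checking once this is in place. First, keep the IdP signing certificate imported and the SHA-256 digest, since that is what lets the FortiGate reject a forged or tampered assertion. Second, the group match in step 2 is what turns "anyone in the tenant can sign in" into "only this group gets a tunnel"; without it every Azure AD user who passes Conditional Access is a VPN user. Third, on the client side the FortiClient connection has to be SSO-enabled, and the external-browser option in the linked document is the relevant knob for question 2.b: device-based Conditional Access grants are evaluated from the device identity the browser presents, and a full OS browser on a hybrid-joined device carries that identity natively, whereas an embedded web view may not, so test the CA policy against both modes before rolling the change out.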