Hey Gang,
I'm not really sure what the right terminology is for this, but I expect it's a pretty common request. We've created a few special groups in LDAP and dropped users into those various groups. Based on the user's group membership, we want to send a single relevant role back to the SP when the user logs in via SAML. FAC pulls the user groups from LDAP just fine for all our other use cases, but we've never had to restrict which groups are provided in auth responses, and we're not sure if the LDAP group being directly provided to the SP is best practice. Right now, when we choose LDAP group as role, the response sent to the SP is all groups a user is a member of, which doesn't work for our purposes, nor does it seem secure/private to provide all that irrelevant info.
Are there any best practice guides floating around for this sort of use case?
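As an added illustration of the requirement in the post above (not FortiAuthenticator code, and not from the original thread): the logic that takes a user's full memberOf list and reduces it to exactly one role for the SP, with an explicit precedence order and no disclosure of unmapped groups. The group DNs, role names and the `role` attribute name are constructed placeholders.

```python
"""Reduce a user's LDAP group memberships to a single SAML role attribute.

Illustrative mapping logic only; it is not FortiAuthenticator's
implementation. Group DNs, role names and the SP attribute name below are
constructed placeholders.
"""
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical mapping: LDAP group DN -> role the SP understands.
# Order matters: earlier entries win when a user is in several mapped groups,
# so the result is deterministic and always a single value.
ROLE_PRECEDENCE = [
    ("CN=sp-admins,OU=SAML,DC=example,DC=com", "admin"),
    ("CN=sp-editors,OU=SAML,DC=example,DC=com", "editor"),
    ("CN=sp-viewers,OU=SAML,DC=example,DC=com", "viewer"),
]


def select_role(member_of):
    """Return exactly one role for the SP, or None if no mapped group matches.

    Comparison is case-insensitive because LDAP DNs are case-insensitive.
    Groups absent from the mapping (VPN, printer, mailing-list groups ...)
    never influence the result and are therefore never sent to the SP.
    """
    groups = {dn.strip().lower() for dn in member_of}
    for group_dn, role in ROLE_PRECEDENCE:
        if group_dn.lower() in groups:
            return role
    return None


def build_attribute_statement(member_of, attribute_name="role"):
    """Build a SAML 2.0 AttributeStatement carrying only the selected role.

    Returns None when the user has no mapped group, so the caller can deny
    the login instead of emitting an empty or all-groups attribute.
    """
    role = select_role(member_of)
    if role is None:
        return None
    ET.register_namespace("saml", SAML_ASSERTION_NS)
    stmt = ET.Element(f"{{{SAML_ASSERTION_NS}}}AttributeStatement")
    attr = ET.SubElement(
        stmt, f"{{{SAML_ASSERTION_NS}}}Attribute", Name=attribute_name
    )
    value = ET.SubElement(attr, f"{{{SAML_ASSERTION_NS}}}AttributeValue")
    value.text = role
    return ET.tostring(stmt, encoding="unicode")


def attribute_values(statement_xml):
    """Parse the AttributeValue texts back out of an AttributeStatement.

    Handy for checking, e.g. in a test, that only one role left the IdP.
    """
    root = ET.fromstring(statement_xml)
    return [v.text for v in root.iter(f"{{{SAML_ASSERTION_NS}}}AttributeValue")]


# Constructed sample: memberOf values as LDAP might return them for one user.
SAMPLE_MEMBER_OF = [
    "CN=vpn-users,OU=Network,DC=example,DC=com",
    "CN=sp-viewers,OU=SAML,DC=example,DC=com",
    "CN=SP-Editors,OU=SAML,DC=example,DC=com",
    "CN=printer-floor2,OU=Devices,DC=example,DC=com",
]

if __name__ == "__main__":
    # The user is in both the viewer and editor groups; editor wins by precedence,
    # and the VPN and printer groups do not appear in the output at all.
    print(build_attribute_statement(SAMPLE_MEMBER_OF))
```

The precedence list is the policy decision: whichever product does the mapping, the IdP side should decide the single role, and the SP should never need (or receive) the raw group list.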
Hi @80211WiGuy
You can achieve this by configuring the CN of the group on the FGT, and on the FAC side you can configure LDAP group membership as the assertion attribute.
Created on 02-07-2024 09:18 AM Edited on 02-07-2024 09:18 AM
Hi RB,
Sorry, I don't understand why the FGT is involved here. We are trying to solve a FAC SAML IdP and Service Provider authentication issue. The user would not even be behind a FGT if they were trying to authenticate to the Service Provider from home.
Hi 80211WiGuy,
If the requirement is to send a single relevant role back to the SP, then you might check the option of using attributes from a remote RADIUS server.
FortiAuthenticator can include attributes returned by the remote RADIUS servers into assertions returned by the SAML IdP.
There is a new option in the GUI to configure a SAML assertion containing the value of a RADIUS attribute:
A new RADIUS attribute user attribute is available when you create an assertion attribute for a SAML service provider in Authentication > SAML IdP > Service Providers.
Description in the Service Providers tab (https://docs.fortinet.com/document/fortiauthenticator/6.6.0/administration-guide/19212/service-):

SAML Attribute: Remote RADIUS server: RADIUS attribute

When RADIUS attribute is selected as the User attribute, the following additional settings are available in the Create New Assertion Attribute dialog:
- Vendor: The RADIUS vendor name.
- Attribute ID: The attribute within the vendor's RADIUS dictionary.
Regards
Thanks Sx11, we'll assess if this is a possibility.
Hi Sx11, is there a way to use the RADIUS server built into FAC for this?
Hi 80211WiGuy, this will work only with an integration with a remote RADIUS server.