Binaire
New Contributor

SAML SSO VPN and VLAN

Hello,

Sorry for my English, I use Google Translate.

Is it possible to have an SSL VPN with Azure SAML SSO authentication and, at the same time, a captive portal on a VLAN with Azure SAML SSO authentication?

With 2 different Azure groups for authentication.


Hardware: FortiGate 100F
Firmware: v7.0.12 build0523 (Mature)

Best regards,

1 Solution
pminarik

So I take it the correct URL pattern ended up being /remote/saml/..., is that right?
Some parts of the documentation seem to contradict each other here, unfortunately.


With regards to the certificate, right now this will default to using an IP for the ...:1003... URLs, for which you certainly won't be able to get a public certificate. You can customize the URL to use a specific FQDN/domain, for which you should be able to buy/obtain a certificate.


If this portal is set per-policy, the options are:

    config firewall policy
        edit <policy id>
            set auth-cert <matching certificate for the FQDN>
            set auth-redirect-addr <which FQDN to use>
    end


If this is configured at interface level:

    config system interface
        edit <interface-with-portal>
            set auth-cert <matching certificate for the FQDN>
            set auth-portal-addr <which FQDN to use>
    end


Don't forget to make sure that you have a DNS record configured for this FQDN, and that your clients can resolve it correctly. (it should point to the IP of the ingress/source interface)


Lastly, I'll add that this is applicable to redirects from plain HTTP (clients typically probe for portals with HTTP requests), and for loading the /remote/saml/... URLs.

Redirecting from HTTPS to a portal is impossible to do without MITM/deep SSL inspection, which would require importing your own CA to all relevant clients.


[ corrections always welcome ]
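The three things the accepted answer asks you to verify (a real FQDN rather than an IP in the portal address, a matching auth-cert, and a DNS record that points at the ingress interface) are easy to miss when a FortiGate has several VLANs and policies. The script below is an added example, not code from the thread or from Fortinet: it parses a pasted FortiOS configuration and reports those three mistakes for every policy-level (auth-redirect-addr) and interface-level (auth-portal-addr) portal. The configuration text, the DNS table and the names vlan100, vlan200, wan1 and portal.example.com are constructed for the example; in practice you would paste your own "show" output and resolve the FQDN from a client on the VLAN. Only the first srcintf of a policy is checked.

```python
"""Audit FortiOS captive-portal address, certificate and DNS settings (added example)."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample config (not from the thread): vlan100 still uses an IP as its
# portal address, policy 10 is set up correctly, policy 11 has two mistakes.
SAMPLE_CONFIG = """
config system interface
    edit "vlan100"
        set ip 10.100.0.1 255.255.255.0
        set auth-cert "portal-cert"
        set auth-portal-addr "10.100.0.1"
    next
    edit "vlan200"
        set ip 10.200.0.1 255.255.255.0
    next
end
config firewall policy
    edit 10
        set srcintf "vlan200"
        set dstintf "wan1"
        set auth-cert "portal-cert"
        set auth-redirect-addr "portal.example.com"
    next
    edit 11
        set srcintf "vlan100"
        set dstintf "wan1"
        set auth-redirect-addr "portal.example.com"
    next
end
"""

# Constructed DNS view as the clients would see it (assumption: one A record).
SAMPLE_DNS = {"portal.example.com": "10.200.0.1"}


def parse_fortios(text):
    """Parse top-level config/edit/set/next/end into {table: {entry: {key: [values]}}}."""
    tree = defaultdict(dict)
    stack = []      # nested 'config' table names
    entry = None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            stack.append(" ".join(args))
        elif kw == "end":
            stack.pop()
        elif len(stack) != 1:
            continue    # sub-tables inside an entry (e.g. 'config ipv6') are ignored
        elif kw == "edit":
            entry = args[0]
            tree[stack[0]].setdefault(entry, {})
        elif kw == "set" and entry is not None:
            tree[stack[0]][entry][args[0]] = args[1:]
        elif kw == "next":
            entry = None
    return dict(tree)


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_portals(config_text, dns):
    """Return (scope, name, code, detail) findings for every custom portal address."""
    cfg = parse_fortios(config_text)
    ifaces = cfg.get("system interface", {})
    findings = []

    def check(scope, name, settings, addr_key, ingress_if):
        addr = settings.get(addr_key, [None])[0]
        if addr is None:
            return      # no custom address: portal stays on the default IP-based :1003 URL
        if is_ip_literal(addr):
            findings.append((scope, name, "addr-is-ip",
                             f"{addr_key} is {addr}; a public CA will not issue a certificate for an IP"))
        if "auth-cert" not in settings:
            findings.append((scope, name, "no-auth-cert",
                             f"auth-cert not set; the default certificate will not match {addr}"))
        if not is_ip_literal(addr):
            ingress_ip = ifaces.get(ingress_if, {}).get("ip", [None])[0]
            resolved = dns.get(addr)
            if resolved is None:
                findings.append((scope, name, "dns-missing", f"{addr} has no DNS record"))
            elif resolved != ingress_ip:
                findings.append((scope, name, "dns-mismatch",
                                 f"{addr} resolves to {resolved}, ingress {ingress_if} is {ingress_ip}"))

    for name, settings in ifaces.items():
        check("interface", name, settings, "auth-portal-addr", name)
    for name, settings in cfg.get("firewall policy", {}).items():
        check("policy", name, settings, "auth-redirect-addr", settings.get("srcintf", [None])[0])
    return findings


if __name__ == "__main__":
    for scope, name, code, detail in audit_portals(SAMPLE_CONFIG, SAMPLE_DNS):
        print(f"{scope} {name}: [{code}] {detail}")
```

On the sample this reports vlan100 for using an IP as auth-portal-addr, and policy 11 both for the missing auth-cert and because portal.example.com resolves to vlan200's address while policy 11's ingress is vlan100. Policy 10 passes. The script only covers the plain-HTTP redirect and the /remote/saml/... URLs; it cannot tell you anything about HTTPS probes, which, as the answer says, no portal configuration can redirect without SSL inspection.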


11 REPLIES
Binaire

Good morning,
I followed the complete explanation of "Outbound firewall authentication with Azure AD as a SAML IdP"
but I changed the address ":1000/saml/metadata/"
So without the "REMOTE"

Now I'm trying to do what's necessary to get a certificate.

Thank you so much

qasimbashir6242
New Contributor III

Hey there,

No worries about the English; technology transcends language barriers, right?

To answer your question, yes, it should be technically possible to set up both an SSL VPN and a captive portal on a VLAN, each using Azure SAML SSO for authentication. You can absolutely specify different Azure groups for authentication on each service, provided that your Fortigate 100F supports it, which it should on that firmware version.

One thing to keep in mind: while the setup should be possible, it could get a bit complex, especially when dealing with different Azure groups and ensuring that each works as intended with its corresponding service. Testing this out thoroughly would be crucial to make sure everything is smooth sailing.

I'd recommend taking a phased approach, maybe setting up one service first, verifying that it works, and then moving on to the next. That way, if anything goes wrong, it'll be easier to pinpoint where the issue lies.

Hope this helps! Would be great to hear how it goes if you decide to implement this.

Best,
Ahmad
