- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: SAML SSO VPN and VLAN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SAML SSO VPN and VLAN
Hello,
sorry for my english, i use google trad
Is it possible to have a SSL VPN with Azure SAML SSO authentication and at the same time a captive portal on a VLAN with Azure SAML SSO authentication ?
With 2 different Azure groups for authentication.
material: Fortigate 100F
Firmware: v7.0.12 build0523 (Mature)
Best regards,
Solved! Go to Solution.
1 Solution
Created on 09-11-2023 05:21 AM Edited on 09-11-2023 05:23 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I take it the correct URL pattern ended up being /remote/saml/..., is that right?
Some parts of the documentation seem to contradict each other here, unfortunately.
With regards to the certificate, right now this will default to using an IP for the ...:1003... URLs, for which you certainly won't be able to get a public certificate. You can customize the URL to use a specific FQDN/domain, for which you should be able to buy/obtain a certificate.
If this portal is set per-policy, the options are:
config firewall policy
edit <policy id>
set auth-cert <matching certificate for the FQDN>
set auth-redirect-addr <which FQDN to use>
end
If this configured on interface-level:
config system interface
edit <interface-with-portal>
set auth-cert <matching certificate for the FQDN>
set auth-portal-addr <which FQDN to use>
end
Don't forget to make sure that you have a DNS record configured for this FQDN, and that your clients can resolve it correctly. (it should point to the IP of the ingress/source interface)
Lastly, I'll add that this is applicable to redirects from plain HTTP (clients typically probe for portals with HTTP requests), and for loading the /remote/saml/... URLs.
Redirecting from HTTPS to a portal are impossible to do without MITM/deep SSL inspection, which would require importing your own CA to all relevant clients.
[ corrections always welcome ]
- « Previous
-
- 1
- 2
- Next »
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning,
I followed the complete explanation of "Outbound firewall authentication with Azure AD as a SAML IdP"
but I changed the address ":1000/saml/metadata/"
So without the "REMOTE"
Now I'm trying to do what's necessary to get a certificate.
Thank you so much
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey there,
No worries about the English; technology transcends language barriers, right?
To answer your question, yes, it should be technically possible to set up both an SSL VPN and a captive portal on a VLAN, each using Azure SAML SSO for authentication. You can absolutely specify different Azure groups for authentication on each service, provided that your Fortigate 100F supports it, which it should on that firmware version.
One thing to keep in mind: while the setup should be possible, it could get a bit complex, especially when dealing with different Azure groups and ensuring that each works as intended with its corresponding service. Testing this out thoroughly would be crucial to make sure everything is smooth sailing.
I'd recommend taking a phased approach, maybe setting up one service first, verifying that it works, and then moving on to the next. That way, if anything goes wrong, it'll be easier to pinpoint where the issue lies.
Hope this helps! Would be great to hear how it goes if you decide to implement this.
Best,
Ahmad
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Connect new FortiSwitches to Fortigate through... 5 Views
- GRE tunnel issues getting to websites 21 Views
- Mac devices are not passing information... 61 Views
- Problems with SSL-VPN Certificate 170 Views
- Fortinet F80 and Cisco RV340 180 Views
Labels
-
FortiGate
7,203 -
FortiClient
1,422 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
461 -
6.0
416 -
FortiAP
377 -
FortiSwitch
376 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
177 -
FortiNAC
129 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
109 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiExtender
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
FortiSandbox
34 -
FortiSwitch v6.4
32 -
High Availability
32 -
VLAN
31 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
FortiConverter
23 -
LDAP
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
Interface
19 -
FortiPortal
18 -
Routing
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiLink
16 -
FortiMonitor
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
NAT
14 -
FortiDDoS
14 -
Logging
14 -
RADIUS
13 -
SSL SSH inspection
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Virtual IP
11 -
Application control
11 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
OSPF
9 -
WAN optimization
9 -
4.0MR2
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
IP address management - IPAM
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Security profile
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Fortinet Engage Partner Program
4 -
FortiPAM
4 -
FortiCarrier
4 -
3.6
4 -
FortiTester
4 -
FortiScan
4 -
DLP sensor
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
DoS policy
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
FortiHypervisor
2 -
Authentication rule and scheme
2 -
VoIP profile
2 -
Explicit proxy
2 -
Internet Service Database
2 -
4.0MR1
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Zone
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1078 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.