Hello,
sorry for my english, i use google trad
Is it possible to have a SSL VPN with Azure SAML SSO authentication and at the same time a captive portal on a VLAN with Azure SAML SSO authentication ?
With 2 different Azure groups for authentication.
material: Fortigate 100F
Firmware: v7.0.12 build0523 (Mature)
Best regards,
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 09-11-2023 05:21 AM Edited on 09-11-2023 05:23 AM
So I take it the correct URL pattern ended up being /remote/saml/..., is that right?
Some parts of the documentation seem to contradict each other here, unfortunately.
With regards to the certificate, right now this will default to using an IP for the ...:1003... URLs, for which you certainly won't be able to get a public certificate. You can customize the URL to use a specific FQDN/domain, for which you should be able to buy/obtain a certificate.
If this portal is set per-policy, the options are:
config firewall policy
edit <policy id>
set auth-cert <matching certificate for the FQDN>
set auth-redirect-addr <which FQDN to use>
end
If this configured on interface-level:
config system interface
edit <interface-with-portal>
set auth-cert <matching certificate for the FQDN>
set auth-portal-addr <which FQDN to use>
end
Don't forget to make sure that you have a DNS record configured for this FQDN, and that your clients can resolve it correctly. (it should point to the IP of the ingress/source interface)
Lastly, I'll add that this is applicable to redirects from plain HTTP (clients typically probe for portals with HTTP requests), and for loading the /remote/saml/... URLs.
Redirecting from HTTPS to a portal are impossible to do without MITM/deep SSL inspection, which would require importing your own CA to all relevant clients.
Good morning,
I followed the complete explanation of "Outbound firewall authentication with Azure AD as a SAML IdP"
but I changed the address ":1000/saml/metadata/"
So without the "REMOTE"
Now I'm trying to do what's necessary to get a certificate.
Thank you so much
Hey there,
No worries about the English; technology transcends language barriers, right?
To answer your question, yes, it should be technically possible to set up both an SSL VPN and a captive portal on a VLAN, each using Azure SAML SSO for authentication. You can absolutely specify different Azure groups for authentication on each service, provided that your Fortigate 100F supports it, which it should on that firmware version.
One thing to keep in mind: while the setup should be possible, it could get a bit complex, especially when dealing with different Azure groups and ensuring that each works as intended with its corresponding service. Testing this out thoroughly would be crucial to make sure everything is smooth sailing.
I'd recommend taking a phased approach, maybe setting up one service first, verifying that it works, and then moving on to the next. That way, if anything goes wrong, it'll be easier to pinpoint where the issue lies.
Hope this helps! Would be great to hear how it goes if you decide to implement this.
Best,
Ahmad
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1558 | |
1033 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.