Support Forum
simonorch
Contributor

SAML with anything other than Windows and Azure?

We're doing an increasing number of SAML-based VPN deployments, and Windows + Azure works well. However, we are struggling with other combinations, for example:

macOS + Google Workspace

Windows + Google Workspace varies; we see that for both Mac and Windows users they are authenticated, but the VPN tunnel is not initiated.

Chromebooks + Azure

This is using FortiOS 6.4.7 and FCT 7.0.1 or 7.0.2.

What are other peoples experiences?

NSE8 Fortinet Expert partner - Norway
xsilver_FTNT
Staff

Hi simonorch,

Some time ago I played a bit and made SAML work on FortiAuthenticator as SP with Okta as IdP.
I guess you found out that https://docs.fortinet.com does have some SAML-related material.
FOS https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/736845/saml
FAC https://docs.fortinet.com/document/fortiauthenticator/6.4.3/administration-guide

contains SAML in both Authentication and SSO.
More targeted guides are in the FAC Cookbook, and SAML is here https://docs.fortinet.com/document/fortiauthenticator/6.4.0/cookbook/362779/saml-authentication
With Azure (including O365), Okta, Google and more.

But my experience is that those guides are hard to maintain, mainly because all those 3rd-party elements keep changing. And it does not matter whether you do SAML or social logons with Facebook/Twitter etc.; both keep changing a lot.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

bpozdena_FTNT

FortiGate SSL VPN naturally also works with Google Workspace as IdP. The FortiGate configuration will be the same as for any other IdP.

Google Workspace is a little specific in that they have used departments instead of user groups. Below is a sample of a working config from the lab.

[two screenshots of the lab configuration, not reproduced here]

 

You can also test Google's beta version of group membership.  

 

My recommendation is to first ensure that SAML authentication works in web-mode SSL VPN. Only then focus on issues with specific versions of FortiClient or client OS.

 

You might want to open a support ticket for help with further debugging of SSLVPN/SAML/FortiClient. 

HTH,
Boris
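A worked example of the FortiGate side of the setup Boris describes (Google Workspace as IdP, department used as the group attribute), added here for readers of the thread; it is not the lab configuration from the post above or configuration taken from Fortinet's documentation. The hostname vpn.example.com, port 10443, the Google idpid value, the certificate names, the SAML object and group names, the attribute names "username" and "group", and the department value "Engineering" are all assumptions and must be replaced with your own values. The attribute names configured on the FortiGate have to match the attribute mapping you create for the SAML app in the Google Admin console (Primary email mapped to "username", Employee details > Department mapped to "group").

```text
# --- FortiOS CLI (6.4 / 7.0 syntax), assumed values throughout ---

# 1. SAML user object: the FortiGate acts as SP, Google Workspace as IdP.
config user saml
    edit "google-ws-saml"
        # SP-side URLs are derived from the SSL VPN listener (host:port assumed).
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:10443/remote/saml/login/"
        set single-logout-url "https://vpn.example.com:10443/remote/saml/logout/"
        # IdP values come from the Google Admin console SAML app; idpid is a placeholder.
        set idp-entity-id "https://accounts.google.com/o/saml2?idpid=C01abcdef"
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=C01abcdef"
        # Google's IdP signing certificate, imported as a remote certificate (name assumed).
        set idp-cert "REMOTE_Cert_1"
        # Attribute names must equal the app attribute names mapped in Google Admin.
        set user-name "username"
        set group-name "group"
        # Assumed: sha256 assertion digests; drop this line if your FortiOS rejects it.
        set digest-method sha256
    next
end

# 2. Firewall group matched on the value Google sends in the "group" attribute,
#    which here is the user's Department (Google has no user-group attribute).
config user group
    edit "vpn-saml-engineering"
        set member "google-ws-saml"
        config match
            edit 1
                set server-name "google-ws-saml"
                set group-name "Engineering"
            next
        end
    next
end

# 3. Portal with web mode enabled first, so SAML can be verified in the browser
#    before FortiClient and OS-specific behaviour is involved.
config vpn ssl web portal
    edit "saml-portal"
        set web-mode enable
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 4. Only users whose department mapped to the group reach the portal.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    config authentication-rule
        edit 1
            set groups "vpn-saml-engineering"
            set portal "saml-portal"
        next
    end
end
```

To follow the order of checks suggested in the reply, open https://vpn.example.com:10443/remote/login in a browser and complete the Google login; a user who authenticates but is denied access has usually arrived with no matching group, which means the "group" attribute value in the assertion did not equal the string in the match entry (department names are compared literally). Running `diagnose debug application samld -1` together with `diagnose debug enable` on the FortiGate shows the attribute names and values actually received from the IdP, which is the quickest way to spot a mismatch between the Google attribute mapping and the `set user-name` / `set group-name` values. Only after web mode works is it worth moving on to FortiClient and the client OS.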