I'm working with my DevOps team to create a VPN server, previously it has a dedicated public IP attached on the FortiGate and also we've configured SAML integration with Azure as IdP.
For security reason, my DevOps team decided to remove Public IP on the FortiGate and just put a load balancer ahead of FortiGate.
But what make us confuse is, how come the SSO authentication still working when the FortiGate Public IP that previously configured on the Azure SAML configuration is no longer used.
Do you have any idea? or the Azure SSO indeed can works with the devices behind NAT as long as the required parameters match
Hi there,
I hope I got this right.
If the same public IP/FQDN has been moved from FGT to LB, you still have the same public IP/FQDN in "config user saml", and LB is correctly configured to fw the saml auth request to the FGT, then this is expected to work.
Does this answer your question?
Azure doesn't talk directly back to the FortiGate, so the FortiGate doesn't even need to be publicly reachable for SAML to work.
However, the .../remote/saml/login URL must be reachable to the client attempting to connect to SSL-VPN, so that IP/FQDN (whichever you're using in the URL) by definition has to be functional if login works for you, at least from the connecting client's current location.
Maybe the old public IP is now owned by the load balancer (which naturally knows how to forward the relevant traffic to the FortiGate)? That would make the most sense to me personally.
Relatable.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1749 | |
1114 | |
765 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.