Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

SSO for SSL VPN Authentication with FortiGate behind NAT / without Public IP


Hi All,


I'm working with my DevOps team to create a VPN server, previously it has a dedicated public IP attached on the FortiGate and also we've configured SAML integration with Azure as IdP.

For security reason, my DevOps team decided to remove Public IP on the FortiGate and just put a load balancer ahead of FortiGate.


But what make us confuse is, how come the SSO authentication still working when the FortiGate Public IP that previously configured on the Azure SAML configuration is no longer used.

Do you have any idea? or the Azure SSO indeed can works with the devices behind NAT as long as the required parameters match



Hi there,


I hope I got this right.
If the same public IP/FQDN has been moved from FGT to LB, you still have the same public IP/FQDN in "config user saml", and LB is correctly configured to fw the saml auth request to the FGT, then this is expected to work.
Does this answer your question?


Azure doesn't talk directly back to the FortiGate, so the FortiGate doesn't even need to be publicly reachable for SAML to work.

However, the .../remote/saml/login URL must be reachable to the client attempting to connect to SSL-VPN, so that IP/FQDN (whichever you're using in the URL) by definition has to be functional if login works for you, at least from the connecting client's current location.


Maybe the old public IP is now owned by the load balancer (which naturally knows how to forward the relevant traffic to the FortiGate)? That would make the most sense to me personally.

[ corrections always welcome ]
New Contributor


Tarun Saini
Tarun Saini
Top Kudoed Authors