Maerre
Contributor

SAML SSO login with Azure AD to standby firewall fails

Hello,

 

I configured SAML SSO login access to the FortiGate following this guide:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-FortiGate/t...

My environment consists of a cluster of 2 firewalls in active-passive mode running 7.0.10.

The login is successful on the primary (active) device, but I am not able to log in via SSO to the standby unit.

The problem is that authentication works correctly on the IP address shared between the two firewalls (10.10.10.1), but when I try to log in with SSO on the address of the single standby firewall (for example 10.10.10.3), it fails to connect to that device because the SAML redirect address is 10.10.10.1, so it returns to the currently active router.
Can this be fixed (maybe by configuring two different SAML authentications on the 2 devices)?

Or is this a known limitation?


I didn't find any answer on the forum or on Google.
Thank you for your advice.

vsahu
Staff

Hello Maerre,

 

You can use the vdom-exception command to achieve this; VDOM mode does not need to be enabled to run this command.
The command is used for global configuration objects that can be configured independently across different HA peers, either for all VDOMs or for a defined VDOM scope.

 

> First, configure HA with a reserved management interface, so that the interface IP does not get synced:

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/313152/out-of-band-managemen...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-FortiGate-configurations-that-will-sync...

 

>> Then configure the VDOM exception for SAML; after that you should be able to configure separate SSO for each separate interface IP:

config system vdom-exception
    edit 1
        set object system.saml
    next
end


Regards,
Vishal
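The three steps above, written out as the complete per-node CLI configuration. This is an added example, not code from the thread or from a Fortinet document. It assumes a dedicated management port named mgmt, node addresses 10.10.10.2 (primary) and 10.10.10.3 (standby, the address used in the question), a gateway of 10.10.10.254, an Azure AD tenant placeholder <tenant-id>, the factory certificate Fortinet_Factory for the SP and an imported IdP certificate named REMOTE_Cert_1; the `config system saml` keywords follow the syntax of the guide linked in the first post. Run it on each unit over that unit's own management IP, substituting the node's address in the interface and SAML blocks.

```fortios
# Added example (not from the thread): per-node SAML SP configuration on
# an active-passive cluster. Shown for the standby unit (10.10.10.3); the
# primary uses 10.10.10.2 in the same places.
# Assumptions: port "mgmt", gateway 10.10.10.254, Azure tenant <tenant-id>,
# SP cert "Fortinet_Factory", IdP cert "REMOTE_Cert_1".

# 1. Reserve a management interface so its settings are not synced.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 10.10.10.254
        next
    end
end

# Per-node address on the reserved port (not synced after step 1).
# Keep allowaccess minimal: this port is reachable on the standby too.
config system interface
    edit "mgmt"
        set ip 10.10.10.3 255.255.255.0
        set allowaccess ping https ssh
    next
end

# 2. Exclude the SAML SP object from HA synchronisation.
config system vdom-exception
    edit 1
        set object system.saml
    next
end

# 3. SAML SP settings (not synced after step 2). entity-id and both SP
# URLs must carry THIS node's address; if they carry the shared address
# the IdP sends the browser back to 10.10.10.1, which is the failure
# described in the question. Each node's entity-id must be added as an
# Identifier (Entity ID) and each single-sign-on-url as a Reply URL on
# the Azure AD enterprise application.
config system saml
    set status enable
    set role service-provider
    set default-login-page sso
    set default-profile "super_admin"
    set cert "Fortinet_Factory"
    set entity-id "https://10.10.10.3/metadata/"
    set single-sign-on-url "https://10.10.10.3/saml/login/"
    set single-logout-url "https://10.10.10.3/saml/logout/"
    set idp-entity-id "https://sts.windows.net/<tenant-id>/"
    set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
    set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
    set idp-cert "REMOTE_Cert_1"
    set server-address "10.10.10.3"
end
```

Two caveats a practitioner should weigh. The vdom-exception makes `config system saml` a per-node object from then on, so any later change to the IdP settings (for example a rotated IdP signing certificate) has to be applied on both units, not just the primary. And `default-profile "super_admin"` grants full administrative rights to any identity the IdP asserts, so the Azure AD application should be assigned only to the intended admin group, or a more restricted profile should be set as the default.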
Maerre

Hello @vsahu,

In the end, do I still have to configure two separate SAML authentications, one per firewall, and two separate applications on Azure AD, or can I use the working SAML?

 

Thank you

vsahu

You can configure two different entity IDs in the same SAML application on the Azure side; it should work.

 

Regards,
Vishal
Maerre

Not sure you can configure 2 entity IDs on the same SAML on FortiGate, based on this picture (should I manually configure the active device first and then the standby?); maybe it is possible on the Azure AD side.

 

SAML.jpg
