Hello,
i configured the Saml sso login access to the Fortigate following the guide:
my envronment is made by a cluster of 2 firewalls in active-passive mode running 7.0.10.
The login is successful to the primary and active device but i'm not able to login via sso to the standby unit.
The problem encountered is that the authentication works correctly on the shared IP address between the two firewalls (10.10.10.1) but when trying to login with SSO on the address of the single standby fw (example on 10.10.10.3) it fails to connect to the device because the SAML redirect address is the 10.10.10.1 one and thus it returns to the currently active router.
Can it be fixed (maybe if i configure two different SAML authentications on the 2 devices)?
Ot this is a know limitation?
i didn't find any answer neither on the forum or google.
thank you for your advise
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Maerre,
You can use vdom-exception command to achieve this, Vdom mode not needed to be enabled to run this command.
The command is used for Global configuration objects that can be configured independently across different ha peers for all VDOMs or for the defined VDOM scope.
> First configure the HA with the reserve management interface, so Interface IP does not get sync
>> Then Configure the vdom exception for SAML after that you should be able to configure separate SSO, for separate interface IP
config system vdom-exception
edit 1
set object system.saml
end
Hello @vsahu,
at the end i still have to configure two separate SAML authentication per firewall, and two separate application on AZURE AD o i can use the working SAML?
thank you
You can configure two different entity IDs in the same SAML application on the Azure side it should work.
Created on 06-13-2023 06:16 AM Edited on 06-13-2023 06:32 AM
not sure you can configure 2 entity IDs on the same SAML on fortigate based on this picture (should i manually configure first the active device and then the standby?), maybe it possibile on azure ad side.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1680 | |
1086 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.