Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
s3
New Contributor

Separate authentication and authorization

We have a usecase where we would like to split authentication and authorization. So a user would login to VPN via SAML which would return their email/username. I would then like to lookup their groups from our local AD which would be used in firewall policies. 

I tried to do this using FSSO but it didn't detect the logins. Would this be possible via another method?

2 REPLIES 2
rbraha
Staff
Staff

Hi @s3 

Is there any FortiAuthenticator on your environment or you have only FGT in place.

Using FAC you may configure Saml with Azure and returning these events on FAC as FSSO and than FAC forwards these events to FGT and with FSSO groups that you can define in firewall policies,

https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/316341/saml-fsso-with-fortiauth...

 

In case using only FGT IDP will return username and group membership ,so the groups cannot be checked locally.

s3
New Contributor

Unfortunately we don't have FortiAuthenticator just the FGT.

Problem is our SAML provider doesn't provide all the user's groups unfortunately.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors