Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
s3
New Contributor

Created on ‎03-29-2024 01:02 AM

Separate authentication and authorization

We have a usecase where we would like to split authentication and authorization. So a user would login to VPN via SAML which would return their email/username. I would then like to lookup their groups from our local AD which would be used in firewall policies. 

I tried to do this using FSSO but it didn't detect the logins. Would this be possible via another method?

Labels:
559
0 Kudos
2 REPLIES 2
rbraha
Staff
Staff

Created on ‎03-29-2024 04:45 AM

Hi @s3 

Is there any FortiAuthenticator on your environment or you have only FGT in place.

Using FAC you may configure Saml with Azure and returning these events on FAC as FSSO and than FAC forwards these events to FGT and with FSSO groups that you can define in firewall policies,

https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/316341/saml-fsso-with-fortiauth...

 

In case using only FGT IDP will return username and group membership ,so the groups cannot be checked locally.

529
s3
New Contributor
In response to rbraha

Created on ‎04-01-2024 06:11 AM

Unfortunately we don't have FortiAuthenticator just the FGT.

Problem is our SAML provider doesn't provide all the user's groups unfortunately.

461
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.