Hi,
previously I had fortiauthenticator which was used to manage the SSO part, currently instead it has been decommissioned and Azure AD has been implemented to do the same tasks.
I have some doubts and issues that I cannot resolve.
it seems that it is not possible to census the individual user but it is necessary to put them in a specific group on the azure AD side in order to manage sso?
in this case i am wondering if it is possible to have a timeout for SSO disconnection. .
For example, if the computer is used by multiple people and therefore the OS has multiple user profiles how does this work?
If another user logs in from another profile is a second SSO authentication requested or does the session of another previously logged in user remain active (since the association is IP based only)?
Regarding the captive portal for SSO authentication: is it possible to use the same endpoint to log in with SSO from different subnets/interfaces?
This is to avoid having to create for each subnet an app on dedicated azuread with then an SSO object and SSO group for each.
i'm running 7.0.10
Thanks
I couldn't find anything that could clarify these doubts.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @akanibek ,
yes, i'm using Azure SAML for both SSL-VPN authentication and for passive user authentication (SSO).
Regarding first question ok, now it's clear.
Regarding the second question, I realized that I didn't write it correctly and it was a little bit confusing, i was talking about sso timeout for local users and not ssl-vpn users, in this case i solved using the following commands and changing their default timeout:
auth-timeout
auth-timeout-type
Regarding the third question, yes, i have a captive portal configured on two different interfaces and to avoid the warning certificate and to correctly redirect all the users on the two different interfaces i followed these guides:
and they worked.
I really appreciated your commitment @akanibek , thank you man!
Hi,
I would like to clarify some details.
1) Decommissioned FAC was acting as FSSO CA on Fortigate, isn't it?
2) How has the Azure AD been added to Fortigate? Could you show to us the either GUI screenshot, or cli output.
Hello,
i followed this guide:
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial
(at the moment i don't have access to the FW).
thank you
Then,
you are using Azure SAML for SSL-VPN authentication, isn't it? Or you want to use Azure SAML authentication for passive user authentication?
Below, you will find the answers to your questions:
Q: It seems that it is not possible to census the individual user but it is necessary to put them in a specific group on the azure AD side in order to manage sso?
A: Yes, it is possible to adjust only user groups for SAML.
Q: In this case, i am wondering if it is possible to have a timeout for SSO disconnection. .
For example, if the computer is used by multiple people and therefore the OS has multiple user profiles how does this work?
A: I can not imagine such kind of usage. Could you clarfiy it again. How it is possible in case of SSL-VPN connection?
Q: If another user logs in from another profile is a second SSO authentication requested or does the session of another previously logged in user remain active (since the association is IP based only)?
Regarding the captive portal for SSO authentication: is it possible to use the same endpoint to log in with SSO from different subnets/interfaces?
This is to avoid having to create for each subnet an app on dedicated azuread with then an SSO object and SSO group for each.
A: Your questions seem to have a relation to passive authentication, isn't it?
Hello @akanibek ,
yes, i'm using Azure SAML for both SSL-VPN authentication and for passive user authentication (SSO).
Regarding first question ok, now it's clear.
Regarding the second question, I realized that I didn't write it correctly and it was a little bit confusing, i was talking about sso timeout for local users and not ssl-vpn users, in this case i solved using the following commands and changing their default timeout:
auth-timeout
auth-timeout-type
Regarding the third question, yes, i have a captive portal configured on two different interfaces and to avoid the warning certificate and to correctly redirect all the users on the two different interfaces i followed these guides:
and they worked.
I really appreciated your commitment @akanibek , thank you man!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.