Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Maerre
New Contributor III

Set SSO session/timeout timers while using Azure AD on fortigate

Hi,

previously I had fortiauthenticator which was used to manage the SSO part, currently instead it has been decommissioned and Azure AD has been implemented to do the same tasks.
I have some doubts and issues that I cannot resolve.

it seems that it is not possible to census the individual user but it is necessary to put them in a specific group on the azure AD side in order to manage sso?
in this case i am wondering if it is possible to have a timeout for SSO disconnection. .
For example, if the computer is used by multiple people and therefore the OS has multiple user profiles how does this work?
If another user logs in from another profile is a second SSO authentication requested or does the session of another previously logged in user remain active (since the association is IP based only)?

Regarding the captive portal for SSO authentication: is it possible to use the same endpoint to log in with SSO from different subnets/interfaces?
This is to avoid having to create for each subnet an app on dedicated azuread with then an SSO object and SSO group for each.

 

i'm running 7.0.10

Thanks
I couldn't find anything that could clarify these doubts.

1 Solution
Maerre
New Contributor III

Hello @akanibek ,

 

yes, i'm using Azure SAML for both SSL-VPN authentication and for passive user authentication (SSO).

 

Regarding first question ok, now it's clear.

 

Regarding the second question, I realized that I didn't write it correctly and it was a little bit confusing, i was talking about sso timeout for local users and not ssl-vpn users, in this case i  solved using the following commands and changing their default timeout:

  • auth-timeout

  •  

    auth-timeout-type

Regarding the third question, yes, i have a captive portal configured on two different interfaces and to avoid the warning certificate and to correctly redirect all the users on the two different interfaces i followed these guides:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-configured-with-multiple-captive...

 

https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/primary-geo-location#bkmk_sub...

and they worked.

 

I really appreciated your commitment @akanibek , thank you man!

 

 

 

View solution in original post

4 REPLIES 4
akanibek
Staff
Staff

Hi,

I would like to clarify some details.

1) Decommissioned FAC was acting as FSSO CA on Fortigate, isn't it? 

2) How has the Azure AD been added to Fortigate? Could you show to us the either GUI screenshot, or cli output.

 

Asset
Maerre
New Contributor III

Hello,

 

i followed this guide:

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial

 

(at the moment i don't have access to the FW).

 

thank you

akanibek
Staff
Staff

Then, 

you are using Azure SAML for SSL-VPN authentication, isn't it? Or you want to use Azure SAML authentication for passive user authentication? 

 

Below, you will find the answers to your questions:

Q: It seems that it is not possible to census the individual user but it is necessary to put them in a specific group on the azure AD side in order to manage sso?

A: Yes, it is possible to adjust only user groups for SAML. 

 

Q: In this case, i am wondering if it is possible to have a timeout for SSO disconnection. .
For example, if the computer is used by multiple people and therefore the OS has multiple user profiles how does this work?

A: I can not imagine such kind of usage. Could you clarfiy it again. How it is possible in case of SSL-VPN connection?

 

Q: If another user logs in from another profile is a second SSO authentication requested or does the session of another previously logged in user remain active (since the association is IP based only)?

Regarding the captive portal for SSO authentication: is it possible to use the same endpoint to log in with SSO from different subnets/interfaces?

This is to avoid having to create for each subnet an app on dedicated azuread with then an SSO object and SSO group for each.

 

A: Your questions seem to have a relation to passive authentication, isn't it?

 

Asset
Maerre
New Contributor III

Hello @akanibek ,

 

yes, i'm using Azure SAML for both SSL-VPN authentication and for passive user authentication (SSO).

 

Regarding first question ok, now it's clear.

 

Regarding the second question, I realized that I didn't write it correctly and it was a little bit confusing, i was talking about sso timeout for local users and not ssl-vpn users, in this case i  solved using the following commands and changing their default timeout:

  • auth-timeout

  •  

    auth-timeout-type

Regarding the third question, yes, i have a captive portal configured on two different interfaces and to avoid the warning certificate and to correctly redirect all the users on the two different interfaces i followed these guides:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-configured-with-multiple-captive...

 

https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/primary-geo-location#bkmk_sub...

and they worked.

 

I really appreciated your commitment @akanibek , thank you man!

 

 

 

Labels
Top Kudoed Authors