- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Set SSO session/timeout timers while using Azure A...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Set SSO session/timeout timers while using Azure AD on fortigate
Hi,
previously I had fortiauthenticator which was used to manage the SSO part, currently instead it has been decommissioned and Azure AD has been implemented to do the same tasks.
I have some doubts and issues that I cannot resolve.
it seems that it is not possible to census the individual user but it is necessary to put them in a specific group on the azure AD side in order to manage sso?
in this case i am wondering if it is possible to have a timeout for SSO disconnection. .
For example, if the computer is used by multiple people and therefore the OS has multiple user profiles how does this work?
If another user logs in from another profile is a second SSO authentication requested or does the session of another previously logged in user remain active (since the association is IP based only)?
Regarding the captive portal for SSO authentication: is it possible to use the same endpoint to log in with SSO from different subnets/interfaces?
This is to avoid having to create for each subnet an app on dedicated azuread with then an SSO object and SSO group for each.
i'm running 7.0.10
Thanks
I couldn't find anything that could clarify these doubts.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiAuthenticator v5.5
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @akanibek ,
yes, i'm using Azure SAML for both SSL-VPN authentication and for passive user authentication (SSO).
Regarding first question ok, now it's clear.
Regarding the second question, I realized that I didn't write it correctly and it was a little bit confusing, i was talking about sso timeout for local users and not ssl-vpn users, in this case i solved using the following commands and changing their default timeout:
auth-timeout
auth-timeout-type
Regarding the third question, yes, i have a captive portal configured on two different interfaces and to avoid the warning certificate and to correctly redirect all the users on the two different interfaces i followed these guides:
and they worked.
I really appreciated your commitment @akanibek , thank you man!
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would like to clarify some details.
1) Decommissioned FAC was acting as FSSO CA on Fortigate, isn't it?
2) How has the Azure AD been added to Fortigate? Could you show to us the either GUI screenshot, or cli output.
Asset
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
i followed this guide:
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial
(at the moment i don't have access to the FW).
thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then,
you are using Azure SAML for SSL-VPN authentication, isn't it? Or you want to use Azure SAML authentication for passive user authentication?
Below, you will find the answers to your questions:
Q: It seems that it is not possible to census the individual user but it is necessary to put them in a specific group on the azure AD side in order to manage sso?
A: Yes, it is possible to adjust only user groups for SAML.
Q: In this case, i am wondering if it is possible to have a timeout for SSO disconnection. .
For example, if the computer is used by multiple people and therefore the OS has multiple user profiles how does this work?
A: I can not imagine such kind of usage. Could you clarfiy it again. How it is possible in case of SSL-VPN connection?
Q: If another user logs in from another profile is a second SSO authentication requested or does the session of another previously logged in user remain active (since the association is IP based only)?
Regarding the captive portal for SSO authentication: is it possible to use the same endpoint to log in with SSO from different subnets/interfaces?
This is to avoid having to create for each subnet an app on dedicated azuread with then an SSO object and SSO group for each.
A: Your questions seem to have a relation to passive authentication, isn't it?
Asset
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @akanibek ,
yes, i'm using Azure SAML for both SSL-VPN authentication and for passive user authentication (SSO).
Regarding first question ok, now it's clear.
Regarding the second question, I realized that I didn't write it correctly and it was a little bit confusing, i was talking about sso timeout for local users and not ssl-vpn users, in this case i solved using the following commands and changing their default timeout:
auth-timeout
auth-timeout-type
Regarding the third question, yes, i have a captive portal configured on two different interfaces and to avoid the warning certificate and to correctly redirect all the users on the two different interfaces i followed these guides:
and they worked.
I really appreciated your commitment @akanibek , thank you man!
Related Posts
- AP-Fail 1219 Views
- VRRP failover delay 686 Views
- SSL-VPN AzureAD MFA sign in timer 4868 Views
- Wireless AP stops authenticating clients 2418 Views
Labels
-
FortiGate
6,531 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.