Setting up FortiGate Web Authentication and SAML as IdP
Hi,
I am trying to set up FortiGate Web Authentication with SAML as IdP, but I am having issues. I am following this guide: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/33053
I have set it up, but the authentication portal is not kicking in. I have seen that on the FortiGate, under the interface settings, you can enable the Security Mode "Captive Portal"; does this need enabling, as it is not mentioned in the guide?
Overview of what I have done.
1. Created an Enterprise App in Entra ID.
2. Created a group in Entra ID, added users, and assigned it to the App.
3. Created a Single Sign-on on the FortiGate pointing to the Enterprise App.
4. Created a group on the FortiGate and set the Remote Server to the FortiGate Single Sign-on and the Enterprise App group ID.
5. Created a firewall rule to allow traffic out and added the FortiGate group created in step 4.
6. Created a firewall rule to allow traffic in.
When I test from a client PC or the Enterprise App, I get "This site can't be reached."
I feel as if port 1003 is not enabled or working. Do I need to allow this port, or is there another step to enable the Captive Portal?
Labels: FortiGate
Hello julianhaines,
First of all, you do not need a rule to allow traffic in for SAML authentication.
Please run a SAML debug on the FortiGate to see if you get any output.
Also, please enable captive portal with IP 0.0.0.0 under authentication settings and try that way.
Hello,
You can use the following KB article to capture traffic:
You can sniff with the port number in question, e.g.:
diag sniff pack any "host x.x.x.x and port 1003" 4 0 l
(where x.x.x.x is the destination or source IP in question), or you can just sniff with the port number, like:
diag sniff pack any "port 1003" 4 0 l
Also a KB article:
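As an added example (not from this thread or from Fortinet): a small Python parser for the verbosity-4 output of the sniffer command above. It reports client connection attempts to the captive-portal port (1003 by default) that the FortiGate never answered with a SYN-ACK, which is the quickest way to tell "portal not listening" apart from "client never reaches the FortiGate". The sample lines are constructed, and the line layout (timestamp, interface, direction, src.port -> dst.port: flags) is assumed.

```python
import re
from collections import defaultdict

# Constructed sample of 'diag sniff pack any "port 1003" 4 0 l' output.
# Client .50 completes a handshake; client .51 retransmits SYNs with no reply.
SAMPLE = """\
interfaces=[any]
filters=[port 1003]
0.611285 port2 in 192.168.10.50.52144 -> 192.168.10.1.1003: syn 2140589563
0.611402 port2 out 192.168.10.1.1003 -> 192.168.10.50.52144: syn 3391204881 ack 2140589564
0.612020 port2 in 192.168.10.50.52144 -> 192.168.10.1.1003: ack 3391204882
3.104771 port2 in 192.168.10.51.49320 -> 192.168.10.1.1003: syn 1189834222
4.105091 port2 in 192.168.10.51.49320 -> 192.168.10.1.1003: syn 1189834222
6.106400 port2 in 192.168.10.51.49320 -> 192.168.10.1.1003: syn 1189834222
"""

# Assumed verbosity-4 line shape; header lines (interfaces=, filters=) do not match.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)


def parse_sniffer(text):
    """Yield one dict per packet line; non-packet lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def unanswered_syns(text, portal_port=1003):
    """Map (client_ip, client_port) -> number of SYNs sent to the portal port
    for which no SYN-ACK from the portal port was ever seen."""
    syns = defaultdict(int)
    answered = set()
    for p in parse_sniffer(text):
        flags = p["flags"].split()
        if p["dport"] == str(portal_port) and flags[0] == "syn" and "ack" not in flags:
            syns[(p["src"], p["sport"])] += 1          # client -> portal SYN
        elif p["sport"] == str(portal_port) and flags[0] == "syn" and "ack" in flags:
            answered.add((p["dst"], p["dport"]))       # portal -> client SYN-ACK
    return {k: v for k, v in syns.items() if k not in answered}


if __name__ == "__main__":
    for (ip, port), n in unanswered_syns(SAMPLE).items():
        print(f"{ip}:{port} sent {n} SYN(s) to port 1003 with no SYN-ACK back")
```

A client that shows up here reached the FortiGate but got no answer, so the captive portal is not enabled on that interface; a client that never shows up at all is not reaching the FortiGate in the first place.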