Support Forum
ac1
Contributor

Shared Policy Package: how to handle remote certificate and user SAML?

Dear all,

I've recently imported three FortiGate v7.2.1 devices into a dedicated ADOM on FortiManager v7.2.1.

I followed this KB: Technical Tip: Adding FortiGates to shared Policy ... - Fortinet Community


FortiGate 1 is the member I started from to make the policy package.

Everything works fine, but when I try to deploy a new policy, FortiManager reports an error on FortiGate 2 and 3:


FortiGate 2

Post vdom failed:
error :131 - datasrc invalid. object: user saml.ssl-azure-saml:idp-cert. detail: REMOTE_Cert_3. solution: data not exist


FortiGate 3

Post vdom failed:
error :131 - datasrc invalid. object: user saml.ssl-azure-saml:idp-cert. detail: Remote_Cert_4. solution: data not exist


It seems the Remote Certificate associated with the SAML user does not exist, but I can see this certificate on the FortiGate and in the device DB on FortiManager.

Unfortunately, I noticed that it is not possible to create a dynamic object for this Remote Certificate object.

I also noticed that the SAML user configuration of FortiGate 2 and 3 was overwritten at the first synchronization of the policies. I had to reconfigure the related settings from the FortiManager CLI to restore SSL VPN authentication.

How should I manage the Remote Certificate and the SAML user configuration if I have a shared policy package within the same ADOM?
What other actions can I take to investigate the problem further?


Thanks,

ac1

1 Solution
ac1
Contributor

I solved by importing the certificates on FortiManager using the setting for "Per-Device" so as to obtain 3 different configurations for each device related to the SAML user.


4 Replies
Anthony_E
Community Manager

Hello ac1,


Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello ac1,


Could you please have a look at this document?:

https://docs.fortinet.com/document/fortimanager/6.2.1/administration-guide/981386/saml-admin-authent...


Regards,

Anthony-Fortinet Community Team.
Markus_M
Staff

Hi ac1,


You can try to import the certificate via the FortiManager CLI and give it a distinct name, i.e. not REMOTE_CERT_1 or whatever the default is, but something like "SAML_Remote_Cert". Writing and even overwriting should work.

If there is a problem finding that number (_3 etc.), check the command set on the FortiGate directly:

config user saml
    edit saml_server_name
        set idp-cert ?

(The question mark shows the available datasource entries.)


Best regards,


Markus

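The per-device approach from the accepted solution, modelled as an added example (my code, not FortiManager's API or any poster's): a pre-install check that resolves the idp-cert name each device will receive and confirms that name exists in that device's DB, reporting any miss in the same form as the "datasrc invalid" error above. The data model, device names and certificate names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model (added example, not FortiManager's own API or data): each device's
# device DB lists the names it holds under "vpn certificate remote"; the SAML server
# object in the shared policy package references one of those names via idp-cert.

@dataclass
class Device:
    name: str
    remote_certs: set[str]            # remote certificate names present in this device's DB

@dataclass
class SamlServer:
    name: str                         # e.g. "ssl-azure-saml"
    idp_cert: str                     # value used when no per-device mapping exists
    per_device: dict[str, str] = field(default_factory=dict)  # device name -> certificate name

def resolve_idp_cert(server: SamlServer, device: Device) -> str:
    """A per-device mapping wins; otherwise the shared value from the package applies."""
    return server.per_device.get(device.name, server.idp_cert)

def check_install(server: SamlServer, devices: list[Device]) -> list[str]:
    """Pre-install check: report every device whose resolved idp-cert is not in its own
    device DB, worded like the error FortiManager raises at install time."""
    errors = []
    for dev in devices:
        cert = resolve_idp_cert(server, dev)
        if cert not in dev.remote_certs:
            errors.append(
                f"{dev.name}: error :131 - datasrc invalid. object: user saml.{server.name}:idp-cert. "
                f"detail: {cert}. solution: data not exist"
            )
    return errors

# Constructed sample: the package was built from FortiGate-1, where the IdP certificate was
# imported as REMOTE_Cert_3; the other two devices hold the same certificate under other names.
DEVICES = [
    Device("FortiGate-1", {"REMOTE_Cert_3"}),
    Device("FortiGate-2", {"REMOTE_Cert_2"}),
    Device("FortiGate-3", {"Remote_Cert_4"}),
]
SHARED = SamlServer("ssl-azure-saml", "REMOTE_Cert_3")
PER_DEVICE = SamlServer("ssl-azure-saml", "REMOTE_Cert_3",
                        {"FortiGate-2": "REMOTE_Cert_2", "FortiGate-3": "Remote_Cert_4"})

if __name__ == "__main__":
    for e in check_install(SHARED, DEVICES):       # two errors: FortiGate-2 and FortiGate-3
        print(e)
    print("per-device errors:", check_install(PER_DEVICE, DEVICES))   # []
```

Against real devices the certificate lists would come from each device's DB and the mapping from the per-device object settings; the check itself stays the same.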