Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- Lacework
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Updated Google iDP SAML Fortigate Captive Portal S...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated Google iDP SAML Fortigate Captive Portal Setup Instrictions @agrakov
@agrakov Do you have clearer pictures for this article you created?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Wi-Fi-configuration-with-Google-...
I cannot see the pictures properly for the settings. As well, do you have an updated article, that allows one to do this via the GUI since 7.XX.XX allows this to be done from the GUI? Since it's all command line I'm having trouble visualizing where some of the settings go. Any Help would be greatly appreciated. I would also need to modify it for my needs. Here are my needs:
1. Instead of only SSID Interface facing users, I would like ALL Internal Interface users to be forwarded to the Google Saml iDP as the captive portal for sign in. So the captive portal would be turned on, on the internal interface
2. There would be 2 Google groups, students and staff, when staff authenticate they would be assigned a specific Secuirty profile for filtering, when Student log in they would get their own more strict Secuirty profile filter
3. Certain servers/services would have the option to completely BYPASS the captive portal and have the full access to the internet or access they need (Captive portal does not apply to them)
Any help would be greatly appreciated.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would recommend checking these article and document links
Amritpal Singh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, I have it working 90%, and I switched it to a Pure Google SAML iDP setup instead of Azure. I also made my internal LAN port the Captive portal INSTEAD of the wireless-facing interface. That ALL went well, but I am still having a weird issue. I am having the same issue with the Google SAML iDP setup as I did with the Azure SAML setup. I thought it was an Azure SAML issue, but turns out it was not. Allow me to explain because maybe you have some ideas that can help me.
Once I set everything up, including the rules for the Groups and the bypass rule for Google DNS, web and Oauth, NO MATTER what site I go to, I have a certificate error on any website. This is NOT the certificate error that is related to the portal, as far as I can tell. The reason I say this is that I have an Internal DNS record set up for the Captive portal forwarding that is happening with SAML, and I am using a wildcard certificate. Basically, I have an internal DNS record that matches the SAN of the wildcard Certificate, As an example:
filter.mysystem.school A IPAddressOfInternalInterface (Captive portal DNS Record) [Not my real full DNS record for security reasons, but premise is the same]
Before I turn the captive portal on, this record has been tested, and it matches the wildcard certificate perfectly with NO complaints. it matches the SAN on the wildcard certificate, and it says everything is secure with NO warning messages from the browser (See screenshot). As soon as I turn on the Captive portal, EVERY website visited from the browser becomes insecure, and I can't bypass it. As far as I can tell, SAML is working, as it is trying to visit the sites, but EVERYTHING is marked as insecure even though the Certificate for the DNS records has been tested and is working. I am unsure as to why this is, since in my mind all my t's and i's seem to be crossed and dotted. This happened weather it was an Azure SAML or Pure Google SAML setup (We sync to both). In my mind, with the settings I have, the Google Login Oauth screen *should* become the captive portal. SAML should look at the DNS forwarder, for authentication, and immedatly forward to the Google Login screen if the user is NOT authenticated. If the user is authenticarted with google already and is a part of an Approved group, then the user should hit the Rule for that group on the fortigate and they the policy serttings and should surf at that point. But instead, I cam getting the insecure errors, even wioth the Matched SAN that was tested as working. Any ideas?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
7,824 -
FortiClient
1,557 -
5.2
801 -
FortiManager
659 -
5.4
639 -
FortiAnalyzer
502 -
6.0
416 -
FortiAP
408 -
FortiSwitch
405 -
5.6
362 -
FortiClient EMS
349 -
FortiMail
295 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
187 -
SSL-VPN
158 -
FortiNAC
152 -
IPsec
141 -
6.4
128 -
FortiGuard
124 -
FortiGateCloud
98 -
FortiCloud Products
93 -
FortiSIEM
92 -
FortiToken
84 -
SD-WAN
79 -
Customer Service
74 -
Wireless Controller
71 -
4.0MR3
64 -
FortiAuthenticator
57 -
FortiProxy
52 -
Firewall policy
51 -
FortiEDR
49 -
FortiADC
49 -
Fortivoice
46 -
FortiDNS
41 -
High Availability
40 -
FortiExtender
39 -
VLAN
39 -
FortiSandbox
38 -
FortiGate v5.4
35 -
ZTNA
35 -
FortiSwitch v6.4
33 -
LDAP
33 -
DNS
32 -
Routing
30 -
Interface
29 -
BGP
29 -
Certificate
29 -
SAML
27 -
NAT
26 -
FortiConnect
25 -
FortiWAN
24 -
Authentication
24 -
FortiGate v5.2
23 -
RADIUS
23 -
SSO
23 -
FortiConverter
22 -
FortiLink
21 -
VDOM
20 -
Virtual IP
19 -
Web profile
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Logging
17 -
FortiMonitor
16 -
Traffic shaping
16 -
Fortigate Cloud
15 -
FortiDDoS
15 -
Application control
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
FortiCASB
12 -
OSPF
12 -
FortiManager v5.0
11 -
SSID
11 -
Static route
11 -
Web application firewall profile
11 -
IP address management - IPAM
11 -
FortiRecorder
10 -
SNMP
10 -
Admin
10 -
WAN optimization
10 -
4.0MR2
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
FortiPAM
9 -
FortiAP profile
9 -
FortiGate v4.0 MR3
8 -
FortiManager v4.0
8 -
FortiBridge
8 -
Automation
8 -
System settings
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
RMA Information and Announcements
7 -
Traffic shaping policy
7 -
Proxy policy
7 -
FortiCarrier
6 -
FortiCache
6 -
trunk
6 -
Packet capture
6 -
IPS signature
6 -
Security profile
6 -
Intrusion prevention
6 -
DNS filter
5 -
Users
5 -
Port policy
5 -
3.6
4 -
FortiDeceptor
4 -
FortiToken Cloud
4 -
FortiScan
4 -
FortiDirector
4 -
FortiTester
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
DLP sensor
4 -
Email filter profile
4 -
Fabric connector
4 -
Web rating
4 -
Fortinet Engage Partner Program
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
Internet service database
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Netflow
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
FortiNDR
2 -
Application signature
2 -
Protocol option
2 -
Replacement messages
2 -
Schedule
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
API
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Authentication rule and scheme
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1 -
Cloud Management Security
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.