Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
esec
New Contributor III

Created on ‎10-12-2022 11:57 PM

Use SAML in firewall policies?

We are using SAML to Azure AD for Fortigate SSLVPN.

 

Tried using the same group for a firewall policy and we get redirected to our SAML SP, but that does a redirect back to the SSLVPN portal as configured "Sign on URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/login"

 

Anyone that have used SAML in firewall policies and in that case what signon/reply URLs are you using?

 

Thanks!

Labels:
2092
0 Kudos
6 REPLIES 6
scan888
Contributor

Created on ‎10-13-2022 12:04 AM

Hi @esec

 

What do you like to achive? 

 

Would you like to use SAML User Group for internal Policy (e.g. lan1 to wan1)? 

 

Usergroups for SSLVPN SAML works only with SSLVPN. The reason behind is the callback URL from SAML.

- Have you found a solution? Then give your helper a "Like" and mark the solution.
- Have you found a solution? Then give your helper a "Like" and mark the solution.
2084
0 Kudos
esec
New Contributor III

Created on ‎10-13-2022 12:09 AM

Hi,

 

We would like to use SAML User Group for internal policy.

 

My question is if it is possible and if it is, what reply/signon or callback URL that needs to be configured.

2082
0 Kudos
scan888
Contributor

Created on ‎10-13-2022 12:11 AM

Hi

 

You have to configure it als "Authentication Scheme" for explicit and transparent proxies.

 

Follow this documentation:

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/447498/saml-authentication-in-a-prox...

- Have you found a solution? Then give your helper a "Like" and mark the solution.
- Have you found a solution? Then give your helper a "Like" and mark the solution.
2077
0 Kudos
srajeswaran
Staff
Staff

Created on ‎10-13-2022 12:56 AM

Hi esec,

 

Can you try below format.


set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"

set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"

 

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
2075
0 Kudos
Markus_M
Staff
Staff

Created on ‎10-13-2022 01:23 AM

Hi esec,

 

I think this is actually the documentation you are looking for:

https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/219787/saml-sp-for-vpn-authe...

 

As Suraj pointed out, the links are not correct. remote/saml/.... is the correct format.

Since we see it often mistaken:

The SAML configuration will require a

 

set user-name "username"
set group "group"

This part says literally:

In the SAML response we found the username VALUE in the ATTRIBUTE called "username".

In the SAML response we found the group VALUE in the ATTRIBUTE called "group".

Whatever your IdP uses as Attribute for putting the user/group into - set it here appropriately.

 

Best regards,

 

Markus

2072
0 Kudos
esec
New Contributor III

Created on ‎10-13-2022 02:38 AM

Hi,

 

it seems like that /remote/saml is for SSLVPN and for firewall authentication /saml/login according to the documentation below, I will try to test it out :)

 

Administration Guide | FortiGate / FortiOS 6.4.2 | Fortinet Documentation Library

 

Best Regards

2061
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.