Using AD groups sent by SAML response from IDP to authorize users
Hi,
So, I have my own IDP I'm testing, and I'm wondering if the scenario below is possible with SSL-VPN on a FortiGate.
First of all, my IDP is independent of any IAM, so I can connect to AD, Okta, Entra, etc. to fetch and authenticate users. While querying for users I can also query which groups they are in. The response the IDP sends looks more or less like this:
{
  "result": true,
  "user": {
    "id": 96,
    "company_id": 14,
    "username": "qweqwe@qweqwe",
    "status": "active",
    "user_type": 0,
    "immutable_id": "NjhiMzI5ZGE5ODkzZTM0MDk5YzdkOGFkNWNiOWM5NDAK",
    "created_at": "2024-03-04T15:13:54.102Z",
    "updated_at": "2024-03-04T15:13:54.102Z",
    "email": "qweqwe@qweqwe",
    "additional_details": {
      "security_groups": [
        "Cert Publishers",
        "sf_administrators",
        "sf_helpdesk"
      ]
    },
    "is_webauthn_active": false,
    "webauthn_id": null
  }
}
There are three entries in "security_groups". Now I want the VPN to differentiate between the entries and apply the appropriate policies. For example, if the group sf_helpdesk is found, put the user on Network A, and if sf_other is found, put them on Network B.
Is that even a thing?
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello @bcieszewski ,
You can make this request come true. I think these two documents answer your question.
https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial
NSE 4-5-6-7 OT Sec - ENT FW
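As an added example (not part of this thread, and not Fortinet's or the poster's own configuration), here is a FortiOS 7.x CLI sketch of the pieces that make group-based SSL-VPN authorization work with a SAML IDP. Every name, URL, address range and interface below is an assumption. In particular the SAML attribute name "groups" is hypothetical: the FortiGate never sees the JSON shown in the question, only the SAML assertion, so `group-name` in `config user saml` must be whatever attribute name the IDP actually emits in the assertion's AttributeStatement, with one AttributeValue per group.

```text
# SP definition: which assertion attributes carry the user name and the group list.
# Attribute names ("username", "groups") are hypothetical; they must match the IDP.
config user saml
    edit "my-idp"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com/remote/saml/login"
        set single-logout-url "https://vpn.example.com/remote/saml/logout"
        set idp-entity-id "https://idp.example.com/saml/metadata"
        set idp-single-sign-on-url "https://idp.example.com/saml/sso"
        set idp-single-logout-url "https://idp.example.com/saml/slo"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "groups"
        set digest-method sha256
    next
end

# One local group per IDP group of interest. The match is an exact string
# comparison on the attribute value, so spelling and case must agree with
# what the IDP sends. Groups not mapped here ("Cert Publishers") are ignored.
config user group
    edit "vpn-sf_helpdesk"
        set member "my-idp"
        config match
            edit 1
                set server-name "my-idp"
                set group-name "sf_helpdesk"
            next
        end
    next
    edit "vpn-sf_other"
        set member "my-idp"
        config match
            edit 1
                set server-name "my-idp"
                set group-name "sf_other"
            next
        end
    next
end

# Separate tunnel address pools (assumed ranges) so the two populations are
# distinguishable on the wire.
config firewall address
    edit "pool-netA"
        set type iprange
        set start-ip 10.212.134.1
        set end-ip 10.212.134.250
    next
    edit "pool-netB"
        set type iprange
        set start-ip 10.212.135.1
        set end-ip 10.212.135.250
    next
end

# One portal per population, plus a portal that grants nothing as the default.
config vpn ssl web portal
    edit "portal-netA"
        set tunnel-mode enable
        set ip-pools "pool-netA"
    next
    edit "portal-netB"
        set tunnel-mode enable
        set ip-pools "pool-netB"
    next
    edit "portal-none"
        set tunnel-mode disable
        set web-mode disable
    next
end

# Group -> portal mapping. A user whose assertion carries neither group falls
# through to the default portal, which here allows nothing.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "portal-none"
    config authentication-rule
        edit 1
            set groups "vpn-sf_helpdesk"
            set portal "portal-netA"
        next
        edit 2
            set groups "vpn-sf_other"
            set portal "portal-netB"
        next
    end
end

# Firewall policy keyed on the group as well as the pool, so a session that
# somehow ends up with the wrong address still cannot cross into Network A.
# "Network_A" and "port2" are assumed to exist; repeat for Network B.
config firewall policy
    edit 101
        set name "sslvpn-helpdesk-to-netA"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "pool-netA"
        set dstaddr "Network_A"
        set groups "vpn-sf_helpdesk"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two checks are worth doing before trusting this. First, confirm what the IDP really puts in the assertion: `diagnose debug application samld -1` followed by `diagnose debug enable` on the FortiGate prints the attributes it parsed from the response, which is the fastest way to see a mismatched attribute name or a group value that differs in case. Second, test with an account that is in the IDP but in neither mapped group; it should land on the no-access portal and get no tunnel, which is the behaviour that makes the group mapping an authorization control rather than a convenience.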
