Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Janfi
New Contributor II

VPN - 2 SAML

Hello,

 

I want to ask you for advice. I am currently managing a FortiGate device where I am running a VPN setup. Within this VPN, I have a requirement to authenticate users against two separate Azure tenants. Both tenants are configured with FortiGate SSL VPN applications.

 

I have tested the connection, and I observed that when users are in different tenants, the authentication always attempts to validate against a single SAML provider (Users can be authenticated through one tenant, but users from the second tenant are experiencing issues. The system attempts to authenticate them through the first tenant, where they do not have access). I am looking for a solution that allows the system to attempt authentication in the second tenant if the initial SAML authentication fails.

 

I would appreciate any advice.

Jan

 

1 Solution
ndumaj

Sure, using realms you can differentiate users to connect in two different IDPs.

BR

- Happy to help, hit like and accept the solution -

View solution in original post

9 REPLIES 9
ndumaj
Staff
Staff

Hello @Janfi,

By design if the authentication fails then the connection will be terminated, and it is required to have another request.

On user LDAP or Radius you have the option to add an LDAP or Radius server as secondary or tertiary, and this will occur only if the primary node is not reachable.
However, if the authentication fails and FGT receives the response that authentication failed, will not try the other servers.
You need to initiate another login request.

BR


- Happy to help, hit like and accept the solution -
Janfi
New Contributor II

Hello @ndumaj ,

 

Thank you for the feedback. I also found this guide on SAML, but I wasn’t able to get the realms to work. I’m not sure if it’s only usable for portals or if it can also be used with FortiClient. Do you think, we can use it with realms somehow?

 

Best regards,

Jan

ndumaj

Correct using realms will send the requests to the specified IDP.

BR

- Happy to help, hit like and accept the solution -
Janfi
New Contributor II

So is it possible to do that this way?

ndumaj

Correct using Realms is a valid way to authenticate?

Again, one Realm will point to the IDP1 and the other Realm will be pointed at IDP2.
Users will have different username formats to connect.
Username: realm1/username  --> will send the request to the IDP1

username: relam2/username --> will send the request to the IDP2

This is not a real redundancy, but a manual way to connect to the IDPs

BR

- Happy to help, hit like and accept the solution -
Janfi
New Contributor II

I don't need redundancy. I just need have a way, how users can connect to different azures for authorization.

ndumaj

Sure, using realms you can differentiate users to connect in two different IDPs.

BR

- Happy to help, hit like and accept the solution -
Janfi
New Contributor II

Thank you for discussion :) I didn't know how to use realms. I found it and it works great for two samls.

ndumaj

Hello @Janfi 
Happy to share the info with you, and happy to help you.

BR

- Happy to help, hit like and accept the solution -
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors