VPN - 2 SAML
Hello,
I want to ask you for advice. I am currently managing a FortiGate device where I am running a VPN setup. Within this VPN, I have a requirement to authenticate users against two separate Azure tenants. Both tenants are configured with FortiGate SSL VPN applications.
I have tested the connection, and I observed that when users are in different tenants, the authentication always attempts to validate against a single SAML provider (Users can be authenticated through one tenant, but users from the second tenant are experiencing issues. The system attempts to authenticate them through the first tenant, where they do not have access). I am looking for a solution that allows the system to attempt authentication in the second tenant if the initial SAML authentication fails.
I would appreciate any advice.
Jan
Sure, using realms you can differentiate users to connect in two different IDPs.
BR
Hello @Janfi,
By design if the authentication fails then the connection will be terminated, and it is required to have another request.
On user LDAP or Radius you have the option to add an LDAP or Radius server as secondary or tertiary, and this will occur only if the primary node is not reachable.
However, if the authentication fails and the FGT receives the response that authentication failed, it will not try the other servers.
You need to initiate another login request.
BR
Correct, using realms will send the requests to the specified IDP.
BR
So is it possible to do that this way?
Correct, using Realms is a valid way to authenticate.
Again, one Realm will point to the IDP1 and the other Realm will be pointed at IDP2.
Users will have different username formats to connect.
Username: realm1/username --> will send the request to the IDP1
Username: realm2/username --> will send the request to the IDP2
This is not a real redundancy, but a manual way to connect to the IDPs.
BR
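The realm approach described in this reply, as an added configuration example (not from this thread or from Fortinet's documentation); the host vpn.example.com:10443, object and certificate names, and the Azure tenant IDs are assumed placeholders. Each realm gets its own SAML server object whose SP URLs carry the realm path, and an authentication rule binds the realm to the matching group, so users of one tenant are never sent to the other tenant's IdP.

```fortios
# Added example, not from the thread. Assumed: vpn.example.com:10443,
# object/cert names, and <TENANT-A-ID>/<TENANT-B-ID> placeholders.
config vpn ssl web realm
    edit "tenantA"
    next
    edit "tenantB"
    next
end
# One SAML SP definition per tenant; the SP URLs include the realm path,
# and each Azure enterprise app must use its own realm's URLs.
config user saml
    edit "saml-tenantA"
        set entity-id "https://vpn.example.com:10443/tenantA/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:10443/tenantA/remote/saml/login/"
        set idp-entity-id "https://sts.windows.net/<TENANT-A-ID>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT-A-ID>/saml2"
        set idp-cert "REMOTE_Cert_TenantA"
        set user-name "username"
    next
    edit "saml-tenantB"
        set entity-id "https://vpn.example.com:10443/tenantB/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:10443/tenantB/remote/saml/login/"
        set idp-entity-id "https://sts.windows.net/<TENANT-B-ID>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT-B-ID>/saml2"
        set idp-cert "REMOTE_Cert_TenantB"
        set user-name "username"
    next
end
config user group
    edit "grp-tenantA"
        set member "saml-tenantA"
    next
    edit "grp-tenantB"
        set member "saml-tenantB"
    next
end
# Bind each realm to its own group: a login under /tenantA can only
# match rule 1, so it is never redirected to tenant B's IdP.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "grp-tenantA"
            set portal "full-access"
            set realm "tenantA"
        next
        edit 2
            set groups "grp-tenantB"
            set portal "full-access"
            set realm "tenantB"
        next
    end
end
```

Users of tenant A connect to https://vpn.example.com:10443/tenantA and users of tenant B to /tenantB, and a failed login in one realm does not fall through to the other, matching the behaviour described earlier in the thread.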
I don't need redundancy. I just need to have a way for users to connect to different Azure tenants for authorization.
Thank you for the discussion :) I didn't know how to use realms. I found it and it works great for two SAML servers.
Hello @Janfi
Happy to share the info with you, and happy to help you.
BR