Hello,
I want to ask you for advice. I am currently managing a FortiGate device where I am running a VPN setup. Within this VPN, I have a requirement to authenticate users against two separate Azure tenants. Both tenants are configured with FortiGate SSL VPN applications.
I have tested the connection, and I observed that when users are in different tenants, the authentication always attempts to validate against a single SAML provider (Users can be authenticated through one tenant, but users from the second tenant are experiencing issues. The system attempts to authenticate them through the first tenant, where they do not have access). I am looking for a solution that allows the system to attempt authentication in the second tenant if the initial SAML authentication fails.
I would appreciate any advice.
Jan
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Sure, using realms you can differentiate users to connect in two different IDPs.
BR
Hello @Janfi,
By design if the authentication fails then the connection will be terminated, and it is required to have another request.
On user LDAP or Radius you have the option to add an LDAP or Radius server as secondary or tertiary, and this will occur only if the primary node is not reachable.
However, if the authentication fails and FGT receives the response that authentication failed, will not try the other servers.
You need to initiate another login request.
BR
Correct using realms will send the requests to the specified IDP.
BR
So is it possible to do that this way?
Correct using Realms is a valid way to authenticate?
Again, one Realm will point to the IDP1 and the other Realm will be pointed at IDP2.
Users will have different username formats to connect.
Username: realm1/username --> will send the request to the IDP1
username: relam2/username --> will send the request to the IDP2
This is not a real redundancy, but a manual way to connect to the IDPs
BR
I don't need redundancy. I just need have a way, how users can connect to different azures for authorization.
Sure, using realms you can differentiate users to connect in two different IDPs.
BR
Thank you for discussion :) I didn't know how to use realms. I found it and it works great for two samls.
Hello @Janfi
Happy to share the info with you, and happy to help you.
BR
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.