gsommariva
New Contributor II

VPN SSL: have both LDAP Authenticaton and Azure SAML Authentication

Hello,

On a Fortinet vdom I need to migrate the current SSL VPN with LDAP Auth to Azure SAML Auth.

There are LDAP Auth UserGroups, and every UserGroup is mapped to a single VPN SSL Portal.

What I need to achieve is to set up Azure SAML Auth and map new User Groups to the same VPN Portals.

UserGroup-1-LDAP -> Portal-VPN-SSL-1
UserGroup-1-SAML-AZURE -> Portal-VPN-SSL-1

Is it possible without compromising or modifying the actual VPN SSL Portal configuration?

Thanks a lot,

Graziano

2 Solutions
funkylicious
SuperUser

Hi,

Basically, yes.

You can use the same SSLVPN Portal, which by the way only has settings in regards to which IP Pool to get an IP assigned to the user, whether it's split or full tunnel, and other settings like that.

After you configure the SAML (config user saml), you then need to assign it to a User Group.

It has to be a different User Group from the one in which you have LDAP configured (you cannot have 2 remote auth servers in the same one, as far as I know, or you can't have 2 of the same remote auth in the same user group).

Then, you would need to add the user group in SSLVPN settings to a portal, then configure the firewall rules with this new user group.

Just to make sure that when a user tries to log in it uses the correct auth method, SAML and not LDAP, I would also create a separate realm and define that realm alongside the User group and portal in the settings.

"jack of all trades, master of none"

gsommariva

Yes, I will set up a Realm for SAML auth.

Thanks a lot.

Graziano

