Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BuHeTy
New Contributor

Captive portal redirection SAML

Hi All,

We've successfully setup captive portal using Azure as IDP

The problem is that the redirection is to the default fgtauth page and must click on "log in using SAML Identity Provider" to sign-in with Azure account.

Which is the way to be redirected to the saml portal?

Thanks!

 

 

 

7 REPLIES 7
rbraha
Staff
Staff

Hi @BuHeTy 

 

Are you using webmode or you have Forticlient installed there , through webmode you will need to select with the  option Single -Sign -On ,when using FortiClient you can enable the option " Enable Single Sign On (SSO) for VPN Tunnel and also Enable auto-login with Azure Active Directory .

BuHeTy
New Contributor

Hi,

We don't use Forticlient for our host in the network.

The captive portal is policy based, not interface.Till now we've used it with radius and/or FSSO collector pulling users from our active directory MS servers. 

Azure implementation works fine. Only the redirected page is the problem.

Debbie_FTNT

Hey,

usually you get the option screen (put in credentials OR click "Log in using SAML Identity Provider") if there are multiple possibilities how the user could be authenticated. If you have more than one group (one SAML, one LDAP for example) in that policy triggering the captive portal, FortiGate can't tell if the authentication should go to SAML or somewhere else, and thus offers the option to input credentials or go to SAML server.

You would have to remove any non-SAML group from the policy to ensure FortiGate redirects to SAML server immediately.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
BuHeTy

Hi @Debbie_FTNT ,

I've read this in HOW-tos and in the policy there are no other than Azure groups.

 

Debbie_FTNT

Hey @BuHeTy

do you have any other policies with groups the traffic could match into instead? And are those groups non-SAML groups?

It is possible that, as the user is not authenticated at this stage and there are multiple possible matches based on what group the user actually belongs to (which we will only know AFTER authentication) the FortiGate might consider more groups than just the SAML group in that policy.

I have never tested this in the lab, so I can't be certain; we would need to gather some debug from FortiGate to determine what groups FortiGate considers when triggering captive portal.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
BuHeTy

Great,

I'l try with a new azure group with only one member, not member of any other, and test and write.

BuHeTy
New Contributor

Nope,

Still redirects to th fgauth page. It FortiAnalyser traffic matches the policy with deny action. When I authenticate it is then allowed and authentication server is the Azure configured.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors