Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tonyagustin
New Contributor

Created on ‎05-06-2024 08:11 AM

FortiAuthenticator MFA - SAML

Hello.

We'd like to configure our FortiAuthenticator as SAML IdP. The first authentication factor is password from AD. We've tested several OTP options: fortitoken, sms, email, etc. and the work fine but we'd like to use another second factor: client certificate. We've used local CA or remote CA, and we've configure "certificate bindings" under user configuration, but when SAML web page is shown, it only asks for username and password, and it doesn't prompt to chose a certificate.

Anyone knows if it's possible to configure 2FA with AD password and user certificate?.

Thank you!.

Labels:
205
0 Kudos
1 Solution
lmarinovic
Staff
Staff

Created on ‎05-13-2024 06:55 AM

Hello Tony,

 

Unfortunately this is not supported yet. Even if you set certificate bindings on user. This currently can only work for radius. Only second factor under SAML can be:

 

 

Best regards,

 

Lazar

 

Best regards

Lazar Marinovic

View solution in original post

95
5 REPLIES 5
Stephen_G
Moderator
Moderator

Created on ‎05-09-2024 04:17 AM

Hello tonyagustin,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
137
0 Kudos
Stephen_G
Moderator
Moderator

Created on ‎05-13-2024 06:28 AM

Hello tonyagustin,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Stephen - Fortinet Community Team
102
0 Kudos
lmarinovic
Staff
Staff

Created on ‎05-13-2024 06:55 AM

Hello Tony,

 

Unfortunately this is not supported yet. Even if you set certificate bindings on user. This currently can only work for radius. Only second factor under SAML can be:

 

 

Best regards,

 

Lazar

 

Best regards

Lazar Marinovic
96
pminarik
Staff
Staff

Created on ‎05-13-2024 06:58 AM

As far as I am aware, this is not currently supported.

Certificate-bindings are used only for EAP-TLS authentication, SAML IdP currently doesn't support client-certificate verification. You'll need a new feature request for this.

[ corrections always welcome ]
93
tonyagustin
New Contributor

Created on ‎05-14-2024 01:52 AM

Thank you all for your answers!

49
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.