Support Forum
1mm
Contributor

Fortigate and SAML

Hello, we have a FortiGate deployed in Azure. We have configured SAML for authentication/authorization for FortiVPN. Now we are also planning to deploy other FortiGates on ESXi infrastructure, where we also need to configure FortiVPN with SAML. The question is: can I have one SAML application in Azure which will be mapped to both FortiGates? AD groups and policies will be the same.

1 Solution
pminarik
Staff

Yes, you can!

The Single sign-on section for SAML method in Enterprise Applications allows you to define values for multiple Service Providers (~multiple FortiGates):

[Image: Azure AD/Entra SAML SP configuration]

The only requirement for this to properly work is that the SP (=FortiGate SSL-VPN) includes the ACS (login) URL in the AuthnRequest, so that the IdP (Azure) knows where to redirect to once done (if not included, Azure will redirect to the first/default URL configured). Fortunately, FortiGate indeed includes this value in the request, so everything should work. :)

[ corrections always welcome ]


hbac
Staff

Hi @1mm,

I don't think so, as Entity ID, reply URL, etc. will be different between FortiGates.

Regards,

1mm

Thanks for your reply,

But as I see, for Sign on URL you can't add 2 entries, or is it not mandatory for authentication?

pminarik

Multiple ACS/Reply URLs is sufficient for things to work.
Sign on URL can be left empty/singular (whichever option Azure allows).

[ corrections always welcome ]
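The ACS selection that pminarik describes in the accepted solution and confirms in the reply above (the IdP honours the AssertionConsumerServiceURL carried in the SP's AuthnRequest, provided it is one of the Reply URLs registered on the shared enterprise application, and otherwise falls back to the default one) modelled as a small Python script. This is an added example for this thread, not Fortinet or Microsoft code: the hostnames, entity IDs and the AuthnRequest are constructed, the `/remote/saml/metadata/` and `/remote/saml/login/` paths are assumed to be the FortiGate SSL-VPN SAML defaults, and the matching is a simplified exact-string comparison.

```python
"""
Model of how one Entra ID enterprise application shared by two FortiGate
SPs decides where to POST the SAMLResponse for a given AuthnRequest.

Added example for the forum thread; not Fortinet or Microsoft code.
Hostnames, entity IDs and the request below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical FortiGate hostnames; the /remote/saml/... paths are assumed
# FortiGate SSL-VPN SAML defaults, not values taken from the thread.
FGT_AZURE = "https://fgt-azure.example.com"
FGT_ESXI = "https://fgt-esxi.example.com"

# ONE enterprise application serving both FortiGates: each SP entity ID is
# listed under "Identifier (Entity ID)", each ACS URL under "Reply URL
# (Assertion Consumer Service URL)". The first reply URL is the default.
ENTERPRISE_APP = {
    "identifiers": {
        f"{FGT_AZURE}/remote/saml/metadata/",
        f"{FGT_ESXI}/remote/saml/metadata/",
    },
    "reply_urls": [
        f"{FGT_AZURE}/remote/saml/login/",  # default (first entry)
        f"{FGT_ESXI}/remote/saml/login/",
    ],
}


def make_authn_request(issuer, acs_url=None, request_id="_req1"):
    """Constructed AuthnRequest as an SP would send it. FortiGate includes
    AssertionConsumerServiceURL; pass acs_url=None to model an SP that omits it."""
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"{acs_attr}>'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def parse_authn_request(xml_text):
    """Return (issuer, acs_url_or_None) from a samlp:AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find("saml:Issuer", NS)
    if issuer_el is None or not (issuer_el.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return issuer_el.text.strip(), root.get("AssertionConsumerServiceURL")


def select_acs(xml_text, app=ENTERPRISE_APP):
    """Decide where the IdP will POST the SAMLResponse for this request.

    Rules modelled: the Issuer must be a registered identifier; a requested
    ACS URL is honoured only if it is a registered reply URL (anything else
    is rejected, so a forged AuthnRequest cannot redirect an assertion to an
    attacker-controlled host); a request with no ACS URL gets the default.
    """
    issuer, acs = parse_authn_request(xml_text)
    if issuer not in app["identifiers"]:
        raise PermissionError(f"unknown SP issuer: {issuer}")
    if acs is None:
        return app["reply_urls"][0]
    if acs not in app["reply_urls"]:
        raise PermissionError(f"ACS URL not registered for this app: {acs}")
    return acs


if __name__ == "__main__":
    esxi_req = make_authn_request(f"{FGT_ESXI}/remote/saml/metadata/",
                                  f"{FGT_ESXI}/remote/saml/login/")
    print(select_acs(esxi_req))  # the ESXi FortiGate gets its own ACS URL
    no_acs_req = make_authn_request(f"{FGT_ESXI}/remote/saml/metadata/")
    print(select_acs(no_acs_req))  # no ACS in request: default (Azure FortiGate)
```

The second call in the `__main__` block is the failure mode the solution warns about: an SP that leaves AssertionConsumerServiceURL out of its request is sent to the first registered Reply URL, which for the ESXi FortiGate would be the wrong box. The rejection branch is why both FortiGates' login URLs have to be registered on the application rather than relying on the request alone; a real IdP additionally checks the request signature, RelayState and the rest of the SAML profile, which this model leaves out.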
1mm

Thanks for your help! 
