Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
systemgeek
New Contributor III

Created on ‎04-25-2024 11:34 AM

Fortigate client based ssl-vpn with saml group matching

I am testing out client based ssl-vpn using SAML Auth.  When I debug saml on the fortigate I see that group that comes back from SAML is correct but I am getting added to the wrong portal. 

 

I have users group configured as per https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/co... with:

config user group

edit FortiGateAccess

set member azure

config match

edit 1

set server-name azure

set group-name <object ID>

next

end

next

end

 

How does the fortigate relate the group name to the portal name?

Labels:
250
0 Kudos
1 Solution
dbu
Staff
Staff
In response to systemgeek

Created on ‎04-25-2024 12:27 PM Edited on ‎04-25-2024 12:28 PM

Multi-realm can serve also in the scenario where user is part of several groups and you want to make sure it will access the right portal based on that group membership/ 

I think you need to verify the authentication rules and check if the group is mapped to a portal. 
authportal.PNG

I believe you are not matching a group on the list and going to the default portal at the end.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

224
0 Kudos
6 REPLIES 6
systemgeek
New Contributor III

Created on ‎04-25-2024 11:41 AM

In ssl-vpn settings I see at the bottom Authentication/Portal Mapping.  So does that mean the group name from saml must match the portal name?

241
0 Kudos
dbu
Staff
Staff

Created on ‎04-25-2024 11:44 AM

Hi @systemgeek ,

I believe you need to create authentication rules  with multi-realm : 

SSL VPN multi-realm | FortiGate / FortiOS 7.4.3 | Fortinet Document Library

SSL VPN authentication | FortiGate / FortiOS 7.2.8 | Fortinet Document Library

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
240
0 Kudos
systemgeek
New Contributor III
In response to dbu

Created on ‎04-25-2024 12:02 PM

It looks like the ssl-vpn multi-realms is for setting individual login pages for different realms.

 

I want to know what connects the group attribute that SAML returns to the vpn portal.  I am pretty sure I deleted something or broke something and thats why its not working right.  Authentication Settings might be it but I am clueless on how to configure it right.

236
0 Kudos
dbu
Staff
Staff
In response to systemgeek

Created on ‎04-25-2024 12:27 PM Edited on ‎04-25-2024 12:28 PM

Multi-realm can serve also in the scenario where user is part of several groups and you want to make sure it will access the right portal based on that group membership/ 

I think you need to verify the authentication rules and check if the group is mapped to a portal. 
authportal.PNG

I believe you are not matching a group on the list and going to the default portal at the end.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
225
0 Kudos
systemgeek
New Contributor III
In response to dbu

Created on ‎04-25-2024 01:41 PM

So I do have this.  The Users/Group I have is a group of type Firewall that is connected to a remote server (the SAML server) with a list of group names....

 

OH... Wait...  I need one group of type firewall connected to saml for EACH group name that will be returned...  Then in ssl-vpn settings I link the different groups to different portals....

202
0 Kudos
dbu
Staff
Staff
In response to systemgeek

Created on ‎04-25-2024 01:52 PM Edited on ‎04-25-2024 01:53 PM

Yes you can test with two different groups and portals and see the results. 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
198
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.