In this example, users are managed through Microsoft Azure Active Directory (AD). The FortiGate is configured for SSO firewall authentication for outbound traffic, with authentication performed by Azure AD acting as the SAML identity provider (IdP) and the FortiGate acting as the SAML service provider (SP).
The SAML interaction occurs as follows:
- The user initiates web traffic to the internet.
- The FortiGate redirects the user to its local captive portal, which in turn redirects the user to the SAML IdP.
- The user is sent to the Microsoft login page to complete the SAML authentication request.
- The SAML IdP returns a SAML assertion containing the user and group attributes.
- The browser forwards the SAML assertion to the SAML SP (the FortiGate).
- If the user and group are allowed by the FortiGate, the user is allowed to access the internet.
In this example environment, a user who belongs to the security group called Firewall is added in Azure AD.
- Username: John Locus
- User login: firstname.lastname@example.org
- Group: Firewall (ID 62b699ce-4f80-48c0-846e-c1dfde2dc667)
The goal is to allow users in the Firewall group to access the internet after passing firewall authentication.
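The final step of the flow above (the SP deciding whether the user and group in the assertion are allowed) and the reason the example records the Firewall group's object ID rather than its display name are easier to see with a small parser. The following Python is an added example, not FortiGate or Azure AD code: it builds a constructed, unsigned SAML Response, extracts the user and group attributes from the assertion, and allows access only when one of the user's groups matches the allowed group ID. The claim names `USERNAME_ATTR` and `GROUPS_ATTR`, the `build_sample_response` helper and the `authorize` function are assumptions for illustration; signature, audience and validity checks on the assertion are assumed to have been done before this step.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 protocol messages and assertions
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim names assumed here for the user and group attributes; in a real
# deployment they must match what the IdP emits and what the SP is set to read.
USERNAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Object ID of the Firewall group from the example. The SP matches on the ID,
# not the display name "Firewall", because the ID is what lands in the assertion.
ALLOWED_GROUP_IDS = {"62b699ce-4f80-48c0-846e-c1dfde2dc667"}


def build_sample_response(username, group_ids):
    """Construct a minimal, unsigned SAML Response (constructed test data, not a
    real IdP message). An empty group list omits the group claim entirely, which
    models a user who is in no groups or whose IdP sends no group attribute."""
    group_values = "".join(
        f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_ids
    )
    groups_attr = (
        f'<saml:Attribute Name="{GROUPS_ATTR}">{group_values}</saml:Attribute>'
        if group_ids else ""
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>{username}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{USERNAME_ATTR}">
        <saml:AttributeValue>{username}</saml:AttributeValue>
      </saml:Attribute>
      {groups_attr}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_claims(response_xml):
    """Return (username, set_of_group_ids) read from the assertion's
    AttributeStatement. Accepts either a samlp:Response or a bare saml:Assertion."""
    root = ET.fromstring(response_xml)
    if root.tag == f"{{{NS['saml']}}}Assertion":
        assertion = root
    else:
        assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion found in response")

    username = None
    groups = set()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") == USERNAME_ATTR and values:
            username = values[0]
        elif attr.get("Name") == GROUPS_ATTR:
            groups.update(values)

    if username is None:
        # Fall back to the subject NameID when no user-name attribute is present
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is not None and name_id.text:
            username = name_id.text.strip()
    return username, groups


def authorize(response_xml, allowed_groups=ALLOWED_GROUP_IDS):
    """The SP-side decision from the last step of the flow: allow only when the
    assertion names a user and at least one of the user's groups is allowed.
    A missing or non-matching group claim results in a deny."""
    username, groups = extract_claims(response_xml)
    matched = groups & set(allowed_groups)
    return {
        "user": username,
        "groups": sorted(groups),
        "matched_groups": sorted(matched),
        "allowed": username is not None and bool(matched),
    }


if __name__ == "__main__":
    # Constructed sample: the example user in the Firewall group
    ok = build_sample_response("firstname.lastname@example.org", sorted(ALLOWED_GROUP_IDS))
    print(authorize(ok))
    # Constructed sample: same user, but only in an unrelated group (placeholder ID)
    denied = build_sample_response("firstname.lastname@example.org",
                                   ["00000000-0000-0000-0000-000000000000"])
    print(authorize(denied))
```

Because the decision keys on the group's object ID, renaming the group in Azure AD does not change the outcome, but recreating the group (which yields a new ID) silently breaks the match until the SP is updated; checking that the ID in the assertion matches the one configured on the FortiGate is the first thing to verify when users in the right group are still denied.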