This feels like a simple question but I haven’t found an answer: if I’ve got Entra SSO for SSLVPN, can I use the same Entra application for both SSLVPN & admin logins? According to this guide from 2019, admin logins need a generic non-gallery application added, and according to the more recent guides that are SSLVPN specific, I’m adding the “FortiGate SSL VPN” application.
Could I use that non-gallery application for SSO since it’s still SAML & I could just create a second group to attach to it in Entra & then use that object ID for the SSLVPN access group in the firewall? Or if I have an existing FortiGate SSL VPN application, could I add a second group to it for admin logins & use it for the “config system saml” stuff?
Apologies if I’m being unclear; I’m just unsure how much of the SSLVPN Entra application is specific to SSLVPN or if that’s just how they labeled it.
You can but I wouldn’t. Since the app is tied to a Conditional access policy in Azure, I would create a second app for admins and have a different Cond Access Policy with different requirements for admins than for SSLVPN users
If I remember correctly, settings for these are in different places in the FGT, but it has been a while since I have done it.
Yes, you can definitely use the same app for both cases. I’ve done this before and just create different groups in Azure to reference who has admin rights and who’s a VPN user. Then you can reference the VPN users with the objectID group in the policy. It works fine!
You create one SAML user to link Entra to the SSL VPN, then create different groups and can use different IP ranges for each group or a combination of group membership and IP address in policies. The other thing you can do is MFA for Firewall Admin login, which adds MFA to admin activity as well. It works really slick.
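An added FortiOS CLI sketch (written for this thread, not any poster's config or Fortinet's own example) of what the answers above describe: one Entra IdP behind both a `config user saml` object plus an object-ID group match for SSL VPN, and a separate `config system saml` block for admin login. Hostnames, certificate names, tenant ID, group object ID and the admin profile name are placeholders.

```text
# One Entra SAML app, two FortiGate consumers. All values are placeholders.

# 1. SAML server used by SSL VPN user authentication
config user saml
    edit "entra-sso"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com/remote/saml/login/"
        set single-logout-url "https://vpn.example.com/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/<TENANT-ID>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end

# 2. Firewall group that matches only members of the Entra "VPN users" group.
#    The match value is the Entra group object ID, not its display name, so a
#    second Entra group (e.g. admins) on the same app never satisfies this match.
config user group
    edit "entra-vpn-users"
        set member "entra-sso"
        config match
            edit 1
                set server-name "entra-sso"
                set group-name "<VPN-GROUP-OBJECT-ID>"
            next
        end
    next
end

# 3. Admin GUI/CLI login is a separate object even when it points at the same
#    IdP. Who may reach it is governed by the Entra app/Conditional Access
#    assignment; on the FortiGate, users without a matching admin account get
#    default-profile, so point that at a restrictive profile you created.
config system saml
    set status enable
    set role service-provider
    set default-login-page sso
    set default-profile "<RESTRICTIVE-ACCPROFILE>"
    set cert "Fortinet_Factory"
    set entity-id "https://admin.example.com/metadata/"
    set single-sign-on-url "https://admin.example.com/saml/login/"
    set single-logout-url "https://admin.example.com/saml/logout/"
    set idp-entity-id "https://sts.windows.net/<TENANT-ID>/"
    set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
    set idp-single-logout-url "https://login.microsoftonline.com/<TENANT-ID>/saml2"
    set idp-cert "REMOTE_Cert_1"
end
```

Reusing one Entra app means one Conditional Access policy covers both populations; the split-app approach in the first answer is what lets admin logins carry stricter requirements than VPN users.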