Duo SSO - Fortinet FortiGate Admin - 1 application per firewall?

kmanning1
Level 1

Hello,

I want to move from local accounts with FortiTokens to domain/Duo MFA for my FortiGate firewalls. They have added the Fortinet FortiGate Admin application to the list of what can be protected. After walking through the setup and documentation, I have noticed that, whether I use my on-prem AD or Azure SAML as the authenticator, the protected application asks for the service provider IP, and this comes from the IP on the firewall. If I have 10 different firewalls, do I have to create 10 different applications? Is it not possible to have all my FortiGates point to a single protected application entry using the same identity provider links? Can a wildcard be entered? Thanks.


3 Replies

Accepted Solution

Each FortiGate is going to be a different SP from a SAML perspective, so you need to define each one in Azure...

Hope that helps

**Please rate as helpful if this was useful**

DuoKristina
Cisco Employee

I think your question is actually "Do we need to create multiple Duo SSO for FortiGate applications to protect multiple firewalls?" and the answer is yes. You cannot enter a wildcard for the SP address in the Duo Admin Panel configuration for the FortiGate SSO application.

ETA: If you are using Entra ID (Azure) as the SAML authentication source for Duo SSO, you do not need to define anything about your FortiGates in Azure. Duo SSO is only verifying user information in Entra ID in that configuration.
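As an added illustration of the point made in the two replies above (this is not part of the original thread and is not Fortinet or Duo code), the script below shows why each FortiGate is a separate SAML service provider and why the Admin Panel cannot take a wildcard: the SP entityID and AssertionConsumerService URL the firewall presents are derived from its own address, and the IdP matches them literally. The `http://<address>/metadata/` and `https://<address>/saml/?acs` URL shapes follow the pattern Fortinet uses in its SAML-SP examples but are treated as an assumption here; the hostnames are constructed.

```python
"""Added illustration: why each FortiGate is its own SAML service provider (SP).

FortiOS derives the SP identifiers it presents to the identity provider from
the firewall's own address (the "service provider" address the Duo Admin Panel
asks for), so N firewalls produce N distinct entityIDs and ACS URLs, and the
IdP needs one SP definition per firewall.  Hostnames below are constructed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD_NS)


def sp_identifiers(fortigate_address: str) -> dict:
    """Build the SP entityID, ACS and SLS URLs from one firewall's address.

    The URL shapes follow the pattern Fortinet publishes in its SAML-SP guides
    (assumption: confirm against the metadata your own firewall exports).
    """
    host = fortigate_address.strip().lower()
    # A SAML entityID / ACS Location is compared literally by the IdP, so a
    # wildcard can never identify an SP; reject it up front.
    if not host or "*" in host:
        raise ValueError(f"{fortigate_address!r}: SP address must be one concrete host")
    return {
        "server_address": host,
        "entity_id": f"http://{host}/metadata/",
        "acs_url": f"https://{host}/saml/?acs",
        "sls_url": f"https://{host}/saml/?sls",
    }


def sp_metadata_xml(fortigate_address: str) -> str:
    """Render minimal SAML 2.0 SP metadata for one firewall (unsigned, no certificates)."""
    ids = sp_identifiers(fortigate_address)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=ids["entity_id"])
    sso = ET.SubElement(
        root,
        f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration=SAML2_PROTOCOL,
        AuthnRequestsSigned="false",
        WantAssertionsSigned="true",
    )
    ET.SubElement(sso, f"{{{MD_NS}}}SingleLogoutService",
                  Binding=HTTP_REDIRECT, Location=ids["sls_url"])
    ET.SubElement(sso, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=ids["acs_url"], index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def plan_idp_entries(addresses) -> dict:
    """One IdP-side SP entry per firewall, keyed by entityID.

    Repeated or differently-cased addresses collapse to a single entry; every
    entry left is a separate application to create in Duo (or Azure).
    """
    entries = {}
    for addr in addresses:
        ids = sp_identifiers(addr)
        entries[ids["entity_id"]] = ids
    return entries


if __name__ == "__main__":
    # Constructed sample inventory: ten firewalls means ten SP applications.
    fleet = [f"fw{n:02d}.example.com" for n in range(1, 11)]
    plan = plan_idp_entries(fleet)
    print(f"{len(plan)} separate SP applications needed")
    print(sp_metadata_xml(fleet[0]))
```

Feed `plan_idp_entries` your firewall inventory to see how many SP applications the IdP side will need; the generated metadata for each host is what you would compare against the values entered in the Duo Admin Panel (or the enterprise application in Azure, if Azure is the IdP).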

Duo, not DUO.

Whether the IdP is Duo or Azure, each Fortinet has to be configured in Duo or Azure, depending on which one is the IdP.
