01-15-2025 10:07 AM
Hello,
I am wanting to move from local accounts with FortiTokens to domain/Duo MFA for my FortiGate firewalls. They have added the Fortinet FortiGate Admin application to the list of what can be protected. After walking through the setup and documentation I have noticed that it doesn't matter whether I use my on-prem AD or Azure SAML as the authenticator: the protected application asks for the service provider IP, and this comes from the IP on the firewall. If I have 10 different firewalls, do I have to create 10 different applications? Is it not possible to have all my FortiGates point to a single protected application entry using the same identity provider links? Can a wildcard be entered? Thanks.
01-15-2025 09:11 PM
Each FortiGate is going to be a different SP from a SAML perspective, so you need to define each one in Azure...
Hope that helps
**Please rate as helpful if this was useful**
01-17-2025 07:13 AM - edited 01-17-2025 07:18 AM
I think your question is actually "Do we need to create multiple Duo SSO for FortiGate applications to protect multiple firewalls?" and the answer is yes. You cannot enter a wildcard for the SP address in the Duo Admin Panel configuration for the FortiGate SSO application.
ETA: If you are using Entra ID (Azure) as the SAML authentication source for Duo SSO you do not need to define anything about your Fortigates in Azure. Duo SSO is only verifying user information in Entra ID in that configuration.
01-17-2025 11:26 PM
Whether the IdP is Duo or Azure, each FortiGate has to be configured in Duo or Azure, depending on which one is the IdP.
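Why the answers above say each firewall needs its own entry: a SAML IdP addresses every response to one specific service provider, by writing that SP's ACS URL into the Response `Destination` and its entity ID into the assertion's `AudienceRestriction`, and a correctly behaving SP rejects anything addressed elsewhere. The script below is an added example, not code from the thread, from Duo, or from Fortinet. It assumes (labelled in the code) that the FortiGate admin-SSO SP identifies itself as `http://<address>/metadata/` with ACS `https://<address>/saml/?acs`, and the SAML XML it parses is a constructed, unsigned sample. It builds the per-firewall SP inventory an IdP has to hold and then shows that a response issued for one firewall does not pass the target checks of another, which is the reason a single shared or wildcard entry cannot work.

```python
"""Per-firewall SAML SP identity and the exact-match target checks an SP performs.

Added example, not from the original thread or from Duo/Fortinet.
Assumptions: the FortiGate admin-SSO SP uses entity ID http://<addr>/metadata/
and ACS https://<addr>/saml/?acs (URL layout assumed, verify against your
FortiGate's SAML metadata); the XML below is constructed, unsigned sample data.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def sp_identity(fgt_address: str) -> dict:
    """SAML SP identifiers for one FortiGate (assumed URL layout, see module docstring)."""
    return {
        "entity_id": f"http://{fgt_address}/metadata/",
        "acs_url": f"https://{fgt_address}/saml/?acs",
    }


def sp_inventory(fgt_addresses) -> dict:
    """One SP entry per firewall; this is what the IdP (Duo SSO or Entra ID) must hold."""
    return {addr: sp_identity(addr) for addr in fgt_addresses}


def build_sample_response(entity_id: str, acs_url: str) -> bytes:
    """Constructed, unsigned SAML Response as an IdP would address it to one SP."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" Destination="{acs_url}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{entity_id}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()


def response_targets(response_xml: bytes) -> dict:
    """Extract where the IdP addressed the response: Destination and Audience values."""
    root = ET.fromstring(response_xml)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    return {"destination": root.get("Destination"), "audiences": audiences}


def accepted_by(sp: dict, response_xml: bytes) -> bool:
    """Exact-match Destination and Audience checks a well-behaved SP performs.

    Signature verification is deliberately left out of this example; a real SP
    checks the IdP signature before trusting any of these values.
    """
    targets = response_targets(response_xml)
    return (
        targets["destination"] == sp["acs_url"]
        and sp["entity_id"] in targets["audiences"]
    )


if __name__ == "__main__":
    # Constructed firewall addresses; a real deployment lists each FortiGate here.
    inventory = sp_inventory(["fw-01.example.net", "10.0.0.2"])
    for addr, sp in inventory.items():
        print(f"{addr}: entity_id={sp['entity_id']} acs={sp['acs_url']}")

    # A response the IdP issued for fw-01 is only valid at fw-01.
    resp = build_sample_response(**inventory["fw-01.example.net"])
    print("fw-01 accepts:", accepted_by(inventory["fw-01.example.net"], resp))
    print("10.0.0.2 accepts:", accepted_by(inventory["10.0.0.2"], resp))
```

Feed `sp_inventory` the address that each FortiGate is actually reached on, because that address is what lands in the entity ID and ACS URL the IdP is configured with; any mismatch (NAT, a VIP, hostname versus IP) shows up as exactly the failed `accepted_by` check above.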