SSL VPN Connection to FortiGate using Azure AD
FortiGate SSL VPN can authenticate users with SAML, which is especially convenient for Office 365 customers: Microsoft Azure AD acts as the SAML Identity Provider (IdP) and enforces MFA before the FortiGate grants the session.
Traditionally, VPN users were authenticated against LDAP or RADIUS. RADIUS was commonly used when different groups of users needed different levels of access: the RADIUS server returns a vendor-specific attribute (Fortinet-Group-Name) whose value matches the name of a user group defined on the FortiGate, and the SSL VPN portal and firewall policies are then assigned per group.
The same role-based access works against Azure AD. The FortiGate, acting as SAML Service Provider, receives a group claim in the SAML assertion and maps it to a local user group, while Azure AD applies MFA and Conditional Access policies to the sign-in before the assertion is issued.
Other solutions use RADIUS together with the NPS extension for Azure AD MFA (an add-on for Windows Network Policy Server), but they are limited in the authentication methods they support and in returning vendor-specific attributes for role-based access.
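A FortiOS CLI configuration that implements the SAML and group-based access described above, added here as a worked example and not taken from the original page. The hostname vpn.example.com, the tenant ID and group object IDs (all-zero and repeated-digit placeholders), the claim names username and group, the certificate names, interface port2 and the address objects mgmt-subnet and app-subnet are assumptions to be replaced with your own values; the portals full-access and tunnel-access and the address SSLVPN_TUNNEL_ADDR1 are FortiOS defaults.

```fortios
# --- SAML Service Provider (FortiGate side) ---
# entity-id and the two single-*-url values are the FortiGate's own SSL VPN endpoints
# (assumed hostname vpn.example.com); the idp-* values come from the Azure AD
# enterprise application (assumed tenant ID 00000000-0000-0000-0000-000000000000).
config user saml
    edit "azure-saml"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com/remote/saml/login"
        set single-logout-url "https://vpn.example.com/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end

# --- Role-based access: one FortiGate user group per Azure AD group ---
# Azure AD emits security groups in the group claim as object IDs by default,
# so the match value is the group's object ID, not its display name (assumed IDs).
config user group
    edit "vpn-admins"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "11111111-1111-1111-1111-111111111111"
            next
        end
    next
    edit "vpn-staff"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "22222222-2222-2222-2222-222222222222"
            next
        end
    next
end

# --- Map each group to a portal; the portal decides tunnel vs web mode, split tunnelling, etc. ---
config vpn ssl settings
    set servercert "Fortinet_Factory"
    config authentication-rule
        edit 1
            set groups "vpn-admins"
            set portal "full-access"
        next
        edit 2
            set groups "vpn-staff"
            set portal "tunnel-access"
        next
    end
end

# --- Firewall policies: least privilege per group (assumed interface and address names) ---
config firewall policy
    edit 10
        set name "sslvpn-admins-to-mgmt"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "mgmt-subnet"
        set groups "vpn-admins"
        set action accept
        set schedule "always"
        set service "SSH" "HTTPS"
        set nat disable
    next
    edit 11
        set name "sslvpn-staff-to-apps"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "app-subnet"
        set groups "vpn-staff"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end
```

On the Azure AD side the enterprise application's Identifier must equal entity-id, its Reply URL must equal single-sign-on-url, and the assertion must carry claims named username (mapped to the UPN) and group (the group claim), otherwise user-name and group-name on the FortiGate match nothing and every login fails with an empty group. The two group checks are deliberately separate user groups rather than one group with two match entries, because the authentication rules and firewall policies key on the FortiGate group name; a user in both Azure AD groups ends up in both FortiGate groups and hits the first matching authentication rule. To see exactly which claims arrived during a failed login, enable the SAML daemon debug (diagnose debug application samld -1 followed by diagnose debug enable) and read the parsed attributes in the output.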
Benefits of using Azure AD as the IdP:
Simplicity: one identity and password for VPN access and for the company applications.
Security: requiring MFA for VPN access raises the bar against credential theft and password reuse.
Cost saving: instead of purchasing a separate MFA or SAML solution, the customer uses Azure AD, which is included with an Office 365 subscription. Note that SAML federation and per-user MFA are available on the free tier, whereas Conditional Access policies require an Azure AD Premium P1 licence, which some Microsoft 365 plans include.
Control: administrators manage access centrally in Azure AD and grant different VPN privileges to different users simply through group membership.
Multi-vendor support: because it relies on standard SAML, the same approach works with other vendors' SSL VPNs, such as Palo Alto Networks and Cisco.
If you are interested, please reach out to us at: email@example.com