Skip to main content
vshtaloja
Staff
vshtaloja
Staff
January 15, 2025

Technical Tip: AD FS Fields in SAML Configuration Fail to Auto-Populate After FortiGate Reboot

  • January 15, 2025
  • 0 replies
  • 541 views
Description This article provides a workaround and a solution for an issue where AD FS fields fail to auto-populate after rebooting the FortiGate, leading to VPN interruptions.
Scope FortiGate v7.2, v7.4 and 7.6
Solution

After rebooting the FortiGate, AD FS fields in the SAML configuration fail to auto-populate, resulting in disrupted VPN functionality and authentication failures for incoming client VPN connections:

 

config user saml
    edit "FortiTest"
        set cert "test_saml_certificate"
        set entity-id "https://remote.testsaml-group.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://remote.testsaml-group.com:10443/remote/saml/login/"
        set single-logout-url "https://remote.testsaml-group.com:10443/remote/saml/logout/"
        set idp-entity-id "http://fs.testsaml-group.com/adfs/services/trust"
        set idp-single-sign-on-url "https://fs.testsaml-group.com/adfs/ls/"
        set idp-single-logout-url "https://fs.testsaml-group.com/adfs/ls/"
        set idp-cert "Remote_Cert1"
        set digest-method sha1
        set adfs-claim enable
        set user-claim-type upn
        set group-claim-type group
    next
end

 

Before reboot:


beforereboot-ADFS.png

 

After reboot:


afterreboot-ADFS.png

 

This issue has been resolved in v7.4.8 and v7.6.3.

 

Workaround:

Disable and re-enable AD FS:


config user saml
    edit <name>
        unset adfs-claim
    next
end

config user saml
    edit <name>
        set adfs-claim enable
    next
end
      Terms & ConditionsAccessibility statement