Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML IdP
Description
This article describes how to configure FortiGate administrator login using SAML Single Sign-On (SSO) with Microsoft Entra ID acting as the SAML Identity Provider (IdP).
Scope
- FortiGate running FortiOS v7.2/v7.4/v7.6 (administrator SAML SSO is supported in these releases; the feature was originally introduced in FortiOS v6.2).
- Microsoft Entra ID (formerly Azure Active Directory) as SAML IdP.
- Note: FortiGate admin SAML SSO configuration is not available in FortiManager (configure on the FortiGate).
Solution
Prerequisites/best practices:
- Have a working local 'break-glass' administrator (super_admin) with a known password and (ideally) Trusted Hosts set.
- Ensure FortiGate time is synchronized (NTP). Time skew can cause SAML response validation failures.
- Use a reachable SP address (prefer FQDN). All SAML redirects will use this address.
- Before forcing SAML for all logins, keep the default login page as Normal so local login remains available during testing.
Terminology mapping:
Use the following field mapping when copying values between FortiGate and Entra ID:
| FortiGate GUI | Microsoft Entra ID |
| --- | --- |
| IdP entity ID | Entra ID Identifier |
| IdP single sign-on URL | Login URL |
| IdP single logout URL | Logout URL |
| SP entity ID | Identifier (Entity ID) |
| SP ACS (login) URL | Reply URL (Assertion Consumer Service URL) |
| SP SLS (logout) URL | Logout URL |
| SP portal URL | Sign on URL |
The only mandatory SAML attribute is username, interpreted as the FortiGate administrator username/account name.
Step-by-step configuration:
Configure the Enterprise Application in Entra ID:
- Create an Enterprise application in Entra ID (a gallery app, such as 'FortiGate SSL VPN' or a custom/non-gallery app is acceptable for SAML).

- Open the newly created application -> Single sign-on -> SAML.

- In SAML Certificates, download the signing certificate (Base64).

- In the SAML configuration page, copy the three IdP values for later use on the FortiGate: Identifier (Entity ID), Login URL, and Logout URL.
- SP Entity ID: the unique identifier of the FortiGate acting as the SP. It is presented as the EntityId in authentication requests to the IdP, and the IdP uses it to recognise which application the SAML assertions and other authentication data belong to.
- ACS URL: the Assertion Consumer Service (ACS) URL is the endpoint to which the IdP delivers the SAML assertion via a POST request. It acts as the callback URL where the FortiGate expects to receive and process the SAML response that carries the user's identity details.
Import the Entra ID signing certificate into FortiGate:
- On FortiGate, import the Entra ID SAML certificate as a Remote Certificate: System -> Certificates -> Import -> Remote Certificate.
- Optional: rename the imported certificate to something meaningful (example below).
config vpn certificate remote
rename REMOTE_Cert_1 to Entra_SAML
end

Configure SAML SSO on FortiGate (admin login):
This feature does not exist under FortiManager.
GUI location (FortiOS v7.2/v7.4/v7.6):
Security Fabric -> Fabric Connectors -> Security Fabric Setup (open the card/select it) -> SAML Single Sign-On Settings.

Note: Some builds will show 'Security Fabric Settings' instead of 'Security Fabric Setup', but that is still under Security Fabric -> Fabric Connectors.
- FortiOS v6.2: User & Device -> SAML SSO.
- FortiOS v6.2.3+: Security Fabric -> Settings -> (enable) SAML Single Sign-On -> Advanced Options.
- FortiOS v6.4+: Security Fabric -> Fabric Connectors -> Security Fabric Setup -> Single Sign-On Settings.
CLI SAML configuration examples (based on the installed FortiOS version):
FortiOS v7.0.x and above:
config system saml
set status enable
set role service-provider
set default-login-page normal
set default-profile "super_admin"
set binding-protocol redirect
set entity-id "https://<SP_FQDN>/metadata/"
set idp-entity-id "<ENTRA_IDENTIFIER_ENTITY_ID>"
set idp-single-sign-on-url "<ENTRA_LOGIN_URL>"
set idp-single-logout-url "<ENTRA_LOGOUT_URL>"
set idp-cert "Entra_SAML" # remote cert name
set server-address "<SP_FQDN_OR_IP>"
end
Key FortiGate settings:
SP address: The Identity Provider will send the SAML authentication response to this address. It must be reachable from the WAN and can be either an IP address or a Fully Qualified Domain Name (FQDN). To specify a port, add it after a colon, for instance 201.0.0.0:10443.
This port is the Admin GUI port, which is defined via this configuration:
config sys global
set admin-sport 10443
end
Entity ID: The unique identifier of the Service Provider (FortiGate) presented to the IdP. In Entra ID, this maps to Identifier (Entity ID). It must match exactly on both sides; if it changes, the IdP will treat the FortiGate as a different application.
Assertion consumer service URL: The callback/return URL where the IdP posts the SAML response after authentication. In Entra ID, this maps to Reply URL (ACS).
Must be reachable and exact (scheme/host/port/path); otherwise, URL reply mismatch errors or similar will be seen.
Single logout service: The endpoint FortiGate uses for SAML logout (single sign-out) flows.
In Entra ID, this maps to the Logout URL (when setting up SLO).
Note: Many environments do not rely heavily on SAML SLO; if configured, the URL still must match exactly.
IdP entity ID: The unique identifier for the Identity Provider (who is authenticating users). That comes from the IdP’s SAML metadata.
Entra mapping: Identifier (Entity ID) (the IdP’s identifier).
Must match exactly, or FortiGate may reject the SAML response as coming from an unexpected IdP.

Complete the SAML configuration in Entra ID:
- Back in Entra -> Single sign-on (SAML) -> Basic SAML Configuration, set fields using the SP Details copied from FortiGate: Identifier (Entity ID), Reply URL (ACS), Sign on URL (portal URL), Logout URL (SLS).
- User Attributes & Claims: add a claim named username (no namespace) mapped to an attribute that matches the FortiGate admin username (commonly user.userprincipalname). Remove unused claims if desired.
Name: username.
Namespace: Leave blank.
Source: Attribute.
Source attribute: user.userprincipalname (The value of this attribute must match the username the administrator will be using to log in).
Note: The FortiGate will expect to receive the username of the administrator in the 'username' attribute. Entra ID does not send an attribute with this name by default.

- Access control: In the enterprise app properties, decide whether 'User assignment required' is enabled and assign the required users/groups.

Access authorization: Several options control access to a SAML SP (FortiGate) on the Azure side. Switch to the Properties section of the SAML application in Azure.
'Enabled for users to sign-in': When set to 'No', access is completely disabled for everyone.
'User assignment required': When set to 'Yes', only users/groups configured in the section 'Users and groups' are allowed access. When set to 'No', any valid user from this directory is allowed to use this SAML SP and authenticate to the FortiGate admin GUI.
Right now, there is no option to configure SAML SSO admin authentication per VDOM. As a workaround, one of the following approaches can be used where it fits:
- If possible, set the FortiGate SSO URL to an FQDN and use DNS to resolve that FQDN to the IP addresses of different VDOMs, so that different users reach the FortiGate on different IPs while using the same FQDN.
- Add the VDOM to the user's VDOM list (not ideal if permissions are a concern).
- Change the SSO URL to the IP address of the VDOM that is needed.
If there is a requirement to bind admin users to Entra ID accounts and grant access to a specific VDOM, use RADIUS instead and follow these articles:
- RADIUS authentication with Microsoft Entra ID
- Technical Tip: Radius administrator authentication with multiple VDOM
Validation:
- Open the FortiGate GUI login page. If the default login page is Normal, select the SAML/SSO option.
- Authenticate in Entra ID. After successful login, confirm the FortiGate administrator account is created/recognized and has the expected admin profile.
- If the admin_no_access profile is used as the default profile, assign an appropriate admin profile after the first login.
Default admin profile:
This option controls which admin profile is assigned to newly created SAML SSO administrators.
There is a special virtual profile available for selection called 'admin_no_access'. This profile blocks access to the FortiGate GUI until a different administrator assigns a real profile to the new administrator. This is useful for first-time logins: the profile for a new administrator is decided explicitly before they are allowed in.
IdP settings.
IdP type: Custom.
IdP certificate: Select the certificate imported in step 4.
The last three options should be filled with values saved in step 3.
IdP entity ID: Entra ID Identifier.
IdP single sign-on URL: Login URL.
IdP single logout URL: Logout URL.
Recovery:
If SAML is set as the default login and SAML is not functional, access to local login from the GUI may be lost.
Troubleshooting.
Debug commands:
Enable debugging:
diagnose debug application httpsd -1
diagnose debug application samld -1
diagnose debug application eap_proxy -1
diagnose debug application http_authd -1 <----- Available in 7.6.4.
diagnose debug console timestamp enable
diagnose debug enable
Disable debugging:
diagnose debug disable
diagnose debug reset
Logs:
The SAML request message sent from the FortiGate SP to the Azure IdP is visible in the '**** Auth Req URL ****' section:
2019-08-14 10:04:49 [httpsd 8170 - 1565769889 info] ap_invoke_handler[569] -- new request (handler='saml-sp-login-handler', uri='/saml/login/', method='GET')
2019-08-14 10:04:49 [httpsd 8170 - 1565769889 info] ap_invoke_handler[573] -- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
2019-08-14 10:04:49 [httpsd 8170 - 1565769889 info] ap_invoke_handler[576] -- Source: 10.5.63.254:58486 Destination: 10.5.60.60:443
__update_sp_sig_opt [251]: SP no sig is required.
__samld_sp_create_auth_req [381]:
**** Auth Req URL ****
https://login.microsoftonline.com/<tenant-ID>/saml2?SAMLRequest=<-###SAML-REQUEST-HERE-###>&RelayState=%2Fng
The SAMLRequest value is the URL-encoded form of the request. URL-decoding it gives the base64-encoded request message, which can be further base64-decoded and inflated (the redirect binding uses raw DEFLATE compression) to show the actual XML content of the request message.
Similarly, the IdP response forwarded from the IdP back to the FortiGate SP is visible in the following section:
2019-08-14 10:05:06 [httpsd 8170 - 1565769906 info] ap_invoke_handler[569] -- new request (handler='saml-sp-handler', uri='/saml/', method='POST')
2019-08-14 10:05:06 [httpsd 8170 - 1565769906 info] ap_invoke_handler[573] -- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
2019-08-14 10:05:06 [httpsd 8170 - 1565769906 info] ap_invoke_handler[576] -- Source: 10.5.63.254:58504 Destination: 10.5.60.60:443
__samld_sp_login_resp [723]:
Message Body
<###-base64-encoded-message-###> <-----
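To read the two debug sections above without pasting the values into an online decoder, the following Python helper (an added example, not part of this article or of any Fortinet tool) decodes the redirect-binding SAMLRequest from the Auth Req URL and the base64 Message Body of the POST-bound response, and reports the items the troubleshooting section below checks: issuer, which elements carry a Signature, the 'username' attribute and the validity window. The request, response, tenant ID and hostnames embedded in it are constructed placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def decode_redirect_request(auth_req_url):
    """AuthnRequest XML from the '**** Auth Req URL ****' line: URL-decode the SAMLRequest
    parameter, base64-decode it, then inflate it (the redirect binding uses raw DEFLATE)."""
    query = urllib.parse.urlparse(auth_req_url).query
    saml_request = urllib.parse.parse_qs(query)["SAMLRequest"][0]  # parse_qs URL-decodes
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()  # -15: raw DEFLATE

def inspect_post_response(message_body_b64):
    """Decode the base64 'Message Body' of the POST-bound Response and report what the
    troubleshooting section checks: issuer, signed elements, 'username', validity window."""
    root = ET.fromstring(base64.b64decode(message_body_b64))
    assertion = root.find("saml:Assertion", NS)
    result = {"issuer": root.findtext("saml:Issuer", namespaces=NS),
              "response_signed": root.find("ds:Signature", NS) is not None,
              "assertion_signed": False, "username": None, "not_before": None, "not_on_or_after": None}
    if assertion is not None:
        result["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
        for attr in assertion.findall(".//saml:Attribute", NS):
            if attr.get("Name") == "username":  # the one attribute FortiGate requires
                result["username"] = attr.findtext("saml:AttributeValue", namespaces=NS)
        cond = assertion.find("saml:Conditions", NS)
        if cond is not None:  # compare these with the FortiGate clock on a 'Clock skew issue'
            result["not_before"] = cond.get("NotBefore")
            result["not_on_or_after"] = cond.get("NotOnOrAfter")
    return result

# Constructed sample AuthnRequest, encoded the way the SP does for the redirect binding.
_req_xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" '
            'Version="2.0" AssertionConsumerServiceURL="https://fgt.example.com/saml/?acs"/>')
_c = zlib.compressobj(9, zlib.DEFLATED, -15)
SAMPLE_AUTH_REQ_URL = ("https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2?SAMLRequest="
                       + urllib.parse.quote(base64.b64encode(_c.compress(_req_xml.encode()) + _c.flush()).decode())
                       + "&RelayState=%2Fng")

# Constructed sample Response where only the Assertion is signed (the 'Signature element not found' case).
_resp_xml = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-10-21T16:20:00Z" NotOnOrAfter="2024-10-21T17:25:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="username">
      <saml:AttributeValue>admin1@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_MESSAGE_BODY = base64.b64encode(_resp_xml.encode()).decode()
```

Paste the real Auth Req URL or Message Body from the debug output in place of the samples; a missing 'username', a False in either signed flag, or a validity window that does not contain the FortiGate's current time points directly at one of the errors listed below.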
Common errors and fixes:
- Username is missing in SAML assertion attributes: the assertion attributes/claims are misconfigured and do not contain the 'username' attribute.
Fix: add the username claim in Entra ID (User Attributes & Claims).

- AADSTS700016 (Application not found): SP entity ID mismatch between FortiGate and Entra; copy the SP entity ID from FortiGate SP Details and set it as Identifier (Entity ID) in Entra.
Fix: Verify what the currently configured SP entity ID is on the FortiGate, and then make sure the same value is set in Azure.

- Response validation failed/SAML Response rejected: verify the IdP certificate selection, verify the IdP entity ID, and confirm that FortiGate and Entra ID time are in sync.

Fix 1: This may be caused by selecting an incorrect IdP certificate in the FortiGate configuration. Make sure it matches the certificate used in Entra ID.
Fix 2: This may also be due to an incorrect IdP entity ID in the FortiGate configuration. Make sure it matches the Entra ID Identifier.
Fix 3: This may also happen if the time on the FortiGate and in Azure is not in sync, which causes authentication to fail with the error below in the SAML debug output:
__samld_sp_login_resp [843]: Clock skew tolerance: 0
__samld_sp_login_resp [848]: Clock skew issue. <----
samld_send_common_reply [91]: Code: 5, id: 1, pid: 24566, len: 53, data_len 37
samld_send_common_reply [99]: Attr: 22, 12,
samld_send_common_reply [99]: Attr: 23, 25, Undefined error.
2024-10-21 16:26:11 [httpsd 24566 - 1729520771 error] saml_sp_acs_handler[823] -- Error in SP ACS handler. Response validation failed. SAML Response rejected.
- Invalid HTTP request: typically, a typo/mismatch in Login/Logout URLs; verify URLs match exactly on both sides. Consider increasing remoteauthtimeout if needed.

config system global
set remoteauthtimeout 120
end
An invalid HTTP request error occurs when there is a misconfiguration or typo in the login or logout URL. Check the configuration and make sure the URLs match exactly on both sides. A sample configuration from the CLI looks like the following (this sample is an SSL VPN SAML entry under config user saml; the entity ID, login URL and logout URL under config system saml must match the Entra ID side in the same way):
config user saml
edit "ssl-azure-saml"
set entity-id "https://<test-domain>:65443/remote/saml/metadata"
set single-sign-on-url "https://<test-domain>:65443/remote/saml/login"
set single-logout-url "https://<test-domain>:65443/remote/logout"
next
end
- Signature element not found after upgrade: on newer FortiOS releases, both SAML Response and Assertion may need to be signed. Update the Entra signing option accordingly.
- AADSTS90002: Tenant '<tenant-ID>' not found. This may happen if there are no active subscriptions for the tenant. Check with the subscription administrator.

Fix: The tenant ID included in the IdP single sign-on URL configured on FortiGate is not correct. Make sure this value matches the Login URL from Entra.
Error: 'No group info in SAML response' or 'No user name info in SAML response'.
When this happens, the following log lines are seen:
2024-12-04 13:24:10 [xxx]fsv_saml_login_response:697 No user name info in SAML response. Please check saml configuration.
2024-12-04 13:24:10 [xxxx]fsv_saml_login_resp_cb:225 SAML response error: 4.
Fix: Ensure Attributes and Claims are correctly configured in Entra ID.
Microsoft documentation on how to add claims: Configure group claims for applications by using Microsoft Entra ID.
- Unable to log into FortiGate GUI because SAML SSO is the default login, and it is not functional.
Fix: If SAML login is the default method and fails before a user is redirected back to the FortiGate, an administrator may not be given a chance to perform a standard local logon.
To get around this, log in by manually opening the SP ACS (login) URL (https://<fortigate>/saml/?acs). Ignore the error displayed and proceed with 'select here to log in locally'. Afterward, the default login page can be switched to 'Normal' in the GUI.
In this case, the change can also be made via SSH/Console as below:
config system saml
set default-login-page normal
end
- The following message is seen in the SAML debug output: 'Failed to process response message. ret=101(Signature element not found.)'.
Fix: Starting from v7.2.12, v7.4.9, and v7.6.4, FortiGate verifies that both the SAML assertion and the response must be signed, not just the SAML assertion. To resolve the authentication issue, change the Signing Option in IDP 'Sign SAML assertion' to 'SAML response and Assertion'. Refer to the article: Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.

Notes:
FortiOS v8.0.0 (ETA Mar. 2026), v7.6.5, v7.4.10, v7.2.13, v7.0.18, and all later versions add a CLI option that allows administrators to control signature verification for SAML responses and assertions. The new CLI option is shown below and allows administrators to choose between requiring both the response and the assertion to be signed (enable, the default) or requiring that at least one of the two is signed (disable).
See Introduction and supported models in the FortiOS release notes.
config user saml
edit <name>
set require-signed-resp-and-asrt <enable | disable>
next
end
- enable: Both the response and the assertion must be signed and valid (default).
- disable: At least one of the response or the assertion must be signed and valid.
Additional notes:
- Per-VDOM SAML admin authentication is not directly configurable; consider DNS/FQDN routing workarounds if this requirement exists.
- IKE SAML port can be changed with auth-ike-saml-port if necessary.
Related documents:
- SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 6.2: Cookbook SAML.
- SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 6.2.3: Configuring the Security Fabric with SAML.
- SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 6.4.2: Configuring the Security Fabric with SAML.
- SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 7.0.2: Configuring single-sign-on in the Security Fabric.
- SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 7.2.2: Configuring single-sign-on in the Security Fabric.
- SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 7.4.1: Configuring single-sign-on in the Security Fabric.
- Microsoft documentation for setting up SAML non-gallery application: Quickstart: View enterprise applications.
- SAML chrome panel
- SAML Message Decoder
- SAML-tracer
- SAML SSO with FortiAuthenticator as IDP
- Technical Tip: Configuring Read-Only Access and Admin Access for specific SAML SSO Users on FortiGat...
- Technical Tip: FortiClient SAML Authentication Configuration Demystified
