Skip to main content
MichaelTorres
Staff
MichaelTorres
Staff
June 26, 2025

Troubleshooting Tip: VPN IKEv2 SAML in FortiGate do not work with FortiClient version 7.4.3

  • June 26, 2025
  • 0 replies
  • 2059 views
Description

This article describes a behavior where users correctly configured the Group ID for the SAML integration; however in the authentication does not work in IKEv2.
Scope FortiGate v7.4.7, FortiClient v7.4.3.
Solution

Users configure a SAML integration with a specific group ID.

 

config system global
    set allow-traffic-redirect disable
    set auth-ike-saml-port 10428

 

config user saml

    edit "saml"
        set cert "Fortinet_Factory"
        set entity-id "http://x.x.x.x:10428/remote/saml/metadata/"
        set idp-entity-id "https://sts.windows.net/942b80cd-xxxx-42a1-8dcf-4b21dece61ba/"
        set idp-cert "REMOTE_Cert_1"
    next

 

config user group

    edit "azure_group"
            set member "saml"
                config match
                    edit 1
                        set server-name "saml"
                        set group-name "c901e49d-3fff-41b5-910f-xxxxxxxx"

 

config vpn ipsec phase1-interface

    edit "vpn_car"
            set type dynamic
            set interface "port1"
            set ike-version 2
            set mode-cfg enable
            set ipv4-dns-server1 8.8.8.8
            set eap enable
            set eap-identity send-request
            set assign-ip-from name
            set ipv4-split-include "10.0.2.0"
            set ipv4-name "IPSEC_aDD"
            set client-auto-negotiate enable
      next

 

config firewall policy

    edit 8
            set name "VPN Inbound"
            set uuid b0bcc592-38c9-51f0-8e1c-ab03d67e8ef2
            set srcintf "vpn_car"
            set dstintf "port2"
            set action accept
            set srcaddr "IPSEC_aDD"
            set dstaddr "10.0.2.0"
            set groups "azure_group"
    next

 

config system interface

    edit "port1"
            set ike-saml-server "saml"
    next

 

In the debugs, the authentication process starts correctly, but it never finishes.

 

[authd_local_saml_auth:5778]: SAML login with UID 'DA715D9413064DD09C155EB6D427BC00'.
[authd_http_prepare_javascript_redir:3942]: https://x.x.x.x:10428/saml?070d048694950f1c

[545] __fnbamd_cfg_get_tac_plus_list_by_group-
[557] __fnbamd_cfg_get_tac_plus_list_by_group-Group 'azure_group'
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-

[456] fnbamd_rad_get-vfid=0, name='EAP_PROXY'
[911] fnbamd_cfg_get_radius_list-Loaded RADIUS server 'EAP_PROXY'
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1

ep_fnbam_auth_wpa_user 401 -- svc_type='vpn-ikev2', user='DA715D9413064DD09C155EB6D427BC00', vdom='root', intf='FGVMXXXX'
fnbam_add_groups 304 -- Adding user usergroup azure_group
ep_fnbam_auth_wpa_user 500 -- auth_res=4.
ep_fnbam_auth_wpa_user 520 --auth sess added, ses_id=10204863078401

 

There is no output in the fnbamd debugs as explained in the following link, and authentication never works.

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients 

 

Solution:

Disable the feature 'use external browser as user-agent for SAML user authentication' in the FortiClient settings.

Open FortiClient, navigate to Remote Access -> Edit IPSec VPN -> Single Sign On Settings -> Disable. Use an external browser as user-agent for SAML user authentication.

 

forticlient feature.png

 

Note:

Starting FortiOS v7.4.9, SAML using an external browser for authentication is supported:

New features or enhancements 
      Terms & ConditionsAccessibility statement