fabs
Visitor III
December 4, 2024
Question

7.6.0 / IPsec SAML EntraID / ERR_EMPTY_RESPONSE

  • December 4, 2024
  • 2 replies
  • 11694 views

Hello all,

I am currently in the process of setting up VPN IPsec via SAML EntraID.
I followed this technical tip:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-Microsoft-Entra-ID-SAML/ta-p/307457

However, when connecting to the FortiClientVPN 7.4.0.1658, I promptly get “ERR_EMPTY_RESPONSE” back during SSO.

The URL information in the EntraID Enterprise Application and in my IdP settings on the FortiGate is correct.

I have an SSL VPN SAML EntraID setup working perfectly. Does anyone have an idea what could be the problem?

2 replies

sjoshi
Staff
December 4, 2024

Hi,

You can take a samld debug and an SSL VPN debug on the FortiGate; that will give better clarity on the issue.

Refer:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Companion-for-troubleshooting-SSL-VPN-with/ta-p/217719

Thanks, Salon
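The FortiGate CLI debug session the reply refers to, as an added example that is not part of the original post. It assumes the FortiOS `diagnose debug` commands below are available on 7.6.0 (they are standard in 7.x); the samld and sslvpn daemons cover the SSL VPN case, and ike and fnbamd are added for the IPsec SAML case discussed in the thread.

```fortios
# Added example: capture SAML and VPN daemon output on the FortiGate while a
# client attempts SSO. Run from an SSH/console session, reproduce the failure,
# then disable the debug.
diagnose debug reset
diagnose debug console timestamp enable

# SAML daemon: shows the AuthnRequest sent to Entra ID and the assertion
# received back (or the absence of one, as with ERR_EMPTY_RESPONSE).
diagnose debug application samld -1

# SSL VPN daemon: relevant for the SSL VPN SAML flow.
diagnose debug application sslvpn -1

# IPsec SAML flow: IKE daemon plus the authentication daemon that applies
# the user-name / group-name claim mapping.
diagnose debug application ike -1
diagnose debug application fnbamd -1

diagnose debug enable

# ... reproduce the FortiClient SSO attempt here, then:
diagnose debug disable
diagnose debug reset
```

In the samld output, look for whether an assertion arrives at all and whether the attribute names in it match what the FortiGate `config user saml` object expects; a missing or renamed claim shows up as a successful IdP login that the FortiGate still rejects.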
fabs (Author)
Visitor III
December 4, 2024

Thanks, I'll look into the debug.
For the CA issue we need to have the external browser for SSO; FortiClientVPN 7.4.0.1658 does not give me this setting for IPsec, so I've installed the latest version, FortiClientVPN 7.4.1, but when I select external browser, after clicking connect it directly stops and no browser session is opened.

sjoshi
Staff
December 4, 2024

Have you tested with other PCs too? Is the behaviour the same from all systems?

Thanks, Salon
fabs (Author)
Visitor III
December 6, 2024

Hello guys,

I have now also been able to solve the problem with the EAP auth.
The connection now works with Windows and iOS.

The reason was that I had forgotten to set the "group" user.groups claim in the SSO settings under Attributes & Claims in the EntraID Enterprise app, and I had also forgotten to set the "username" user.principalname claim.

But the issue with the EntraID CA Policy when I try to connect with my iPhone is still there.

"AADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through Conditional Access policy.
Supported device platforms are: iOS, Android, Mac, and Windows flavors."

It looks like the SSO prompt on SSL VPN is done by Safari, and the IPsec SSO prompt by the built-in browser of FortiClientVPN?
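The FortiGate side of the claim mapping that resolved the EAP authentication, as an added example that is not part of the original post. It assumes a `config user saml` object named `entra-ipsec-saml` and a matching `config user group`; the entity, sign-on and certificate values are placeholders to be taken from the linked technical tip, and the Entra group is assumed to be sent as its object ID, which is the Entra ID default for a groups claim.

```fortios
# Added example: the two attribute names configured here must match the claim
# names defined under Attributes & Claims in the Entra ID Enterprise
# Application ("username" mapped to user.principalname, "group" mapped to
# user.groups in the thread). A missing or differently named claim makes the
# FortiGate reject an otherwise valid assertion.
config user saml
    edit "entra-ipsec-saml"
        set cert "<fgt-server-cert-placeholder>"
        set entity-id "<sp-entity-id-from-tech-tip>"
        set single-sign-on-url "<sp-sso-url-from-tech-tip>"
        set single-logout-url "<sp-slo-url-from-tech-tip>"
        set idp-entity-id "<entra-identifier-placeholder>"
        set idp-single-sign-on-url "<entra-login-url-placeholder>"
        set idp-single-logout-url "<entra-logout-url-placeholder>"
        set idp-cert "<entra-signing-cert-placeholder>"
        # Claim names as they appear in the assertion, not the Entra source attributes.
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

# Bind a firewall user group to one Entra group value carried in the "group"
# claim; the group-name here is the Entra group object ID (assumed default).
config user group
    edit "entra-vpn-users"
        set member "entra-ipsec-saml"
        config match
            edit 1
                set server-name "entra-ipsec-saml"
                set group-name "<entra-group-object-id-placeholder>"
            next
        end
    next
end
```

The `config match` entry is what ties the group claim to a policy: if the claim name, or the group value inside it, does not match, the user authenticates at Entra ID but lands in no FortiGate group and the tunnel is refused.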

fabs (Author)
Visitor III
December 6, 2024

Hello @sjoshi
The Windows FortiClientVPN is working fine.
The CA issue is with the iOS FortiClientVPN, and only with the IPsec connection.

When connecting via SSL VPN:
[screenshot: ssl_vpn.png]

When connecting with IPsec VPN:
[screenshot: ipsec_vpn.png]

So the User-Agent is not valid, and my CA policy is blocking it because it does not detect a compliant device.