lp_retelit
New Member
February 12, 2025
Question

Changing SAML configuration: Entity ID, SSO URLs

  • February 12, 2025
  • 1 reply
  • 1692 views

Hello,

We've configured SAML SSL VPN login with Azure AD and everything is working.


When we configured the connector we used the IP address of the FortiGate SSL VPN service, like this:


set entity-id "https://X.X.X.X:XXXX/remote/saml/metadata"
set single-sign-on-url "https://X.X.X.X:XXXX/remote/saml/login"

Now we've created an FQDN to access the VPN service, like sslvpnurl.domain.com.

When authenticating via FortiClient, users receive a certificate error because, even though the certificate configured on the FortiGate is correct (*.domain.com) and FortiClient is configured to use the FQDN, the SAML configuration is still configured with the IP address, so I think that's where the problem is.

Now I would like to change the Entity ID, SSO Sign In and Sign Out URLs in the FortiGate configuration like this:
set entity-id "https://sslvpnurl.domain.com:XXXX/remote/saml/metadata"
[....] [...]

so the error would disappear, I believe.

Do I have to change the same configuration on the Azure side (otherwise auth would not work anymore), or not?

Thanks

BR


1 reply

shikhakolekar
Staff
February 14, 2025

Hello,

If the URLs are set with the IP and the Subject Alternative Name on the certificate is different from the domain used, then yes, you will have to change the config

From

set entity-id "https://X.X.X.X:XXXX/remote/saml/metadata"
set single-sign-on-url "https://X.X.X.X:XXXX/remote/saml/login"

To

set entity-id "https://sslvpnurl.domain.com:XXXX/remote/saml/metadata"
[....] [...]

IdP and SP URLs should match, else auth will not work anymore.

More information on how the certs work and common errors:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-TLS-and-the-use-of-Digital-Certificates/ta-p/214958

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Fixing-the-error-Certificate-file-is/ta-p/196187

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-generate-wildcard-CSR/ta-p/195414

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-avoid-certificate-error-message-by-chaining/ta-p/196605

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Common-problems-and-causes-when-using-SAML/ta-p/199784

Thank you
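The two conditions the reply describes (the host in the SP URLs must be covered by the SSL VPN certificate's Subject Alternative Names, and the SP URLs on the FortiGate must match what the IdP has registered) can be checked before the change is made. The script below is an added example, not code from the thread or from Fortinet; it parses a constructed `config user saml` block, applies RFC 6125-style wildcard SAN matching, and diffs the SP URLs against a constructed copy of the IdP-side registration. The hostnames, port and addresses (203.0.113.10, sslvpnurl.example.com, 10443) are placeholder values for illustration.

```python
"""Consistency check for FortiGate SAML SP URLs vs. certificate SANs and IdP registration.

Added example (not Fortinet's code). All sample data below is constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

SAML_KEYS = ("entity-id", "single-sign-on-url", "single-logout-url")

# Constructed: the 'before' state from the thread, SP URLs built on the IP address.
CONFIG_BEFORE = """
config user saml
    edit "azure-saml"
        set entity-id "https://203.0.113.10:10443/remote/saml/metadata"
        set single-sign-on-url "https://203.0.113.10:10443/remote/saml/login"
        set single-logout-url "https://203.0.113.10:10443/remote/saml/logout"
    next
end
"""

# Constructed: the 'after' state, SP URLs built on the FQDN the wildcard cert covers.
CONFIG_AFTER = CONFIG_BEFORE.replace("203.0.113.10", "sslvpnurl.example.com")

# Constructed: SANs on the wildcard certificate bound to the SSL VPN portal.
CERT_SANS = ["*.example.com", "example.com"]

# Constructed: what the IdP (e.g. the Azure enterprise app) has registered for the SP.
IDP_OLD = {
    "entity-id": "https://203.0.113.10:10443/remote/saml/metadata",
    "single-sign-on-url": "https://203.0.113.10:10443/remote/saml/login",
    "single-logout-url": "https://203.0.113.10:10443/remote/saml/logout",
}
IDP_NEW = {k: v.replace("203.0.113.10", "sslvpnurl.example.com") for k, v in IDP_OLD.items()}


def parse_saml_sp(config_text):
    """Extract the SP-side URLs from a FortiGate 'config user saml' block."""
    pattern = r'set (entity-id|single-sign-on-url|single-logout-url) "([^"]+)"'
    return {key: value for key, value in re.findall(pattern, config_text)}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def san_matches(host, san):
    """DNS-ID match per RFC 6125: a wildcard covers exactly one leftmost label,
    and an IP literal never matches a DNS SAN."""
    host = host.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if is_ip_literal(host):
        return False
    if san.startswith("*."):
        host_labels, san_labels = host.split("."), san.split(".")
        return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]
    return host == san


def check_sp_config(config_text, cert_sans, idp_registered):
    """Return a list of findings; an empty list means the SP config is consistent."""
    findings = []
    sp = parse_saml_sp(config_text)
    for key in SAML_KEYS:
        url = sp.get(key)
        if url is None:
            findings.append(f"{key}: missing from FortiGate config")
            continue
        host = urlparse(url).hostname  # strips the port, lowercases
        if not any(san_matches(host, san) for san in cert_sans):
            findings.append(f"{key}: host {host} not covered by certificate SANs {cert_sans}")
        if idp_registered.get(key) != url:
            findings.append(f"{key}: FortiGate has {url} but IdP has {idp_registered.get(key)}")
    return findings


if __name__ == "__main__":
    for label, cfg, idp in (("before", CONFIG_BEFORE, IDP_OLD),
                            ("after, IdP not updated", CONFIG_AFTER, IDP_OLD),
                            ("after, IdP updated", CONFIG_AFTER, IDP_NEW)):
        print(f"== {label} ==")
        for line in check_sp_config(cfg, CERT_SANS, idp) or ["OK"]:
            print("  " + line)
```

Run as-is, the "before" state reports only certificate findings (the IP literal is not covered by `*.example.com`, which is the FortiClient error in the question), the "after, IdP not updated" state reports only IdP mismatches (the answer's point that both sides must change together), and the fully updated state reports nothing.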