Configuring SAML SSO Entra Login

Question

Hello everyone,currently we are hanging in the SAML Entra SSO Setup. I checked the recommends Articles here in the Support Forum and watched serveral Videos.Firmware: v7.4.5 build2702Model: FortiGate 101F After the SAML login via the FortiClient and Enter the M365 Credentials, follwing Error Appear: Configuration on the Fortigate:User & Authentication > Single-Sign-onService Provider ConfigurationAddress: "forti-fqdn:6443" Entity ID: "http://forti-fqdn:6443/remote/saml/metadata/" Assertion consumer service URL: "https://forti-fqdn:6443/remote/saml/login" Single logout service URL: "https://forti-fqdn:6443/remote/saml/logout" Identity Provider ConfigurationEntity ID: "https://sts.windows.net/xxxx/" Assertion consumer service URL: "https://login.microsoftonline.com/xxxx/saml2" Single logout service URL: "https://login.microsoftonline.com/xxxx/saml2"  Certifcate Import from Entra  Additional SAML AttributesAttribute used to identify users: nameAttribute used to identify groups: groups The Identity Provider Configuration URLs are also stored in the SAML SSO Settings under Security Fabric. On the Entra side I add the Forttigate SSL VPN Enterprise Application.Basic SAML ConfigurationIdentifier (Entity ID): "http://forti-fqdn:6443/metadata/" Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs" Sign on URL: "https://forti-fqdn:6443/saml/login/" Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"Create a security Group that are assigend to the App. Following this example, I have linked the group ID with the Forti: config user group     edit "SAML_AZ_ALL"         set member "azure-saml"         config match             edit 1                 set server-name "azure-saml"                 set group-name "YYY-a79a-40f0-a2df-XXX"             next         end     next endA Firewall Rule for the created "SAML_AZ_ALL" Group was added (Incoming Interface SSL-VPN) When testing the connection from entra, I get the following error message: ForbiddenYou don't have permission to access /saml/login/ on this server. Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request. So an error must have crept in somewhere, I am currently at a loss.Perhaps someone has a tip on what I can still adjust or have forgotten. I am grateful for any support

pminarik · Accepted Answer

> On the Entra side I add the Forttigate SSL VPN Enterprise Application. > Basic SAML Configuration> Identifier (Entity ID): "http://forti-fqdn:6443/metadata/" > Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs" > Sign on URL: "https://forti-fqdn:6443/saml/login/" > Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"   The bold parts of the above URLs are incorrect. What you have there right now corresponds with the typical URL paths used for admin GUI login. But since you're trying to use SSL-VPN, you need to use the SSL-VPN-relevant URL paths (/remote/saml/login, /remote/saml/logout, /remote/saml/metadata ...).

baraja · Answer

HiI have the same issue but no solution yet. I always get the same error back. Also the error with #Lassoserver  config user saml    edit "azure"        set cert "forst.fortiddns.com"        set entity-id "http://FQDN:400/remote/saml/metadata/"        set single-sign-on-url "https://FQDN:400/remote/saml/login"        set single-logout-url "https://FQDN:400/remote/saml/logout"        set idp-entity-id "https://MSID/"        set idp-single-sign-on-url "https://login.microsoftonline.com/MSID/saml2"        set idp-single-logout-url "https://login.microsoftonline.com/MSID/saml2"        set idp-cert "REMOTE_Cert_1"        set user-name "username"        set group-name "group"        set digest-method sha1    nextend

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded