TheHoff1
New Member
October 17, 2022
Solved

Fortigate AzureAD SSO VPN immediate disconnect

  • October 17, 2022
  • 2 replies
  • 11990 views

We have set up our Fortigate 80F to connect to our AzureAD. All seems to work fine, but users immediately log out after the credentials are checked.

 

Whether we connect through the web interface or the FortiClient software, we fill in the user's credentials.

The login is validated and we immediately get 'Microsoft: You've signed out of your account.'

Followed by a 'Session ended' screen from the Fortigate.

 

I have followed all steps here: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial#configure-azure-ad-sso

 

But I seem to have missed something. Anyone any idea?

Best answer by Anonymous_User (Contributor), October 18, 2022

Hello 

 

Normally we would need debug output to be able to provide a solution, but I would first recommend rechecking the setup, since this is a new configuration which has never worked before:

 

So please refer to these complete step-by-step guides:

 

1) https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-SSL-VPN-with-Azure-SAML-SSO-Authentication/ta-p/200812

2) https://yura.stryi.com/en/2021-03-05/fortigate-ssl-vpn-azure-mfa/

 

After checking the configuration, I would kindly ask you to run the following debugs and try to reproduce the issue:

 

diag debug reset
diag debug console timestamp enable
diag debug app samld -1
diag debug app sslvpn -1
diag debug enable

 

Please also note the username used in the test, which group should the user be a member of and which SSLVPN portal you expect the user to be mapped to.

 

Also please refer to the last section of this article for the most common issues and misconfigurations:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SAML-authentication-resource-list/ta-p/213924

 

Please let us know the outcome and whether the issue still persists.

 

Regards

Edvin.

2 replies


TheHoff1 (Author)
New Member
October 19, 2022

Hi,

 

Thanks so much for the links. I have figured out what I did wrong.

 

For some reason the tutorial I had set the config user group FortiGateAccess / config match / edit 0 to 1.

And for group-name <Group Object ID>, I accidentally set my tenant ID. That would explain it all.

 

Cheers!

 

Contributor
October 19, 2022

Hi 

 

That's great to hear.

 

Thanks for sharing the fix and enriching our knowledge-sharing community.

 

Cheers!

Edvin.