JohnStep
New Member
September 19, 2025
Question

Fortigate SSO Office 365 for SSL/VPN


Hi,

I have configured SSO to Entra 365 on a Fortigate 40F running 7.0.13. I created a trusted certificate and added it to the Fortigate. When I use the FQDN to connect to the SSL port and use SSO, it never works properly, always seeming to time out, especially after signing in on the 365 side when it relays back to the Fortigate. I did adjust the remote timer. However, when configuring in FortiClient, if I use the IP address I get a self-signed warning but am able to connect to the VPN after signing in using SSO.

Is there some kind of DNS thing I need to do on the Fortigate? I notice the web listening mode in SSL/VPN settings is showing the IP address and not the FQDN. 

I am highly certain all the SAML stuff is good, as I have beaten this up for a few days.

So I'm thinking it's a DNS resolving issue. I have already placed an A record on my public DNS. And I can always sign in without fail using the FQDN to the web admin interface.

1 reply

Atul_S
Staff & Editor
September 21, 2025

Hi John,

Could you please confirm whether the FQDN defined in the SAML metadata matches the FQDN used by the end user? Also, it is worth checking whether the trusted certificate installed on the FortiGate includes this FQDN in either the CN or SAN field.
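One way to script the two checks suggested above (does the SAML SP metadata name the same FQDN users type, and does the certificate's CN/SAN cover that FQDN), as an added example that is not from this thread or from Fortinet. The SP metadata below is constructed with the placeholder hostname vpn.example.com; the certificate names are passed in as a plain list (for instance copied from `openssl x509 -noout -ext subjectAltName` output), and the wildcard rule is a simplified single-label RFC 6125 match.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata with a placeholder hostname (shape of a FortiGate
# SSL-VPN SAML SP descriptor; not exported from a real device).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com:10443/remote/saml/metadata/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com:10443/remote/saml/login/" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_hosts(xml_text):
    """Hostnames used by the entityID and every AssertionConsumerService Location."""
    root = ET.fromstring(xml_text)
    urls = [root.get("entityID")]
    urls += [acs.get("Location") for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    return {urlparse(u).hostname.lower() for u in urls if u}


def san_matches(fqdn, names):
    """True if fqdn equals a CN/SAN dNSName or is covered by a one-label '*.' wildcard."""
    fqdn = fqdn.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        # Wildcard covers exactly one left-most label (no match for extra labels).
        if name.startswith("*.") and "." in fqdn and fqdn.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_sso_fqdn(user_fqdn, metadata_xml, cert_names):
    """Return (ok, findings) for the FQDN-vs-metadata and FQDN-vs-certificate checks."""
    findings = []
    hosts = metadata_hosts(metadata_xml)
    if hosts != {user_fqdn.lower()}:
        findings.append(f"SAML metadata uses {sorted(hosts)}, users connect to {user_fqdn}")
    if not san_matches(user_fqdn, cert_names):
        findings.append(f"certificate CN/SAN {cert_names} does not cover {user_fqdn}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_sso_fqdn("vpn.example.com", SP_METADATA, ["vpn.example.com"])
    print("OK" if ok else "\n".join(findings))
```

Connecting by IP address, as the original post does, fails only the certificate check here, which is consistent with the self-signed warning described.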

JohnStep (Author)
New Member
September 21, 2025

Thanks for getting back. The FQDN looks solid and matches in the SAML configs both in Fortigate and on Entra (365 Azure). The trusted certificate also looks correct. I noticed in Entra that you can't create groups inside the app without having a P1 or P2 license. I am only testing with myself as a single user and have assigned myself. But does this setup require group setups as well? Not sure if that is the issue. It just seems to time out after I successfully log in using 2-factor. It's like the Fortigate is not responding, as I assume at that point the traffic is connecting back to the Fortigate to complete the VPN SSL connection.

Atul_S
Staff & Editor
September 21, 2025

Hi John,

The group configuration is not necessary if you are testing with a single user.

As you have confirmed that the configs look intact and you have received the 2FA, consider adjusting the remote auth timer as below:

    config system global
        set remoteauthtimeout xx
    end

Thanks,