IvK
New Member
December 1, 2020
Solved

saml Azure AD - ssl-vpn - forticlient time out


Hello,
I have configured our Fortigate to authenticate our ssl-vpn users with Azure AD. I've configured the enterprise app within Azure AD and configured the SAML user within the Fortigate.
I have no issues when I login the web-mode.
However, when I try to connect with the Forticlient I receive a blank screen after passing the authentication. After a while I receive the following error: "Login page did not respond within time limit." The second time I press SAML Authentication, the Forticlient connects within seconds.
I reckon one of the URLs might be different for tunnel-mode / web-mode. Did anyone manage to find a solution for this issue?

    Best answer by IvK

    You are correct. Just Azure AD, no other. Azure AD is an identity provider. Just make sure your Fortigate has its firmware above 6.4.X.
    I've written a blog post about it:
    Ivo-Security - Fortigate and Azure AD: Safe remote access (ivo-security.blog)
    I've also written a blog about the Azure-AD Dynamic Groups in combination with Fortigate:
    Ivo-Security - Fortigate policy’s based on Azure Dynamic Groups (ivo-security.blog)

    1 reply

    useradmn
    New Member
    December 17, 2020

    I've got the same issue and Fortinet seems to think it is Microsoft not responding. I don't think so, because the logs on Microsoft's side show where the response is sent. I think Fortinet has some work to do on their end.
    I also get hit/miss activity when Azure users try to authenticate after doing MFA. Of course, Fortinet points the finger at Microsoft, but Microsoft has shown proof of response. I'm thinking the Forticlient needs to be fixed.

    IvK (Author)
    New Member
    December 17, 2020

    I forgot to mention that I resolved the issue.
    I changed the following setting on the Fortigate:

        config system global
            set remoteauthtimeout 60
        end

    After that I could connect with the Forticlient.

    NeilG
    New Member
    January 22, 2021

    You can get Fortigate to use Azure AD (not Azure AD Domain Services) as auth provider with just Fortigate on-premise? No FortiAuthenticator or EMS or ....?


    Does this just come as part of setting up SD-WAN to Azure?