julianhaines
Explorer II
October 16, 2024
Solved

Setting up FortiGate Web Authentication and SAML as IdP

  • October 16, 2024
  • 2 replies
  • 2464 views

Hi,

I am trying to set up FortiGate Web Authentication and SAML as IdP, but I am having issues. I am following this guide: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/33053

I have set it up, but the authentication portal is not kicking in. I have seen that on the FortiGate, in the interface settings, you can enable Security Mode "Captive Portal". Does this need enabling, as it is not mentioned in the guide?

Overview of what I have done:

1. Created an Enterprise App in Entra ID.

2. Created a group in Entra ID, added users and assigned it to the app.

3. Created a Single Sign-On entry on the FortiGate pointing to the Enterprise App.

4. Created a group on the FortiGate and set the Remote Server to the FortiGate Single Sign-On entry and the Enterprise App group ID.

5. Created a firewall rule to allow traffic out and added the FortiGate group created in step 4.

6. Created a firewall rule to allow traffic in.

When I test from a client PC or the Enterprise App I get "This site can't be reached."

I feel as if port 1003 is not enabled or working. Do I need to allow this port, or is there another step to enable the Captive Portal?
2 replies

nradia_FTNT
Staff
October 16, 2024

Hello,

You can use the following KB article to capture traffic:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560

You can sniff with the port number in question, e.g.:

    diag sniff pack any "host x.x.x.x and port 1003" 4 0 l

(where x.x.x.x is the destination or source IP in question), or you can just sniff with the port number, like:

    diag sniff pack any "port 1003" 4 0 l

Also a KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-FortiGate/ta-p/194656

Ade_23
Staff
Best answer
October 17, 2024

Hello julianhaines,

First of all, you do not need a rule to allow traffic in for SAML authentication.

Please run a SAML debug on the FortiGate to see if you get any output.

Also, please enable captive portal with IP 0.0.0.0 under authentication settings and try that way.
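The two checks in this reply written out as CLI, as an added example that is not part of the reply: the SAML daemon debug and the captive portal address. I am assuming that the "Captive Portal" address field under Authentication Settings in the GUI corresponds to `portal-addr` in `config firewall auth-portal`; check that against your firmware version before relying on it.

```fortios
# Added example, not the reply's own commands.

# Captive portal address (assumed CLI counterpart of the GUI field).
config firewall auth-portal
    set portal-addr "0.0.0.0"
end

# SAML daemon debug. Start it, then trigger a login from the client PC.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable

# ... reproduce the login attempt from the client while this is running ...

# Stop the debug when finished so the console is not flooded.
diagnose debug disable
diagnose debug reset
```

If the samld debug prints nothing at all during the login attempt, the request never reached the FortiGate's SAML daemon, and the port 1003 sniffer from the other reply is the next thing to check; if it prints an AuthnRequest but no assertion comes back, the problem is on the Entra ID side of the exchange.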