New Member

Question

SSL VPN and azure saml not permitted

Forum|Forum|1 year ago
March 13, 2025
2 replies
1765 views

I'm attempting to set up Azure AD authentication and I have followed the instructions at https://yura.stryi.com/en/2021-03-05/fortigate-ssl-vpn-azure-mfa/ to the letter up until the point where it talks about "FortiClient EMS setup" as AFAIK we don't have that and I can't find any reference to it. Regardless it seems to be talking to the azure app as when I login as an azure user I see in the logs

[fsv_found_saml_server_name_from_auth_lst:123] Found SAML server [azure-saml] in group [ALM-Staff]

but I then get

login_failed:391 user[username@domain.com],auth_type=1 failed [sslvpn_login_permission_denied]

Now ALM-Staff is a local user group that can already login to the VPN (which would've been nice to know when I was setting up the groups). Following the guide I set up azure-saml and SAML_AZ_ALL using something like

config user saml     edit "azure-saml"         set cert "Fortinet_Factory"         set entity-id "https://example-company.com:10443/remote/saml/metadata/"         set single-sign-on-url "https://example-company.com:10443/remote/saml/login/"         set single-logout-url "https://example-company.com:10443/remote/saml/logout/"         set idp-entity-id "https://sts.windows.net/YYY-e027-4bb6-a213-XXX/"         set idp-single-sign-on-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"         set idp-single-logout-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"         set idp-cert "REMOTE_Cert_1"         set user-name "username"         set group-name "group"     next end

and

config user group     edit "SAML_AZ_ALL"         set member "azure-saml"         config match             edit 1                 set server-name "azure-saml"                 set group-name "YYY-a79a-40f0-a2df-XXX"             next         end     next end

What more do I need to do to tell the fortinet appliance to use saml? Is the existing login scheme overriding it? I just get a fortinet login page saying "Error: Permission denied" and at no point does it bring up the azure login.

MZBZ

Staff

Have u selected SSO(=SAML) for the client side vpn profile?!

MaeIstromAuthor

New Member

Where do I find the client side vpn profile? I can't see anything resembling that phrase in the fortinet menu. It's running V7.012 if that's relevant.

pminarik

Staff

You should review the SAML response when it is received by the FortiGate from the IdP, and check if it contains the group's UUID as expected.

enable samld debug output:

di de app saml -1

di de app sslvpn -1

di de enable

Reproduce the authentication attempt (with FortiClient or webmode)
Search through the output for the dump of the SAML reply. It should be looong XML output starting with something like <samlp:Response ...
You can paste it into some text editor of your choice and format it properly (add newlines and indentation), and then search for the user/group attributes and validate their contents.

MaeIstromAuthor

New Member

Is there a way to modify those commands to only show output from my IP? The router is being hammered with bots trying to login and the debugging output is constantly scrolling off screen. I was able to slow it down by firewalling the vpn off to my machine which was how I got to find out there was existing vpn with users when the angry phone calls started coming in. But in that brief period of looking at the logs I didn't see any XML output or SAML replies. The only line that even mentioned saml was

[fsv_found_saml_server_name_from_auth_lst:123] Found SAML server [azure-saml] in group [ALM-Staff]

There's also no record of any connections in the azure logs.

MZBZ

Staff

sslvpn daemon logs can be filtered, but saml and fnband have no log filter:

SSL VPN disconnection issues when connect... - Fortinet Community

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded