mredus
Visitor III
November 17, 2022
Solved

SSL-VPN SAML SSO with Azure AD

  • November 17, 2022
  • 1 reply
  • 4097 views


Hello,

I have a FortiGate 60E appliance on which I am trying to enable SAML sign-on for the SSL-VPN portal. I have followed the steps in Fortinet's guide, as well as verifying everything using Microsoft's guide. SAML SSO does technically work, but it authenticates everyone as the "azure" user. Here are my configs:

FortiGate Side:

FW (saml) # show full
config user saml
    edit "azure"
        set cert "{CERT}"
        set entity-id "https://{FQDN}:8443/remote/saml/metadata"
        set single-sign-on-url "https://{FQDN}:8443/remote/saml/login"
        set single-logout-url "https://{FQDN}:8443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/{GUID}"
        set idp-single-sign-on-url "https://login.microsoftonline.com/{GUID}/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/{GUID}/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end

config user group
    edit "AAD-{Group}"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "{GUID}"
            next
        end
    next
end

On the Azure side:

Basic SAML Settings

Identifier (Entity ID): https://{FQDN}:8443/remote/saml/metadata
Reply URL (Assertion Consumer Service URL): https://{FQDN}:8443/remote/saml/login
Sign on URL: https://{FQDN}:8443/remote/saml/login
Logout Url (Optional): https://{FQDN}:8443/remote/saml/logout

Attributes and Claims

givenname: user.givenname
surname: user.surname
emailaddress: user.mail
name: user.userprincipalname
username: user.userprincipalname
group: user.groups
name: user.userprincipalname
Unique User Identifier: user.userprincipalname

Again, the whole SSO process works, but the user is just being signed in to the FortiGate as "azure". Through some debug commands (as well as a browser plugin that captures SAML conversations) I can see that the user's identification is being passed to the FortiGate by Azure. Any help here is appreciated.

[attached screenshot: mredus_1-1668717454094.png]
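To see exactly what the IdP hands to the FortiGate, here is an added example (not from the original post and not Fortinet code) that decodes a captured SAMLResponse, lists the assertion's NameID and attributes, and checks them against the "set user-name"/"set group-name" values and the group GUID in "config match" from the configuration above. The embedded response is constructed for the example: the host, GUIDs and user are placeholders, there is no ds:Signature, and the script does not verify signatures (the FortiGate does that with idp-cert), so run it only on traces you captured yourself.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_saml_attributes(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse (the value POSTed to /remote/saml/login) and
    return {"name_id": str, "attributes": {attribute Name: [values]}}.
    Only plain (unencrypted) assertions are handled and nothing is verified."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no plain saml:Assertion (encrypted?)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {"name_id": name_id, "attributes": attributes}


def check_fortigate_mapping(parsed: dict, user_name_attr: str,
                            group_name_attr: str, expected_group: str) -> list:
    """Compare the assertion with 'set user-name', 'set group-name' and the group
    GUID in 'config match'. Returns a list of findings; empty means consistent."""
    findings = []
    attrs = parsed["attributes"]
    users = attrs.get(user_name_attr)
    if users is None:
        findings.append(f"no attribute named {user_name_attr!r} (set user-name); "
                        f"assertion carries {sorted(attrs)}")
    elif len(users) != 1 or not users[0]:
        findings.append(f"{user_name_attr!r} should carry exactly one non-empty value, got {users}")
    groups = attrs.get(group_name_attr)
    if groups is None:
        findings.append(f"no attribute named {group_name_attr!r} (set group-name)")
    elif expected_group not in groups:
        findings.append(f"group {expected_group} not among {group_name_attr!r} values {groups}")
    return findings


# Constructed sample in the shape of an Azure AD response carrying the claims from
# the post. Placeholder values; a real response is signed and considerably larger.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://vpn.example.com:8443/remote/saml/login">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>66666666-7777-8888-9999-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
EXPECTED_GROUP = "11111111-2222-3333-4444-555555555555"  # the GUID used in 'config match'

if __name__ == "__main__":
    parsed = parse_saml_attributes(SAMPLE_B64)
    print("NameID:", parsed["name_id"])
    for name, values in parsed["attributes"].items():
        print(f"  {name} = {values}")
    problems = check_fortigate_mapping(parsed, "username", "group", EXPECTED_GROUP)
    print("findings:", problems or "none; attribute names match the FortiGate config")
```

Paste the SAMLResponse value from the browser plugin's capture in place of SAMPLE_B64 and the two arguments "username" and "group" must be the exact strings from "set user-name" and "set group-name"; Azure emits a custom claim without a namespace under exactly the name given in Attributes and Claims, while the default claims carry the long schemas.xmlsoap.org names. If the username attribute is present with the right value and the FortiGate still logs everyone in as the SAML server name, the problem is on the FortiGate side, not in the claim mapping.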


1 reply

kiri
Staff & Editor
Best answer
November 18, 2022

Hi mredus,

Your config looks fine.
Maybe you're running into a known issue?
I quickly checked and there seems to be one matching your description:

716622 [b087] All SSLVPN users logged in via SAML have the same login username

It's fixed already in 6.2.10:1245, 6.4.7:1890, 7.0.1:0127
https://docs.fortinet.com/document/fortigate/6.2.10/fortios-release-notes/289806/resolved-issues

What's the firmware version you're running?
Upgrade to one of these three or newer; that should fix it.

Have you found a solution? Then give your helper a "Like" and mark the solution.
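To check a running FortiOS build against the fix list in the reply, here is an added example (not from the thread and not Fortinet code) that compares version and build per release train rather than as one number, so that, for instance, 6.4.6 is still flagged as affected even though it sorts after 6.2.10. The three fixed builds are the ones quoted above; the version strings in the usage section are constructed, and a train not in the list (such as 7.2) is reported as unknown rather than assumed fixed.

```python
import re

# First builds the release notes list as carrying the fix for 716622, per
# release train (major, minor) -> (version, build), as quoted in the reply above.
FIXED_716622 = {
    (6, 2): ((6, 2, 10), 1245),
    (6, 4): ((6, 4, 7), 1890),
    (7, 0): ((7, 0, 1), 127),
}


def parse_fortios_version(text: str):
    """'6.2.3:1066' or 'v6.2.3,build1066' -> ((6, 2, 3), 1066).
    The build number is optional; it is returned as None when absent."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)(?:[:,]\s*(?:build)?(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    build = int(m.group(4)) if m.group(4) else None
    return version, build


def affected_by_716622(text: str, fixed=FIXED_716622):
    """True if the firmware predates the fix on its own release train, False if
    it is at or past the fixed build, None if the train is not in the list
    (read that train's release notes; a higher train number alone proves nothing)."""
    version, build = parse_fortios_version(text)
    train = version[:2]
    if train not in fixed:
        return None
    fixed_version, fixed_build = fixed[train]
    if version != fixed_version:
        # Tuple comparison, so 6.2.3 < 6.2.10 (string comparison would get this wrong).
        return version < fixed_version
    if build is None:
        return False  # same point release with no build given: assume GA build or later
    return build < fixed_build


if __name__ == "__main__":
    # Constructed inputs; the first is the build the original poster reported.
    for candidate in ["6.2.3:1066", "6.2.10:1245", "6.4.6:1879", "v6.4.7,build1890", "7.0.5", "7.2.0"]:
        state = {True: "affected, upgrade", False: "fixed", None: "train not listed, check release notes"}
        print(f"{candidate:>18}: {state[affected_by_716622(candidate)]}")
```

The running version and build are shown by "get system status" on the FortiGate; the comparison uses the same version and build columns that the release notes quote.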

mredus (Author)
Visitor III
November 18, 2022

Thank you for the reply, we are indeed running a slightly older firmware (6.2.3:1066). We had suspicions that a firmware update would fix this but just haven't had the opportunity to bring the firewall down to patch it yet. I'm glad to see that that is hopefully the case.

Thanks again!