jcrower
Explorer II
March 12, 2024
Solved

SSLVPN SSO - access denied and Failed to Create SP errors

  • March 12, 2024
  • 5 replies
  • 5540 views

Hey all,

Fortigate 81F with 7.0.14.

Attempting to get SSLVPN SSO working with Microsoft Entra ID. The process is failing before getting any type of login prompt.

Testing from the FortiClient I get "The response from https://vpn.domain.com was invalid."
Testing from the Test option within Entra ID I get "Access Denied" (from the https://vpn.domain.com page).

I've double checked all the URLs between the Entra ID application and the SAML config. The SSO group on the Fortigate is in the firewall policy.

Sanitised config:

config user saml
    edit "Entra ID VPN"
        set entity-id "http://vpn.domain.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.domain.com/remote/saml/?acs"
        set single-logout-url "https://vpn.domain.com/remote/saml/?sls"
        set idp-entity-id "https://sts.windows.net/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end

SAML debug:

samld_process_request [157]: Could not get resp_attrs: code=1, resp_attrs_len=0
gen_sp_server [325]: Failed to create SP

SSLVPN debug has this as the last entry before it fails:

2024-03-12 12:20:59 [405:root:1df9][fsv_found_saml_server_name_from_auth_lst:125] Found SAML server [Entra ID VPN] in group [FortigateVPNAccess]

Does anyone know where else to look to find the issue? With the Access Denied message, what was denied access, and by whom?

Thanks

jc

5 replies

jcrower (Author)
Explorer II
March 12, 2024

Thanks for the reply @jimbey2, so the access denied is from the Fortigate?

When you say to re-create a new IPv4 policy, do you mean the firewall rule? I added the SSO group to the existing rule (we are using an LDAP lookup to on-premises AD at the moment).

ozkanaltas
Valued Contributor III
March 12, 2024

Hello @jcrower,

Can you try reconfiguring your SP URLs without a question mark?

config user saml
    edit "Entra ID VPN"
        set entity-id "http://vpn.domain.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.domain.com/remote/saml/acs"
        set single-logout-url "https://vpn.domain.com/remote/saml/sls"
    next
end

hbac
Staff
March 12, 2024

Hi @jcrower,

Please double check and verify the URLs on both sides. The FortiGate entity ID starts with 'http' but on Azure it shows 'https'.

Regards,

jcrower (Author)
Explorer II
March 12, 2024

Thanks for the replies everyone.

I changed the URLs to match exactly:

  • no question marks (the Fortigate created those automatically but I removed them)
  • all https
  • ending back slash only for the Microsoft Entra Identifier

I also created a new firewall policy (basically cloning the existing one, but with just the SSO group) and put it before our current working one. I'm not seeing any hits on it though when I attempt to log in.

I still get the same errors :(

There is something. Because of the M365 plan we are on, I cannot add groups to the Users and groups area, only specific users. Will this change how it's configured, or whether it will even work?

EDIT: that can't be the problem, the online instructions only state adding a user to that area. I have created a Security Group within Azure, added that user to the Security Group and specified the Object ID of that group within the Fortigate SSO group.

https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial#configure-and-test-microsoft-entra-sso-for-fortigate-ssl-vpn

hbac (Best answer)
Staff
April 4, 2024

@jcrower,

Please try the following URLs instead:

Entity ID: http://x.x.x.x/remote/saml/metadata/
single-sign-on-url: https://x.x.x.x/remote/saml/login
single-logout-url: https://x.x.x.x/remote/saml/logout

Regards,
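
As an added example (not from the thread, Fortinet or Microsoft), a small Python check that parses a FortiOS `config user saml` block and compares its SP URLs with the values entered on the Entra ID enterprise application, reporting the scheme, host, query-string and path differences that were chased in this thread. The FortiOS excerpt and the Entra values are constructed for illustration; the setting names follow the poster's config.

```python
"""Compare a FortiGate 'config user saml' SP block with the URLs entered on the
Entra ID enterprise application and report every difference, including the
scheme, query-string and path mismatches chased in this thread."""
import re
from urllib.parse import urlparse

# Constructed FortiOS CLI excerpt: the poster's original, failing SP URLs.
FORTIOS_CONFIG = """
config user saml
    edit "Entra ID VPN"
        set entity-id "http://vpn.domain.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.domain.com/remote/saml/?acs"
        set single-logout-url "https://vpn.domain.com/remote/saml/?sls"
    next
end
"""

# Constructed values as entered on the Entra ID side
# (Identifier, Reply URL and Logout URL), keyed by the FortiOS setting name.
ENTRA_APP = {
    "entity-id": "https://vpn.domain.com/remote/saml/metadata/",
    "single-sign-on-url": "https://vpn.domain.com/remote/saml/login",
    "single-logout-url": "https://vpn.domain.com/remote/saml/logout",
}


def parse_fortios_saml(text):
    """Return {setting: value} for the quoted 'set' lines of one SAML SP entry."""
    return dict(re.findall(r'^\s*set (\S+) "([^"]*)"', text, re.M))


def check_sp_urls(sp, idp):
    """Compare each SP URL with the IdP-side value; an empty list means they agree.
    The IdP posts to the exact strings it was given, so a query-string form such
    as /remote/saml/?acs is reported on its own as well as any path difference."""
    findings = []
    for key, idp_value in idp.items():
        sp_value = sp.get(key)
        if sp_value is None:
            findings.append(f"{key}: not set on FortiGate")
            continue
        s, i = urlparse(sp_value), urlparse(idp_value)
        if s.scheme != i.scheme:
            findings.append(f"{key}: scheme {s.scheme} vs {i.scheme}")
        if s.netloc != i.netloc:
            findings.append(f"{key}: host {s.netloc} vs {i.netloc}")
        if s.query:
            findings.append(f"{key}: query string '?{s.query}' on FortiGate side")
        if s.path != i.path:
            findings.append(f"{key}: path {s.path} vs {i.path}")
    return findings
```

Running `check_sp_urls(parse_fortios_saml(FORTIOS_CONFIG), ENTRA_APP)` on the constructed input reports the http/https entity ID mismatch plus the `?acs` and `?sls` query strings and their path differences; the same call with identical values on both sides returns an empty list.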

jcrower (Author)
Explorer II
April 12, 2024

Thanks @hbac, as simple as that! It's working... kind of.

It seems a bit buggy though. The Windows client seems to work fine (mostly).

I tested the Android client (Samsung A14, Android 14) and it first said it required Chrome, which is annoying as I don't use Chrome. Anyway, I 'enabled' Chrome; it takes me to the login screen and asks for the MFA sign in. I switch to the Authenticator, type in the number, switch back to the FortiClient and it just sits there with the "Approve sign in request" screen.

If I close and reopen FortiClient it goes back to the FortiClient login screen.

csovike10
New Member
April 3, 2024

I have the same problem with the same FortiOS version and a very similar configuration.

I will try to find a solution, but if you found one please share it with me.

I may try to upgrade FortiOS to 7.2.