bizonek
New Member
February 3, 2021
Question

SSLVPN with Azure SAML


Hi

 

My test environment is: FortiGate 61E with firmware 6.4.4.

I have successfully configured SSO for administrators using Fabric Setup and this part works perfectly. Now I would like to continue this successful story by adding SAML authentication to SSL VPN for other mortals.

 

My configuration:

    config user saml
        edit "ssl-azure-saml"
            set cert "Fortinet_Factory"
            set entity-id "http://_____IP:PORT_____/metadata/"
            set single-sign-on-url "https://_____IP:PORT_____/saml/?acs"
            set single-logout-url "https://_____IP:PORT_____/saml/?sls"
            set idp-entity-id "https://sts.windows.net/___IdP_id______/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/___IdP_id______/saml2"
            set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
            set idp-cert "REMOTE_Cert_2"
            set user-name "username"
        next
    end
    config user group
        edit "saml_grp"
            set member "ssl-azure-saml"
        next
    end
    config vpn ssl settings
        set ssl-min-proto-ver tls1-1
        set servercert "Fortinet_Factory"
        set idle-timeout 0
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set port 20443
        set source-interface "wan1"
        set source-address "all"
        set source-address6 "all"
        set default-portal "No_Access"
        config authentication-rule
            edit 1
                set groups "VPN_Client"
                set portal "full-access"
            next
            edit 2
                set groups "saml_grp"
                set portal "full-access"
            next
        end
    end

    config system global
        set remoteauthtimeout 60
    end

 

But when I try to connect using SAML I get an error.

 

Please help :)


bizonek (author)
New Member
February 8, 2021

So the problem was with the endpoints.

 

    config user saml
        edit "ssl-azure-saml"
            set cert "Fortinet_Factory"
            set entity-id "https://_____IP:VPN_PORT_____/remote/saml/metadata"
            set single-sign-on-url "https://_____IP:VPN_PORT_____/remote/saml/login"
            set single-logout-url "https://_____IP:VPN_PORT_____/remote/saml/logout"
            set idp-entity-id "https://sts.windows.net/___IdP_id______/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/___IdP_id______/saml2"
            set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
            set idp-cert "REMOTE_Cert_2"   <----- the downloaded cert was different from the one that was expected; I got it from the SAML request
            set user-name "username"
        next
    end

 

I had not added the SAML group to the correct policy (if you open the web access page and there is no "Single Sign-On" button, then the problem is with the policy) - WTF

 

Helpful links

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial#configure-fortigate-ssl-vpn-sso

https://docs.fortinet.com/document/fortigate/6.4.0/azure-cookbook/584456/configuring-saml-sso-login-for-ssl-vpn-web-mode-with-azure-ad-acting-as-saml-idp
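As an added example (not code from the thread or from Fortinet), the script below encodes the three things this reply boils down to as checks you can run against a config dump before the next login attempt: the SP endpoints must be the FortiGate SSL VPN's own /remote/saml/ paths, over https on the VPN port; the SAML user group must be referenced by both an SSL VPN authentication-rule and a firewall policy; and the uploaded idp-cert must be the certificate the IdP actually signs responses with. The sample config text, the IP 203.0.113.10 and the "certificate" bytes are constructed placeholders; the parser only understands the config/edit/set/next/end shape used in the thread, and the certificate check compares fingerprints rather than validating the XML signature.

```python
"""Added example (not from the thread or Fortinet): sanity-check a FortiGate SSL VPN + Azure SAML
config for the three mistakes discussed above. Stdlib only; IP, config text and 'cert' bytes are placeholders."""
import base64, hashlib, shlex, urllib.parse, xml.etree.ElementTree as ET
KEYWORDS = {"config", "edit", "set", "next", "end"}
EXPECTED_PATHS = {"entity-id": "/remote/saml/metadata",        # SP paths the FortiGate
                  "single-sign-on-url": "/remote/saml/login",  # SSL VPN actually serves
                  "single-logout-url": "/remote/saml/logout"}  # (the fix in the reply above)

def parse_fortios(text):
    """Parse a FortiOS CLI fragment (indented, or flattened onto one line as in forum pastes) into nested dicts."""
    toks, stack, i = shlex.split(text), [{}], 0        # stack[0] is the root table
    while i < len(toks):
        tok = toks[i]
        if tok == "edit":                              # open a table entry
            stack.append(stack[-1].setdefault(toks[i + 1], {}))
            i += 2
        elif tok in ("next", "end"):                   # close entry / table
            stack.pop()
            i += 1
        else:                                          # config <name...> | set <key> <value...>
            j = i + 1
            while j < len(toks) and toks[j] not in KEYWORDS:
                j += 1
            args = toks[i + 1:j]
            if tok == "config":
                stack.append(stack[-1].setdefault(" ".join(args), {}))
            else:                                      # scalar for one value, list for several
                stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
            i = j
    return stack[0]

_as_list = lambda v: [v] if isinstance(v, str) else list(v or [])

def check_sp_endpoints(saml, vpn_port):
    """SP URLs must be https, on the SSL VPN port, and on the FortiGate SAML path for their role."""
    problems = []
    for key, path in EXPECTED_PATHS.items():
        u = urllib.parse.urlsplit(saml.get(key, ""))
        if u.scheme != "https":
            problems.append(f"{key}: must be https, got {u.geturl()!r}")
        if (u.port or 443) != vpn_port:
            problems.append(f"{key}: must use SSL VPN port {vpn_port}, got {u.netloc!r}")
        if u.path != path:
            problems.append(f"{key}: path must be {path}, got {u.path!r}")
    return problems

def check_group_wiring(cfg, saml_name):
    """The SAML server's group must be in an SSL VPN authentication-rule AND a firewall policy (no policy = no SSO button)."""
    groups = [g for g, e in cfg.get("user group", {}).items()
              if saml_name in _as_list(e.get("member"))]
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {}).values()
    policies = cfg.get("firewall policy", {}).values()
    in_rule = {g for r in rules for g in _as_list(r.get("groups"))}
    in_policy = {g for p in policies for g in _as_list(p.get("groups"))}
    problems = [] if groups else [f"no user group has member {saml_name!r}"]
    problems += [f"group {g!r} is in no SSL VPN authentication-rule" for g in groups if g not in in_rule]
    problems += [f"group {g!r} is in no firewall policy" for g in groups if g not in in_policy]
    return problems

def signing_cert_sha256(saml_response_b64):
    """SHA-256 of the cert in ds:KeyInfo, i.e. the one the IdP really signs with; does NOT verify the XML signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find(".//ds:X509Certificate", {"ds": "http://www.w3.org/2000/09/xmldsig#"})
    if node is None:
        raise ValueError("SAML response carries no X509Certificate")
    return hashlib.sha256(base64.b64decode("".join(node.text.split()))).hexdigest()

def audit(config_text, saml_name, idp_cert_der, saml_response_b64):
    """All findings for one 'config user saml' entry; [] means the wiring looks sane."""
    cfg = parse_fortios(config_text)
    saml = cfg["user saml"][saml_name]
    port = int(cfg.get("vpn ssl settings", {}).get("port", 443))
    problems = check_sp_endpoints(saml, port) + check_group_wiring(cfg, saml_name)
    if hashlib.sha256(idp_cert_der).hexdigest() != signing_cert_sha256(saml_response_b64):
        problems.append(f"idp-cert {saml.get('idp-cert')!r} is not the cert that signed the response")
    return problems

# Constructed sample: the original (wrong) endpoints, then the corrected ones; some stanzas flattened like forum pastes.
WRONG_CONFIG = """
config user saml
    edit "ssl-azure-saml"
        set entity-id "http://203.0.113.10:20443/metadata/"
        set single-sign-on-url "https://203.0.113.10:20443/saml/?acs"
        set single-logout-url "https://203.0.113.10:20443/saml/?sls"
        set idp-cert "REMOTE_Cert_2"
    next
end
config user group edit "saml_grp" set member "ssl-azure-saml" next end
config vpn ssl settings set port 20443 config authentication-rule edit 2 set groups "saml_grp" next end end
config firewall policy edit 1 set groups "VPN_Client" next end
"""
FIXED_CONFIG = (WRONG_CONFIG.replace("http://203.0.113.10:20443/metadata/", "https://203.0.113.10:20443/remote/saml/metadata")
                .replace("/saml/?acs", "/remote/saml/login").replace("/saml/?sls", "/remote/saml/logout")
                .replace('set groups "VPN_Client"', 'set groups "VPN_Client" "saml_grp"'))
IDP_SIGNING_DER = b"placeholder bytes standing in for the IdP signing certificate (DER)"
STALE_DOWNLOAD_DER = b"placeholder bytes standing in for an older, wrong downloaded certificate"
SAML_RESPONSE_B64 = base64.b64encode(  # minimal constructed response; only KeyInfo matters here
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0"><ds:Signature><ds:KeyInfo><ds:X509Data>'
    f'<ds:X509Certificate>{base64.b64encode(IDP_SIGNING_DER).decode()}</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>'.encode()).decode()
```

Running audit() on the constructed "wrong" config with the stale certificate returns six findings (the http scheme, three wrong paths, the missing firewall-policy reference and the certificate mismatch); on the corrected config with the signing certificate it returns an empty list. In practice the response to fingerprint is the base64 SAMLResponse form parameter the browser posts to /remote/saml/login, which a SAML tracer or the browser's developer tools will show you; if the fingerprint differs from the certificate uploaded as idp-cert, the certificate is the problem, not the endpoints.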

 

goenacc
Visitor III
February 8, 2022

We hit the "Invalid HTTP request" issue when we set up Azure SAML. We had SSL VPN configured and already in production use. We reused the same user group because we had many policies attached to the groups. We had to log a ticket with Fortinet to get this resolved. The fix was to go to the firewall policy and edit one of the policies: remove the user group and add a dummy group, then hit apply. Then go back to the same policy and reverse the change.

 

Fortinet support said this simple exercise somehow refreshed the SAML / SSLVPN process.

techjedi11
Visitor III
July 15, 2022

Removing the SAML group from my firewall policy, saving, then re-adding the group fixed the "Invalid HTTP request" for me as well. Thanks for posting your solution!

RachelGomez123
New Member
August 16, 2022

When you integrate FortiGate SSL VPN with Azure AD, you can:

 

Use Azure AD to control who can access FortiGate SSL VPN.
Enable your users to be automatically signed in to FortiGate SSL VPN with their Azure AD accounts.
Manage your accounts in one central location: the Azure portal.

To get started, you need the following items:

An Azure AD subscription. If you don't have a subscription, you can get a free account.
A FortiGate SSL VPN with single sign-on (SSO) enabled.

 

Greetings,

Rachel Gomez