New Member
June 2, 2026
Solved

SSO with EntraID certificate problem

  • June 2, 2026
  • 3 replies
  • 63 views

Hello,

My firmware is 7.4.11. I managed to get SSO authentication working correctly via EntraID. The last thing I wanted to do was connect it to the FQDN and run it via my own SSL certificate. I have the certificate imported and it works correctly on the FortiGate login page. I can't get this certificate to work on the authentication port. The default certificate is still visible.
FortiGate-60F # get vpn certificate local
== [ Fortinet_Factory ]
name: Fortinet_Factory   
== [ Fortinet_Factory_Backup ]
name: Fortinet_Factory_Backup   
== [ Fortinet_CA_SSL ]
name: Fortinet_CA_SSL   
== [ Fortinet_CA_Untrusted ]
name: Fortinet_CA_Untrusted   
== [ Fortinet_SSL ]
name: Fortinet_SSL   
== [ Fortinet_GUI_Server ]
name: Fortinet_GUI_Server   
== [ Fortinet_SSL_RSA1024 ]
name: Fortinet_SSL_RSA1024   
== [ Fortinet_SSL_RSA2048 ]
name: Fortinet_SSL_RSA2048   
== [ Fortinet_SSL_RSA4096 ]
name: Fortinet_SSL_RSA4096   
== [ Fortinet_SSL_DSA1024 ]
name: Fortinet_SSL_DSA1024   
== [ Fortinet_SSL_DSA2048 ]
name: Fortinet_SSL_DSA2048   
== [ Fortinet_SSL_ECDSA256 ]
name: Fortinet_SSL_ECDSA256   
== [ Fortinet_SSL_ECDSA384 ]
name: Fortinet_SSL_ECDSA384   
== [ Fortinet_SSL_ECDSA521 ]
name: Fortinet_SSL_ECDSA521   
== [ Fortinet_SSL_ED25519 ]
name: Fortinet_SSL_ED25519   
== [ Fortinet_SSL_ED448 ]
name: Fortinet_SSL_ED448   
== [ Fortinet_Wifi ]
name: Fortinet_Wifi   
== [ *.mycert.pl ] 
name: *.mycert.pl  

FortiGate-60F # show user setting 
config user setting
    set auth-cert "*.mycert.pl"
end


What else should I check? 


    3 replies

    Sheikh (Staff)
    June 2, 2026

    Hello @kefflar,

    If SAML SSO with Microsoft Entra ID is working but the captive portal/authentication page still presents the default Fortinet certificate, verify that the certificate configured under “config user setting” is actually being used by the authentication daemon and that the certificate contains the correct FQDN in the CN/SAN fields.

    Moreover, please ensure that the certificate chain is complete.


    fnbamd logs might show more details.

    #diagnose debug application fnbamd -1


    regards,

    Sheikh

    If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
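As an added example (not from this thread and not Fortinet's own tooling), a small POSIX shell script for the two checks suggested above: it prints which certificate the authentication port actually serves, and tests whether a certificate's DNS SAN entries cover the portal FQDN using the one-label wildcard rule. It assumes the openssl CLI is installed; <fortigate-ip> and <auth-port> are placeholders, and the self-signed test certificate is constructed locally.

```shell
#!/bin/sh
# Added example: verify the certificate on a FortiGate authentication port and
# whether a certificate's SAN entries cover the FQDN users are sent to.
# Assumes the openssl CLI; <fortigate-ip> / <auth-port> are placeholders.

# presented_cert HOST PORT SNI : print subject, issuer and SANs of the served cert
# e.g. presented_cert <fortigate-ip> <auth-port> fw.mycert.pl
presented_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -ext subjectAltName
}

# san_covers CERT.pem FQDN : exit 0 if a DNS SAN entry covers FQDN, else 1.
# A wildcard covers exactly one extra label: *.mycert.pl covers fw.mycert.pl
# but neither mycert.pl nor a.fw.mycert.pl.
san_covers() (
  set -f                                  # stop "*.mycert.pl" being glob-expanded
  pem=$1; fqdn=$2
  sans=$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null \
         | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p')
  for san in $sans; do
    case "$san" in
      \*.*)
        suffix=${san#\*}                  # "*.mycert.pl" -> ".mycert.pl"
        label=${fqdn%"$suffix"}           # unchanged if fqdn lacks the suffix
        if [ "$label" != "$fqdn" ] && [ -n "$label" ] \
           && [ "${label%%.*}" = "$label" ]; then
          exit 0                          # exactly one label left: covered
        fi ;;
      *)
        [ "$san" = "$fqdn" ] && exit 0 ;; # exact SAN match
    esac
  done
  exit 1
)

# make_test_cert DIR : constructed self-signed wildcard cert for offline trials
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/key.pem" -out "$1/cert.pem" -subj "/CN=*.mycert.pl" \
    -addext "subjectAltName=DNS:*.mycert.pl,DNS:mycert.pl" >/dev/null 2>&1
}

# Usage: ./check_auth_cert.sh cert.pem fw.mycert.pl
if [ $# -eq 2 ]; then
  if san_covers "$1" "$2"; then echo "$2 is covered by $1"
  else echo "$2 is NOT covered by $1"; fi
fi
```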
    kefflar (Author)
    New Member
    June 2, 2026

    It looks like it is still using the FortiGate default certificate:
    handle_req-Rcvd auth_cert req id=1486293803039, len=6380, opt=8
    [1161] __cert_auth_ctx_init-req_id=1486293803039, opt=8
    [1178] __cert_auth_ctx_init-OCSP resp is found.
    [103] __cert_chg_st- 'Init'
    [201] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
    [839] __cert_init-req_id=1486293803039
    [888] __cert_build_chain-req_id=1486293803039
    [319] fnbamd_chain_build-Chain discovery, opt 0x19, cur total 1
    [337] fnbamd_chain_build-Following depth 0
    [382] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
    [337] fnbamd_chain_build-Following depth 1
    [382] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
    [337] fnbamd_chain_build-Following depth 2
    [351] fnbamd_chain_build-Self-sign detected.
    [99] __cert_chg_st- 'Init' -> 'Validation'
    [1010] __cert_verify-req_id=1486293803039
    [1011] __cert_verify-Chain is complete.
    [481] fnbamd_builtin_cert_check-Following cert chain depth 0
    [481] fnbamd_builtin_cert_check-Following cert chain depth 1
    [504] fnbamd_builtin_cert_check-Builtin CRL found: 244b5494
    [481] fnbamd_builtin_cert_check-Following cert chain depth 2
    [521] fnbamd_builtin_cert_check-Certificate status is unchecked.
    [1051] __cert_verify_do_next-req_id=1486293803039
    [99] __cert_chg_st- 'Validation' -> 'OCSP-Checking'
    [1075] __cert_ocsp_check-req_id=1486293803039
    [334] fnbamd_verify_ocsp_response-Cert status: GOOD.
    [256] __cert_ocsp_resp_verify-verify_ocsp_response returns 0 -1
    [99] __cert_chg_st- 'OCSP-Checking' -> 'Done'
    [1098] __cert_done-req_id=1486293803039
    [1559] fnbamd_auth_session_done-Session done, id=1486293803039
    [1144] __fnbamd_cert_auth_run-Exit, req_id=1486293803039
    [1602] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=1486293803039
    [1515] auth_cert_success-id=1486293803039
    [1256] fnbamd_cert_auth_copy_cert_status-req_id=1486293803039
    [1383] fnbamd_cert_auth_copy_cert_status-Cert st 210, req_id=1486293803039
    [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1486293803039, len=2592
    [1390] destroy_auth_cert_session-id=1486293803039
    [1228] fnbamd_cert_auth_uninit-req_id=1486293803039
    [1877] fnbamd_ldaps_destroy-
    [1447] fnbamd_rads_destroy-
    [2416] handle_req-Rcvd auth_cert req id=1486293803040, len=6380, opt=8
    [1161] __cert_auth_ctx_init-req_id=1486293803040, opt=8
    [1178] __cert_auth_ctx_init-OCSP resp is found.
    [103] __cert_chg_st- 'Init'
    [201] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
    [839] __cert_init-req_id=1486293803040
    [888] __cert_build_chain-req_id=1486293803040
    [319] fnbamd_chain_build-Chain discovery, opt 0x19, cur total 1
    [337] fnbamd_chain_build-Following depth 0
    [382] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
    [337] fnbamd_chain_build-Following depth 1
    [382] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
    [337] fnbamd_chain_build-Following depth 2
    [351] fnbamd_chain_build-Self-sign detected.
    [99] __cert_chg_st- 'Init' -> 'Validation'
    [1010] __cert_verify-req_id=1486293803040
    [1011] __cert_verify-Chain is complete.
    [481] fnbamd_builtin_cert_check-Following cert chain depth 0
    [481] fnbamd_builtin_cert_check-Following cert chain depth 1
    [504] fnbamd_builtin_cert_check-Builtin CRL found: 244b5494
    [481] fnbamd_builtin_cert_check-Following cert chain depth 2
    [521] fnbamd_builtin_cert_check-Certificate status is unchecked.
    [1051] __cert_verify_do_next-req_id=1486293803040
    [99] __cert_chg_st- 'Validation' -> 'OCSP-Checking'
    [1075] __cert_ocsp_check-req_id=1486293803040
    [334] fnbamd_verify_ocsp_response-Cert status: GOOD.
    [256] __cert_ocsp_resp_verify-verify_ocsp_response returns 0 -1
    [99] __cert_chg_st- 'OCSP-Checking' -> 'Done'
    [1098] __cert_done-req_id=1486293803040
    [1559] fnbamd_auth_session_done-Session done, id=1486293803040
    [1144] __fnbamd_cert_auth_run-Exit, req_id=1486293803040
    [1602] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=1486293803040
    [1515] auth_cert_success-id=1486293803040
    [1256] fnbamd_cert_auth_copy_cert_status-req_id=1486293803040
    [1383] fnbamd_cert_auth_copy_cert_status-Cert st 210, req_id=1486293803040
    [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1486293803040, len=2592
    [1390] destroy_auth_cert_session-id=1486293803040
    [1228] fnbamd_cert_auth_uninit-req_id=1486293803040
    [1877] fnbamd_ldaps_destroy-
    [1447] fnbamd_rads_destroy-

    There is a switch in the SSO configuration.

    But in the list of certificates I don't have mycert.pl :(


    kefflar (Author, Answer)
    New Member
    June 3, 2026

    It seems the problem was with the SSL certificate. The certificate is a wildcard for the main domain, but it cannot be selected in the SSO configuration. I used a Let's Encrypt certificate generated from FortiGate, and I was able to select that one.