Skip to main content
Matt_T
Matt_T
New Member
June 7, 2024
Solved

Using FMG to configure SAML on FGT

  • June 7, 2024
  • 4 replies
  • 2397 views

Hello,

 

I am trying to use our FortiManager to configure SAML (using Azure) for VPN access to our remote FGT's as a "break glass" means of getting access to our FGT should the FMG be offline or the HQ site is destroyed.  The idea is that we can VPN in to the remote FGT and then access the Admin console from the inside rather than have the Admin console facing the outside.

 

I have entered all the Azure url's and certificate per what instructions I have found.  When I go to the VPN Settings and attempt to add the Azure user group I get this error.

 

user/saml/azure/ : datasrc invalid. object: vpn ssl settings authentication-rule.1:groups. detail: <group name>. solution: datasrc invalid

 

I have poured over the user group and I can find nothing that points me to what this error is referring to or how to resolve it.  I understand that the "datasrc is invalid" but I have not found the datasrc that is causing the issue.  I've tried following this link...

 

https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-with-azure-ad-acting-as-saml-idp

 

but I get stopped at the SSL VPN settings.

 

Any bread crumbs would be greatly appreciated.

 

Thanks,

 

Mattt

 

FMG: v7.4.2

FGT: v7.0.9  

4 replies

Anthony_E
Staff
Anthony_E
Staff
June 10, 2024

Hello Matt,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
    srajeswaran
    Staff
    srajeswaran
    Staff
    June 10, 2024

    I can see previous reports of similar issues and they were mostly due to typos/syntax issues. Do you have an active support contract? if so, please open a ticket to get the config validated by our TAC engineers.

      vraev
      Staff
      vraevAnswer
      Staff
      June 12, 2024

      Hi @Matt_T ,

       

      Please review the following page:

      https://community.fortinet.com/t5/FortiManager/Technical-Tip-SAML-SSO-user-group-setup-for-a-managed-FortiGate/ta-p/260718

        Matt_T
        Matt_TAuthor
        New Member
        June 13, 2024

        I'm still not there yet.  but this solution has gotten me closer.  All of the configuration seems to be required via the CLI rather than the GUI.  Now I just have to sort out the VPN server being unreachable.

         

        Terms & ConditionsAccessibility statement