gsommariva
Visitor III
March 3, 2025
Question

VPN SSL SAML "Assertion consumer service URL" set up is ignored, FortiGate VPN client fails


Despite having set "Assertion consumer service URL" in "config user saml" to "https://FQDN:PORT/remote/login?realm=REALM",

the authentication call always shows:

AssertionConsumerServiceURL="https://FQDN:PORT/remote/saml/login">


The result is that after successful Azure authentication, the Fortinet VPN SSL client tries to connect to:

https://FQDN:PORT/remote/saml/login"

and it fails because the FortiGate does not respond to it.


The correct URL is: https://FQDN:PORT/remote/login?realm=REALM


1 reply

funkylicious
SuperUser
March 3, 2025

Hi,

I don't think you need to specify which realm the ACS URL is for, because SSLVPN does not run for a specific realm.

The separation of config is done with the remote gateway you configure in the FortiClient SSLVPN profile on the workstation, e.g. https://FQDN:PORT/REALM, and then the user group has the SAML user/config in it for that specific REALM.

"jack of all trades, master of none"
gsommariva
Visitor III
March 3, 2025

Hi,

After the successful login, Azure redirects to https://FQDN:PORT/remote/saml/login" and the FortiGate does not respond.


The FortiGate responds to https://FQDN:PORT/REALM


funkylicious
SuperUser
March 3, 2025

It will always respond/open to https://fqdn:port/realm, but on the first link, the single-sign-on URL, what message do you get?

You can also start a debug on the FortiGate in order to get more details.

diag debug enable

diagnose debug application samld -1

diagnose debug application sslvpn -1

Also,

https://docs.fortinet.com/document/fortigate-public-cloud/7.6.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-with-entra-id-acting-as-saml-idp

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-SSL-VPN-with-Azure-SAML-SSO-Authentication/ta-p/200812

L.E. https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Companion-for-troubleshooting-SSL-VPN-with/ta-p/217719

"jack of all trades, master of none"
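One way to confirm which AssertionConsumerServiceURL the FortiGate really puts in its AuthnRequest, as an added example that is not part of this thread or of Fortinet's tooling: take the SAMLRequest query value from the redirect to the IdP (the single-sign-on URL asked about above), reverse the HTTP-Redirect binding encoding, and compare the attribute with the ACS URL you expect. The AuthnRequest, the IdP URL and the FQDN/PORT placeholders below are constructed for the example.

```python
import base64
import zlib
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest, modelled on the attribute the poster saw in the
# FortiGate's request. FQDN and PORT are placeholders, not real values.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2025-03-03T10:00:00Z" '
    'AssertionConsumerServiceURL="https://FQDN:PORT/remote/saml/login"/>'
)


def encode_redirect_binding(xml_text: str) -> str:
    """Build the SAMLRequest value as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits = raw deflate, no zlib header
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_binding(saml_request: str) -> str:
    """Reverse of encode_redirect_binding: base64-decode, then raw-inflate back to XML."""
    return zlib.decompress(base64.b64decode(saml_request), wbits=-15).decode("utf-8")


def build_idp_redirect(idp_sso_url: str, xml_text: str) -> str:
    """Construct the Location URL an SP would send the browser to (hypothetical IdP endpoint)."""
    return idp_sso_url + "?SAMLRequest=" + quote(encode_redirect_binding(xml_text), safe="")


def acs_url_from_request(xml_text: str) -> Optional[str]:
    """Return the AssertionConsumerServiceURL attribute of an AuthnRequest, if present."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest: %s" % root.tag)
    return root.get("AssertionConsumerServiceURL")


def acs_url_from_idp_redirect(redirect_url: str) -> Optional[str]:
    """Pull SAMLRequest out of the redirect URL (parse_qs undoes the URL encoding) and decode it."""
    saml_request = parse_qs(urlparse(redirect_url).query).get("SAMLRequest", [None])[0]
    if saml_request is None:
        raise ValueError("no SAMLRequest parameter in URL")
    return acs_url_from_request(decode_redirect_binding(saml_request))


def acs_matches(redirect_url: str, expected_acs: str) -> bool:
    """True when the ACS URL the SP sent equals the one configured on the IdP side."""
    return acs_url_from_idp_redirect(redirect_url) == expected_acs
```

Paste the real redirect URL from the browser's network log into acs_url_from_idp_redirect to see the value the FortiGate is actually sending; a mismatch with the ACS URL registered in Entra ID explains a post-login redirect that nothing answers.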