sfernando
Staff
Article Id 350855
Description

This article discusses a scenario where FortiClient uses the auto-connect features (Save password, Auto connect, and Always up) with SAML authentication. The WAN interface of the FortiGate is not configured with a public IP, and a NAT IP pool is used to send traffic out.

 

Based on Technical Tip: 'set auth-url' under 'config user saml' has been removed and replaced with 'config us..., the 'set auth-url' command was removed from the 'config user saml' configuration and a new configuration, 'config user external-identity-provider', was put in place after v7.2.8.

 

The main function of 'set auth-url' is to specify the URL of the SAML Identity Provider (IdP) authentication endpoint.

This URL is where the FortiGate will redirect users to authenticate when they attempt to log in using SAML Single Sign-On (SSO). 

Scope
FortiGate v7.2.8 and above.
Solution

As mentioned in the description above, the SSL VPN auto-connect feature with SAML authentication fails between 40% and 50% of the time.

In this scenario, the WAN IP is not a public IP; a NAT IP pool is used to send traffic out to the internet.

 

Based on the traffic debugs and the session table, it was observed that the SAML traffic generated to reach Microsoft Azure Entra ID leaves the FortiGate without being NATed.

 

Refer to the below artifacts:

 

session info: proto=6 proto_state=02 duration=0 expire=9 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=14->3/3->0 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 172.16.119.86:18694->20.190.177.17:443(0.0.0.0:0)  <<<<<<<No NAT
hook=in dir=reply act=noop 20.190.177.17:443->172.16.119.86:18694(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=00af4b24 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 1

 

Note:

20.190.177.17 is a Microsoft Azure IP.
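As an added example that is not part of this article, the following Python check parses session-list output in the format shown above and flags sessions the FortiGate originated itself ('local' state flag) that leave with a private source address and no source NAT towards a non-private destination. The sample output is constructed: the first session reproduces the article's entry, the second is a made-up forwarded client session (10.1.1.5, NAT pool address 203.0.113.10) that does get source NAT.

```python
import ipaddress
import re

# Constructed sample in the format of `diagnose sys session list` output: session 1 is the
# article's locally generated SAML session (act=noop, no NAT address); session 2 is a
# made-up forwarded client session that is source NATed (hook=post act=snat).
SAMPLE = """\
session info: proto=6 proto_state=02 duration=0 expire=9 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log local nds
hook=out dir=org act=noop 172.16.119.86:18694->20.190.177.17:443(0.0.0.0:0)
hook=in dir=reply act=noop 20.190.177.17:443->172.16.119.86:18694(0.0.0.0:0)
session info: proto=6 proto_state=01 duration=4 expire=3596 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty
hook=post dir=org act=snat 10.1.1.5:51000->20.190.177.17:443(203.0.113.10:51000)
hook=pre dir=reply act=dnat 20.190.177.17:443->203.0.113.10:51000(10.1.1.5:51000)
total session 2
"""

# Originating direction: hook=out for locally generated traffic, hook=post for forwarded traffic.
HOOK_RE = re.compile(
    r"hook=(?:out|post) dir=org act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\)"
)

def parse_sessions(text):
    """Split the output into sessions; return each one's state flags and original tuple."""
    sessions = []
    for block in text.split("session info:")[1:]:
        state, tuple_ = set(), None
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("state="):
                state = set(line[len("state="):].split())
            elif (m := HOOK_RE.match(line)) is not None:
                tuple_ = m.groupdict()
        if tuple_:
            sessions.append({"state": state, **tuple_})
    return sessions

def find_unnatted_local_sessions(text):
    """Sessions the FortiGate itself originated ('local' flag) that leave with a private
    source address and no source NAT towards a non-private destination."""
    hits = []
    for s in parse_sessions(text):
        src, dst = ipaddress.ip_address(s["src"]), ipaddress.ip_address(s["dst"])
        no_snat = s["act"] != "snat" or s["nat_ip"] == "0.0.0.0"
        if "local" in s["state"] and src.is_private and not dst.is_private and no_snat:
            hits.append(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}")
    return hits
```

Running the check over the article's session table is a quick way to confirm, after applying the source-ip change, that no locally generated session toward the IdP still leaves with a private source.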

 

As the solution, this internally generated traffic from the FortiGate has to be sourced from a public IP. Hence, the source IP must be defined as the public IP of the NAT IP pool. The configuration should look as below:

 

config user external-identity-provider
   edit "msgraph"
      set type ms-graph
      set version v1.0
      set source-ip "X.Y.Z.R"   <-----  X.Y.Z.R is the public IP of the NAT pool.
   next
end
