FortiGate
vshtaloja
Staff
Article Id 370312
Description This article provides a workaround and a solution for an issue where AD FS fields fail to auto-populate after rebooting the FortiGate, leading to VPN interruptions.
Scope FortiGate v7.2, v7.4 and v7.6
Solution

After rebooting the FortiGate, AD FS fields in the SAML configuration fail to auto-populate, resulting in disrupted VPN functionality and authentication failures for incoming client VPN connections:
config user saml
    edit "FortiTest"
        set cert "test_saml_certificate"
        set entity-id "https://remote.testsaml-group.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://remote.testsaml-group.com:10443/remote/saml/login/"
        set single-logout-url "https://remote.testsaml-group.com:10443/remote/saml/logout/"
        set idp-entity-id "http://fs.testsaml-group.com/adfs/services/trust"
        set idp-single-sign-on-url "https://fs.testsaml-group.com/adfs/ls/"
        set idp-single-logout-url "https://fs.testsaml-group.com/adfs/ls/"
        set idp-cert "Remote_Cert1"
        set digest-method sha1
        set adfs-claim enable
        set user-claim-type upn
        set group-claim-type group
    next
end
Before reboot:
[Screenshot: beforereboot-ADFS.png]

After reboot:
[Screenshot: afterreboot-ADFS.png]


This issue has been resolved in v7.4.8 and v7.6.3 (scheduled for release in April 2025). These firmware release timelines are estimates and may be subject to change.

Workaround:

Disable and re-enable AD FS on the affected SAML user object:

config user saml
    edit <name>
        unset adfs-claim
    next
end

config user saml
    edit <name>
        set adfs-claim enable
    next
end
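To spot the symptom before users report VPN failures, the following added example (not from the article or from Fortinet) parses captured `show user saml` output, flags entries that have `adfs-claim enable` but are missing the claim-type settings, and prints the workaround above for each one. It assumes the post-reboot state shows up in the CLI output as absent `user-claim-type`/`group-claim-type` lines, and the sample output is constructed.

```python
import re

# Constructed sample of `show user saml` output (not from the article):
# "FortiTest" is intact, "FortiBroken" has AD FS enabled but the claim-type
# settings missing, which is the post-reboot symptom being checked for.
SAMPLE_OUTPUT = """config user saml
    edit "FortiTest"
        set cert "test_saml_certificate"
        set adfs-claim enable
        set user-claim-type upn
        set group-claim-type group
    next
    edit "FortiBroken"
        set cert "test_saml_certificate"
        set adfs-claim enable
    next
end
"""

REQUIRED_ADFS_FIELDS = ("user-claim-type", "group-claim-type")

def parse_saml_entries(text):
    """Return {entry name: {setting: value}} for each `edit "<name>"` block."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "(.+)"$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip('"')
        elif line == "next":
            current = None
    return entries

def find_unpopulated_adfs(entries):
    """Names of entries with adfs-claim enabled but a claim-type field missing."""
    return sorted(name for name, s in entries.items()
                  if s.get("adfs-claim") == "enable"
                  and any(f not in s for f in REQUIRED_ADFS_FIELDS))

def workaround_commands(name):
    """The article's disable/re-enable sequence, filled in for one entry."""
    return (f'config user saml\n    edit "{name}"\n        unset adfs-claim\n    next\nend\n'
            f'config user saml\n    edit "{name}"\n        set adfs-claim enable\n    next\nend')

if __name__ == "__main__":
    for name in find_unpopulated_adfs(parse_saml_entries(SAMPLE_OUTPUT)):
        print(workaround_commands(name))
```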