FortiGate
vshtaloja
Staff
Article Id 370312
Description This article describes an issue where the AD FS claim fields of a SAML user configuration fail to auto-populate after the FortiGate is rebooted, which breaks SAML-based VPN authentication, and provides the fixed firmware versions and a CLI workaround.
Scope FortiGate v7.2, v7.4 and v7.6.
Solution

After the FortiGate is rebooted, the AD FS claim fields in the SAML configuration (user-claim-type and group-claim-type) are no longer populated. Because the claims from the IdP can then not be mapped to a user and group, incoming client VPN connections that use this SAML server fail authentication and the VPN service is effectively down for those users. The configuration as it was entered (the AD FS claim settings are the last three lines):

config user saml
    edit "FortiTest"
        set cert "test_saml_certificate"
        set entity-id "https://remote.testsaml-group.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://remote.testsaml-group.com:10443/remote/saml/login/"
        set single-logout-url "https://remote.testsaml-group.com:10443/remote/saml/logout/"
        set idp-entity-id "http://fs.testsaml-group.com/adfs/services/trust"
        set idp-single-sign-on-url "https://fs.testsaml-group.com/adfs/ls/"
        set idp-single-logout-url "https://fs.testsaml-group.com/adfs/ls/"
        set idp-cert "Remote_Cert1"
        set digest-method sha1
        set adfs-claim enable
        set user-claim-type upn
        set group-claim-type group
    next
end

 

Before reboot (screenshot beforereboot-ADFS.png): the AD FS claim fields are populated.

After reboot (screenshot afterreboot-ADFS.png): the AD FS claim fields are empty.


This issue has been resolved in v7.4.8 and v7.6.3. Upgrading to one of these releases (or later) is the permanent fix; no fixed v7.2 build is listed here.


Workaround:

Disable and re-enable the AD FS claim setting on the affected SAML server; re-enabling it makes the claim fields auto-populate again. Since the settings are lost on reboot, expect to repeat this after every reboot until the FortiGate is upgraded to a fixed release:


config user saml
    edit <name>
        unset adfs-claim
    next
end

config user saml
    edit <name>
        set adfs-claim enable
    next
end
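
As an added example (not part of the original article and not Fortinet tooling): a small Python script that scans a `show user saml` dump for SAML servers that have `adfs-claim` enabled but are missing the `user-claim-type` or `group-claim-type` setting, and prints the disable/re-enable workaround above for exactly those servers. The sample dump is constructed for the example (the article's "FortiTest" server with the claim types stripped, plus two hypothetical servers "Healthy" and "NoAdfs"), and the script assumes the lost fields are also absent from CLI output; the article shows the symptom in the GUI, so confirm that on your own unit before relying on this check after a reboot.

```python
import re
from typing import Dict, List

# Constructed sample of `show user saml` output after a reboot. This text is
# made up for the example. "FortiTest" has adfs-claim enabled but has lost its
# user/group claim types (the symptom from the article, assumed visible in the
# CLI); "Healthy" still has them; "NoAdfs" never used AD FS claims.
SAMPLE_SHOW_USER_SAML = """\
config user saml
    edit "FortiTest"
        set cert "test_saml_certificate"
        set entity-id "https://remote.testsaml-group.com:10443/remote/saml/metadata/"
        set idp-entity-id "http://fs.testsaml-group.com/adfs/services/trust"
        set adfs-claim enable
    next
    edit "Healthy"
        set entity-id "https://vpn.example.net/remote/saml/metadata/"
        set adfs-claim enable
        set user-claim-type upn
        set group-claim-type group
    next
    edit "NoAdfs"
        set entity-id "https://vpn2.example.net/remote/saml/metadata/"
    next
end
"""

# Settings that `set adfs-claim enable` is expected to auto-populate.
ADFS_FIELDS = ("user-claim-type", "group-claim-type")


def parse_user_saml(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a `show user saml` dump into {server_name: {setting: value}}.

    Only `edit "<name>"` / `set <key> <value>` / `next` lines are interpreted;
    `config` and `end` lines are ignored. Quoted values have their quotes removed.
    """
    servers: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"([^"]+)"$', line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            servers[current][m.group(1)] = m.group(2).strip('"')
    return servers


def find_affected(servers: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of servers with adfs-claim enabled but a missing claim-type setting."""
    return sorted(
        name
        for name, settings in servers.items()
        if settings.get("adfs-claim") == "enable"
        and any(field not in settings for field in ADFS_FIELDS)
    )


def workaround_cli(names: List[str]) -> str:
    """Emit the article's disable/re-enable sequence for each affected server."""
    lines: List[str] = []
    for name in names:
        for action in ("unset adfs-claim", "set adfs-claim enable"):
            lines += ["config user saml", f'    edit "{name}"', f"        {action}", "    next", "end"]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    affected = find_affected(parse_user_saml(SAMPLE_SHOW_USER_SAML))
    print("SAML servers with missing AD FS claim fields:", affected)
    print(workaround_cli(affected), end="")
```

On a real unit, paste the `show user saml` output into the script (or fetch it over SSH) and apply the printed CLI block; servers without `adfs-claim enable` are deliberately left alone, since the workaround only applies to AD FS claim mapping.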