Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
agomes
Staff
Staff

Created on ‎01-30-2025 04:39 AM Edited on ‎12-10-2025 06:27 AM By Community Manager

Article Id 370414

Technical Tip: Configuring a dial-up IPsec VPN with Azure SAML authentication

Description This article describes how to set up a dial-up IPsec VPN configuration with SAML authentication through the Azure portal.
Scope FortiGate v7.2.0 and later.
Solution

Inside Enterprise Applications on the Azure portal, follow the steps below:

  1. Create a new FortiGate VPN SSL-type application.

 

Note: 

Do not be misled by the name of the application, 'FortiGate SSL VPN' - it is applicable for IPsec remote access VPN as well.

 

2025-01-15 13_02_25-Browse Microsoft Entra Gallery - Microsoft Azure and 1 more page - Perfil 1 - Mi.png

 

  1. Rename the application as desired and select the Create button.

2025-01-15 13_03_45-FortiGate SSL VPN - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ Edge.png

 

  1. When the application is created, go into it and add the users who can connect to the VPN.

2025-01-15 13_07_07-FortiGate IPSEC SAML - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ E.png

 

  1. Select single sign-on in the left menu and then in SAML to start the basic SAML configuration.
  2. Edit the Basic SAML Configuration panel.
  3. Copy the pattern on Identifier ID https://*.FORTIGATE-FQDN.com/remote/saml/metadata, change it with the VPN address, remove https, replace it with HTTP, and add a / into the field. See the example below: http://*.FORTIGATE-FQDN.com/remote/saml/metadata/.

 

Do not forget to add the VPN port to the pattern. For example: http://vpnnamehere.com:10443/remote/saml/metadata/.

 

Do the same to the reply URL, Sign-on URL, and logout URL. For these three fields, it is not necessary to change https to HTTP and add a / at the end of the URL.

 

2025-01-15 13_22_19-Basic SAML Configuration - Microsoft Azure and 1 more page - Perfil 1 - Microsof.png

 

  1. Inside Attributes & Claims, perform the following steps:
  • Delete the claim user.groups [SEcurityGroups].
  • Add a new claim called username with value user.principalname.
  • Add a new group claim, choose the All groups option, and the source attribute as Group ID.
  • In advanced options still inside the group claim, select the option 'Customize the name of the group claim' and add the name as 'group' without quotes.

 

The Attribute and Claim configuration needs to be like the ones in the following image:

 

2025-01-15 13_31_26-Group Claims - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ Edge.png

 

Come back to the single sign-on configuration.

 

  1. Download the Certificate (Base64) and import it into the FortiGate as a Remote Certificate.

2025-01-15 13_32_44-FortiGate IPSEC SAML - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ E.png

 

2025-01-15 13_35_34-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

It is possible to rename this certificate in the CLI to make it easier to identify it through the following command:

 

config vpn certificate remote
rename <old_name> to <new_name>

 

  1. In the FortiGate configuration, go to User & Authentication and Authentication Settings. Change the certificate to the wildcard or use the Fortinet_Factory.

  2. Go to Single Sign-on, select Create New, and follow the steps below:
  • In the address field, use the same address that was used in the Azure single sign-on configuration. vpnnamehere.com:10443
  • On the certificate, use Fortinet_Factory and select Next.
  • On the identity provider details, select the custom option.
  • See the table below to fill in the correct fields by just copying the information into the fields.

 

2025-01-15 13_47_43-FortiGate IPSEC SAML - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ E.png


2025-01-15 13_51_49-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

  • Use the certificate that was imported before.
  • In the attributes, use the username and groups for the respective fields.

 

2025-01-15 13_54_11-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

  1. Create a group inside the User Groups, like the picture below.

Use the remote server, the single sign-on server that was created before, and choose the option any for the groups.

 

2025-01-15 13_56_30-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

  1. Create a VPN IPsec tunnel as a dial-up tunnel.

2025-01-15 13_59_08-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

Add the following commands inside the phase1-interface configuration:

 

config vpn ipsec phase1-interface

    edit "IPSEC_SAML_HOME"

        set eap enable
        set eap-identity send-request
        set authusrgrp "GR-VPN-SAML"
end

 

  1. The daemon authd has been updated to support SAML authentication and now listens for local-in traffic from FortiClient on the TCP port defined in the auth-ike-saml-port setting (range 0–65535, default 1001). At this time, this setting can only be configured through the CLI, from version 7.2.x onwards:


config system global
    set auth-ike-saml-port <integer>
end

 

  1. Inside the link interface that will receive the connections, add the command to set ike-saml-server to 'SINGLE SIGN-ON PROFILE'.

 

config system interface
    edit <name>
        set ike-saml-server <saml_server>
    next
end

 

If IPsec is configured on the loopback interface, then the IKE SAML server must also be enabled on the loopback. If the user is internal to the FortiGate and IPsec is configured on the external interface, the command should be enabled on both the internal and external interfaces.

Note: The above settings are important, if the ike-saml-server is not configured on the interface, running the flow debug on the SAML traffic destined towards the port defined in 'set auth-ike-saml-port <integer>' will cause the following error to appear as the SAML traffic is destined to a local interface on the FortiGate and without 'ike-saml-server' this port will be implicitly blocked on the interface traffic arrives on.

 

The message is: 'policy-4294967295 is matched, act-drop'.
The message is: 'iprope_in_check() check failed on policy 0, drop'.

 

On the client, the SAML authentication page keeps loading for a while and eventually displays a timeout message.

 

  1. Create a firewall policy as required to control the traffic.

 

SAML-FWpolicy.png

 

Note: 

Configure the user group either in the Phase 1 VPN settings (authusrgrp) or in the firewall policy, but not both.

For additional information, consult the FortiGate Administration Guide, which provides detailed instructions on configuring and using User Groups for IPsec VPNs: Using single or multiple user groups for user authentication 

 

  1. Configure the remote access profile in the FortiClient and fill in the information as configured in the VPN configuration.
(Note: For certain configurations of IPsec VPN with SAML (or for compatibility reasons), ensure that the option 'Use external browser as user‑agent' in FortiClient is unchecked. This ensures that FortiClient uses its built‑in browser component rather than redirecting to the system default browser.

2025-01-15 14_06_29-172.16.2.105 - Remote Desktop Connection.png

2025-01-15 14_12_34-Window.png

 

  1. Check the connectivity as per the policy that was created before.
  2. Use the troubleshooting commands below to check the SAML and IKE logs during the connection.

 

   diagnose debug reset

   diagnose debug console timestamp enable

diagnose vpn ike log filter rem-addr4 x.x.x.x <----- x.x.x.x is client public IP.

   diagnose debug app authd 255

diagnose debug application samld -1

diagnose debug app fnbamd -1

diagnose debug application eap_proxy -1

diagnose debug application ike -1

diagnose debug enable

 

To stop debugging:

diagnose debug disable

 

Notes:

  • FortiClient's free version on macOS does not support IKEv2. This will require an EMS license for v7.2.3 and above. For more information, see Technical Tip: FortiClient Mac does not support IKE v2 in IPsec.
  • FortiClient v7.2.4 or later supports SAML with Dial-up IPsec VPN. This requires IKEv2.
  • Dial-up IPsec with SAML using an external browser for authentication is supported starting from FortiOS v7.4.9 and v7.6.1, FortiClient versions v7.2.5 and v7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux.
  • Remote Gateway in the FortiClient VPN configuration must be FQDN or IP address only and should not include port or '/remote/saml/login'.
  • After upgrading FortiGate to v7.2.12, v7.4.9, or v7.6.4, the Azure IDP configuration must be updated to 'Sign SAML response and assertion, see Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.

 

Related documents:

IPsec VPN SAML-based authentication 

Troubleshooting Tip: Authentication Keepalive causing IPSEC VPN with SAML Authentication to fail

Technical Tip: How to use multiple groups with EAP for IKEv2 (SAML/RADIUS/local)

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients 
21427
Suggest New Article
Article Feedback
Comments
a677579
Staff
Staff
‎01-30-2025 09:07 AM

Very useful and well explained!!! Thanks!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.