Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
agomes
Staff
Staff

Created on ‎01-30-2025 04:39 AM Edited on ‎08-19-2025 10:55 PM By Community Manager

Article Id 370414

Technical Tip: Configuring IPsec VPN client-to-site with Azure SAML authentication

Description This article describes how to set up client-to-site IPsec VPN configuration with SAML authentication through the Azure portal.
Scope FortiGate v7.2.0 and later
Solution

Inside Enterprise Applications on the Azure portal, follow the steps below:

  1. Create a new FortiGate VPN SSL-type application.

 

Note: 

Do not be misled by the name of the application, 'FortiGate SSL VPN' - it is applicable for IPsec remote access VPN as well.

 

2025-01-15 13_02_25-Browse Microsoft Entra Gallery - Microsoft Azure and 1 more page - Perfil 1 - Mi.png

 

  1. Rename the application as desired and select the Create button.

2025-01-15 13_03_45-FortiGate SSL VPN - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ Edge.png

 

  1. When the application is created, go into it and add the users who can connect to the VPN.

2025-01-15 13_07_07-FortiGate IPSEC SAML - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ E.png

 

  1. Select single sign-on in the left menu and then in SAML to start the basic SAML configuration.
  2. Edit the Basic SAML Configuration panel.
  3. Copy the pattern on Identifier ID https://*.FORTIGATE-FQDN.com/remote/saml/metadata, change it with the VPN address, remove https and replace it with HTTP, and add a / into the field. See the example below: http://*.FORTIGATE-FQDN.com/remote/saml/metadata/

 

Do not forget to add the VPN port to the pattern. For example: http://vpnnamehere.com:10443/remote/saml/metadata/

 

Do the same to the reply URL, Sign-on URL, and logout URL. For these three fields, it is not necessary to change https to HTTP and add a / at the end of the URL.

 

2025-01-15 13_22_19-Basic SAML Configuration - Microsoft Azure and 1 more page - Perfil 1 - Microsof.png

 

  1. Inside Attributes & Claims, perform the following steps:
  • Delete the claim user.groups [SEcurityGroups].
  • Add a new claim called username with value user.principalname.
  • Add a new group claim, choose the All groups option, and source attribute as Group ID.
  • In advanced options still inside the group claim select the option 'Customize the name of the group claim' and add the name as 'group' without quotes.

 

The Attribute and Claim configuration need to be like the ones in the following image:

 

2025-01-15 13_31_26-Group Claims - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ Edge.png

 

Come back to the single sign-on configuration.

 

  1. Download the Certificate (Base64) and import it into the FortiGate as a Remote Certificate.

2025-01-15 13_32_44-FortiGate IPSEC SAML - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ E.png

 

2025-01-15 13_35_34-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

It is possible to rename this certificate in the CLI to make it easier to identify it through the following command:

 

config vpn certificate remote
rename <old_name> to <new_name>

 

  1. In the FortiGate configuration, go to User & Authentication and Authentication Settings. Change the certificate to the wildcard or use the Fortinet_Factory.
  2. Go to Single Sign-on, select Create New, and follow the steps below:
  • In the address field, use the same address that was used in the Azure single sign-on configuration. vpnnamehere.com:10443
  • On the certificate use Fortinet_Factory and select Next.
  • On the identity provider details, select the custom option.
  • See the table below to fill in correct the fields by just copying the information in the fields.

 

2025-01-15 13_47_43-FortiGate IPSEC SAML - Microsoft Azure and 1 more page - Perfil 1 - Microsoft​ E.png


2025-01-15 13_51_49-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

  • Use the certificate that was imported before.
  • In the attributes, use the username and groups for the respective fields.

 

2025-01-15 13_54_11-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

  1. Create a group inside the User Groups like the picture below.

Use the remote server, the single sign-on server that was created before, and choose the option any for the groups.

 

2025-01-15 13_56_30-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

  1. Create a VPN IPsec tunnel as a dial-up tunnel.

2025-01-15 13_59_08-FortiGate - FGT-CASA and 7 more pages - Personal - Microsoft​ Edge.png

 

Add the following commands inside the phase1-interface configuration:

 

config vpn ipsec phase1-interface

    edit "IPSEC_SAML_HOME"

        set eap enable
        set eap-identity send-request
        set authusrgrp "GR-VPN-SAML"
end

 

  1. Inside the config system global settings, add the command 'set auth-ike-saml-port 9443'. Note that this command is only supported on FortiGate 7.2.0 and later.
  2. Inside the link interface that will receive the connections, add the command to set ike-saml-server to 'SINGLE SIGN-ON PROFILE'.

    config system interface
        edit <name>
            set ike-saml-server <saml_server>
        next
    end

If IPsec is configured on the loopback interface, then the IKE SAML server must also be enabled on the loopback. If the user is internal to the FortiGate and IPsec is configured on the external interface, the command should be enabled on both the internal and external interfaces.

  1. Create a firewall policy as required to control the traffic.

 

SAML-FWpolicy.png


Note: 

Configure the user group either in the Phase 1 VPN settings (authusrgrp) or in the firewall policy, but not both.

 

  1. Configure the remote access profile in the FortiClient and fill in the information as configured in the VPN configuration.

2025-01-15 14_06_29-172.16.2.105 - Remote Desktop Connection.png

 

2025-01-15 14_12_34-Window.png

 

  1. Check the connectivity as per the policy that was created before.
  2. Use the troubleshooting commands below to check the SAML and IKE logs during the connection.

 

   diagnose debug reset

   diagnose debug console timestamp enable

diagnose vpn ike log filter rem-addr4 x.x.x.x <----- x.x.x.x is client public IP.

   diagnose debug app authd 255

diagnose debug application samld -1

diagnose debug app fnbamd -1

diagnose debug application eap_proxy -1

diagnose debug application ike -1

diagnose debug enable

 

To stop debugging:

diagnose debug disable

 

Note:

 FortiClient's free version on macOS does not support IKEv2. This will require an EMS license for v7.2.3 and above.

 

For more information, see Technical Tip: FortiClient Mac does not support IKE v2 in IPsec.

 

FortiClient v7.2.4 or later supports SAML with Dial-up IPsec VPN only with IKEv2.

 

Dial-up IPsec with SAML using an external browser for authentication is supported starting from FortiOS v7.6.1, FortiClient versions v7.2.5 and v7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux.

 

Remote Gateway in the FortiClient VPN configuration must be FQDN or IP address only and should not include port or '/remote/saml/login'.

 

Related documents:

IPsec VPN SAML-based authentication 

Troubleshooting Tip: Authentication Keepalive causing IPSEC VPN with SAML Authentication to fail

Technical Tip: How to use multiple groups with EAP for IKEv2 (SAML/RADIUS/local)
12440
Suggest New Article
Article Feedback
Comments
a677579
Staff
Staff
‎01-30-2025 09:07 AM

Very useful and well explained!!! Thanks!

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.