The steps below show how to create an SSL VPN with Azure SAML authentication, with optional steps for multiple SSL VPN realms. Every FortiGate has a default SSL VPN connection with no realm. If this default (no realm) connection also uses SAML, it must be given its own SAML configuration, separate from the realm-specific ones, so that it does not conflict with the other realms.
A. Configure Azure as SAML authentication IdP.
- Log in to the Azure Portal -> Microsoft Entra ID.
- Then, go to Users and create new users.
- After that, go to Groups.
Note: Remember to assign owners and members to the group, and copy the Group Object ID; it is used later when configuring the FortiGate user group.
- Now, go to Enterprise applications. New application -> Search for 'FortiGate' -> Select FortiGate SSL VPN and give it a name.

- Assign Users and groups -> Add user/group.

- Under Single sign-on, select SAML.
- Define the Basic SAML Configuration parameters:
Identifier (Entity ID): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata
Reply URL (Assertion Consumer Service URL): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
Sign-on URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
Relay State: optional.
Logout URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout
Note: scheme, host, port and path of these values must match the FortiGate SAML configuration exactly; the FortiGate compares them as strings, so a different port or an extra trailing slash causes the assertion to be rejected.
- Define Attributes & Claims -> Edit.
- Add a new claim named 'username'; this name must match the user-name attribute configured on the FortiGate later.
- Edit the existing Group claim and, under Advanced options -> Customize the name of the group claim, set the Name to 'group'.

- If the Security Group claim already exists, it is possible to edit the Claim Name to 'group'.


- Download the 'Certificate (Base64)'.
Note:
Remember to re-download this certificate after changing the FQDN.

- Copy the values from item 4, 'Set up FortiGate SSL VPN' (Login URL, Azure AD Identifier and Logout URL); they are entered on the FortiGate in the next section.

B. Configure FortiGate SSL VPN with SAML authentication.
- Log in to FortiGate WebUI -> System -> Certificates -> Import -> Remote Certificate -> and upload the downloaded SAML Certificate (Base64).
- Optional: rename the imported remote certificate to a meaningful name (the default imported name is 'REMOTE_Cert#', where # is a number [1-9]; 'show' lists the current names).
CLI command:
config vpn certificate remote
    show
    rename REMOTE_Cert# to AzureSAML-CA
end
- Configure the remote authentication timeout value as needed:
config system global
    set remoteauthtimeout 60
end
A reported issue is that, before remoteauthtimeout was set to 60, users had to attempt the login several times before a connection succeeded; after this setting was applied the issue was resolved.
- Create the SAML IdP (SAML server object):
CLI command:
config user saml
    edit "azure-name"
        set cert "<Server Certificate assigned in SSL-VPN settings>"
        set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata"
        set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
        set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
        set idp-entity-id "<Azure AD Identifier>"
        set idp-single-sign-on-url "<Login URL>"
        set idp-single-logout-url "<Logout URL>"
        set idp-cert "<Remote certificate imported earlier>"
        set user-name "username"
        set group-name "group"
    next
end
Note: entity-id, single-sign-on-url and single-logout-url must be identical to the values entered in the Azure Basic SAML Configuration, and user-name and group-name must match the claim names defined in Azure ('username' and 'group').
- Create the SAML user group:
CLI command:
config user group
    edit "saml-group01"
        set member "azure-name"
        config match
            edit 0
                set server-name "azure-name"
                set group-name "<Group Object ID>"
            next
        end
    next
end
Note: <Group Object ID> is the Group Object ID copied from the Azure group in section A.
- Firewall policy for SSL VPN:

C. Optional: create multiple SSL VPN realms with SAML authentication.
Requirement: one SAML server entry and one user group per realm on the FortiGate, each backed by its own Azure enterprise application, users and group (repeat the steps in A. Configure Azure as SAML authentication IdP for each realm).
- Log in to the FortiGate WebUI -> System -> Feature Visibility -> enable 'SSL-VPN Realms' -> Apply.
- Go to VPN -> SSL-VPN Realms -> Create New. (Note: multiple realms can be created, for example FullTunnel and SplitTunnel.)
- Go to VPN -> SSL-VPN Portals -> create two new portals (Full Tunnel and Split Tunnel, respectively).
- The portals can be kept apart by assigning each one a different SSL VPN IP pool (subnet):
- Go to VPN -> SSL-VPN Settings and make sure the authentication/portal mapping looks similar to the screenshot below:

- Firewall policy for SSL VPN with multiple realms:

D. FortiClient configuration and testing:
FortiClient setup.
- SSL VPN with SAML SSO.
- SSL VPN realms with SAML SSO:

To debug, run these commands in the FortiGate CLI (console or SSH session):
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable
To stop the debug:
diagnose debug disable
diagnose debug reset
Related documents:
Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP
Configuration for FortiAuthenticator as the SAML server (IdP)
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...
Troubleshooting Tip: SSL VPN Troubleshooting
Technical Tip: How to read SAML Debug output
Troubleshooting Tip: How to troubleshoot SAML authentication