ctan, Staff
Article Id 200812
Description

This article describes how to create an SSL VPN with Azure SAML authentication and optional steps for multiple SSL VPN Realms.

Scope: FortiOS.
Solution

The steps below show how to create an SSL VPN with Azure SAML authentication, with optional steps for multiple SSL VPN realms.
By default there is a default connection with no realm. If this default connection also uses SAML, another realm must be configured for the default (no realm) connection to avoid conflicts with the other realms.

  A. Configure Azure as SAML authentication IdP.
  1. Log in to the Azure Portal -> Microsoft Entra ID.
  2. Go to Users and create new users.
  3. Go to Groups.

Note: remember to assign 'owner and member' and copy the Group Object ID, which is used later when configuring the FortiGate user group.

 


  4. Now, go to Enterprise applications -> New application -> search for 'FortiGate' -> select FortiGate SSL VPN and give it a name.



  5. Assign Users and groups -> Add user/group.

  6. Create Single sign-on SAML.

 

  • Define the Basic SAML Configuration parameters:
    Identifier (Entity ID): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata
    Reply URL (Assertion Consumer Service URL): https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
    Sign-on URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login
    Relay State: optional
    Logout URL: https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout

Define Attributes & Claims -> Edit.

Add a New claim.

  • Edit the existing group claim and set its Name to 'group' under Advanced options -> Customize the name of the group claim.


  • If the Security Group claim already exists, edit its Claim Name to 'group'.

 


  7. Download the 'Certificate (Base64)'.

Note: remember to re-download this certificate if the FQDN is changed.


  8. Copy down the information from item '4 - Set up FortiGate SSL VPN' on the Azure single sign-on page (Login URL, Azure AD Identifier and Logout URL).


  B. Configure FortiGate SSL VPN with SAML authentication.

  1. Log in to the FortiGate WebUI -> System -> Certificates -> Import -> Remote Certificate and upload the downloaded SAML certificate (Base64).
  • Optional: rename the imported remote certificate to something meaningful (the default imported name is 'REMOTE_Cert#', where # is a number 1-9).

 

CLI command:

config vpn certificate remote
    show
    rename REMOTE_Cert# to AzureSAML-CA
end

 

  2. Configure the remote authentication timeout value as needed.

 

config system global
    set remoteauthtimeout 60
end


One issue reported when 'set remoteauthtimeout 60' is missing is that users have to attempt the login several times before the connection succeeds, because the SAML login round trip through the browser to Azure can take longer than the default timeout; after applying the configuration, the issue is resolved.

 

  3. Create the SAML IdP:

 

CLI command:

config user saml
    edit "azure-name"
        set cert "<server certificate assigned in SSL-VPN settings>"
        set entity-id "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/metadata"
        set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
        set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
        set idp-entity-id "<Azure AD identifier>"
        set idp-single-sign-on-url "<Login URL>"
        set idp-single-logout-url "<Logout URL>"
        set idp-cert "<Certificate imported earlier>"
        set user-name "username"
        set group-name "group"
    next
end
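A mismatch between the Azure Basic SAML Configuration (section A) and the FortiGate 'config user saml' block above is the usual reason the SSO login never completes. The following Python check is an added example, not part of this article or of any Fortinet tool: it parses the FortiGate block, rebuilds the expected SP URLs from the FQDN and port, and compares both sides; the host 'fgt.example.com', port 10443 and the sample Azure values are constructed for the example.

```python
import re

# Constructed values for the example (not from the article): SSL VPN FQDN and custom port.
HOST, PORT = "fgt.example.com", 10443

def sp_urls(host, port):
    """SP-side URLs the article defines identically for Azure and FortiGate."""
    base = f"https://{host}:{port}/remote/saml"
    return {"entity-id": f"{base}/metadata",
            "single-sign-on-url": f"{base}/login",
            "single-logout-url": f"{base}/logout"}

def parse_user_saml(cli):
    """Collect the 'set <key> "<value>"' lines of a FortiOS 'config user saml' block."""
    return dict(re.findall(r'^\s*set\s+(\S+)\s+"?([^"\n]*?)"?\s*$', cli, re.M))

# Azure 'Basic SAML Configuration' field -> FortiGate 'config user saml' attribute.
AZURE_TO_FGT = {"Identifier (Entity ID)": "entity-id",
                "Reply URL": "single-sign-on-url",
                "Logout URL": "single-logout-url"}

def check_saml_sp(cli, azure, host=HOST, port=PORT):
    """Return a list of mismatches; an empty list means both sides agree."""
    fgt, expected, problems = parse_user_saml(cli), sp_urls(host, port), []
    for azure_key, key in AZURE_TO_FGT.items():
        if fgt.get(key) != expected[key]:
            problems.append(f"FortiGate {key} should be {expected[key]}")
        value = azure.get(azure_key, "")
        if not value.startswith("https://"):
            problems.append(f"Azure {azure_key} must start with https://")
        if value != expected[key]:
            problems.append(f"Azure {azure_key} should be {expected[key]}")
    # The claim name configured in Azure (section A) must equal group-name here.
    if fgt.get("group-name") != "group":
        problems.append("group-name must be 'group' to match the Azure claim name")
    return problems

# Constructed FortiGate block and Azure values used to exercise the check.
FGT_CLI = """config user saml
    edit "azure-name"
        set entity-id "https://fgt.example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://fgt.example.com:10443/remote/saml/login"
        set single-logout-url "https://fgt.example.com:10443/remote/saml/logout"
        set user-name "username"
        set group-name "group"
    next
end"""
AZURE_OK = {k: sp_urls(HOST, PORT)[v] for k, v in AZURE_TO_FGT.items()}
# Logout URL entered without the scheme, the kind of slip the check is meant to catch.
AZURE_BAD = dict(AZURE_OK, **{"Logout URL": "fgt.example.com:10443/remote/saml/logout"})
```

check_saml_sp(FGT_CLI, AZURE_OK) returns an empty list, while check_saml_sp(FGT_CLI, AZURE_BAD) reports the missing scheme and the resulting URL mismatch for the Logout URL.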

  4. Create the SAML group.
    CLI command:

config user group
    edit "saml-group01"
        set member "azure-name"
        config match
            edit 0
                set server-name "azure-name"
                set group-name "<Group Object ID>"
            next
        end
    next
end

Note: the Group Object ID is the one copied in the Groups step of section A.

 

  5. Firewall policy for SSL VPN:


  C. Optional: create multiple SSL VPN realms with SAML authentication.

Requirement: create multiple SAML users and groups (refer to section A, Configure Azure as SAML authentication IdP).

  1. Log in to the FortiGate WebUI -> System -> Feature Visibility -> enable 'SSL-VPN Realms' -> Apply.
  2. Go to VPN -> SSL-VPN Realms -> Create new (note: it is possible to create multiple realms, for example FullTunnel and SplitTunnel).


  3. Go to VPN -> SSL-VPN Portals -> create two new portals (Full Tunnel and Split Tunnel accordingly).
    • The portals may be separated by assigning them different SSL VPN IP address ranges.


  4. Go to VPN -> SSL-VPN Settings and make sure the settings match the screenshot below.

  5. Firewall policy for SSL VPN with multiple realms:


  D. FortiClient configuration and testing:

FortiClient setup.

  1. SSL VPN with SAML SSO.


  2. SSL VPN realms with SAML SSO:


To debug, run these commands in the FortiGate command line interface (CLI), either on the console or while connected to the FortiGate via SSH:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable

To stop the debug:

diagnose debug disable
diagnose debug reset

 

Related documents:

Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP
Configuration for FortiAuthenticator as the SAML server (IdP)
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...
Troubleshooting Tip: SSL VPN Troubleshooting
Technical Tip: How to read SAML Debug output