Created on 06-23-2025 10:40 AM
Edited on 07-18-2025 11:43 AM
By ssanga
This article describes how to set up FortiClient to authenticate to a FortiGate dial-up IPsec tunnel using Google as the SAML identity provider (IdP).
Configure SAML SSO.
Configure the IPsec Tunnel on the FortiGate.
Configure FortiClient.
An example of how to deploy the configuration via FortiClient EMS can be found in IPsec VPN SAML-based authentication - FortiClient 7.2.0 documentation under Use Case 1, item 3. The following example shows manual configuration of an unmanaged FortiClient. Open FortiClient, select the context menu button, and select Add a new connection:
Set Options to Mode Config.
For Phase 1 and Phase 2 settings, configure the settings to match the settings configured on the FortiGate, then select Save:
Select Connect on the newly created connection. If everything is configured correctly, a browser pop-up to authenticate with Google appears. After authentication completes, the client connects to the FortiGate.
If the connection does not succeed, the first thing to check is that the SP and IdP URLs match exactly on both Google and the FortiGate, including scheme, port and any trailing slash.
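One way to do that check mechanically, as an added example that is not from the article: the script below parses the IdP metadata XML downloaded from the Google Admin console, a show user saml dump from the FortiGate, and the service provider values typed into the Google SAML app, and reports every setting that differs. All three inputs are constructed samples with placeholder identifiers (idpid C0example, hostname vpn.example.com, certificate names); the sample ACS URL deliberately lacks the trailing slash so the mismatch is visible.

```python
"""Added example (not from the article): cross-check the SAML settings the
article says must match exactly. Inputs are constructed samples with
placeholder identifiers (idpid C0example, hostname vpn.example.com)."""
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# (1) IdP metadata in the shape Google Admin exports; the certificate body is a placeholder.
GOOGLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C0example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAXplaceholder
          CERTIFICATEbodyCONTINUES</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# (2) Constructed 'show user saml' output from the FortiGate (certificate names assumed).
FORTIGATE_SAML_CONFIG = """config user saml
    edit "google-saml"
        set cert "Fortinet_Factory"
        set entity-id "http://vpn.example.com:4433/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:4433/remote/saml/login/"
        set idp-entity-id "https://accounts.google.com/o/saml2?idpid=C0example"
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid=C0example"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end"""

# (3) Service provider details typed into the Google SAML app. The ACS URL
# lacks the trailing slash on purpose: exactly the kind of mismatch the
# article tells you to look for first.
GOOGLE_SP_SETTINGS = {
    "ACS URL": "https://vpn.example.com:4433/remote/saml/login",
    "Entity ID": "http://vpn.example.com:4433/remote/saml/metadata/",
}


def parse_idp_metadata(xml_text):
    """Return the IdP entity ID, SSO URL and base64 signing certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    # The FortiGate sends the browser to the IdP, so prefer the Redirect binding.
    sso_url = (sso.get("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
               or next(iter(sso.values()), None))
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    return {"idp-entity-id": root.get("entityID"),
            "idp-single-sign-on-url": sso_url,
            "idp-cert-b64": "".join(cert.split())}  # drop the line wrapping


def parse_fortigate_saml(config_text):
    """Collect 'set <name> <value>' lines from a FortiOS 'config user saml' dump."""
    pattern = re.compile(r'^\s*set\s+(\S+)\s+"?([^"\n]*)"?\s*$', re.MULTILINE)
    return {m.group(1): m.group(2) for m in pattern.finditer(config_text)}


def check_idp_side(idp, fgt):
    """{setting: (fortigate_value, google_value)} for IdP values that differ."""
    return {k: (fgt.get(k), idp[k]) for k in ("idp-entity-id", "idp-single-sign-on-url")
            if fgt.get(k) != idp[k]}


def check_sp_side(fgt, google_sp):
    """{setting: (fortigate_value, google_value)} for SP values that differ."""
    pairs = {"single-sign-on-url": "ACS URL", "entity-id": "Entity ID"}
    return {f: (fgt.get(f), google_sp.get(g)) for f, g in pairs.items()
            if fgt.get(f) != google_sp.get(g)}


def idp_cert_pem(idp):
    """PEM form of the IdP signing certificate, for import as a FortiGate remote certificate."""
    body = "\n".join(textwrap.wrap(idp["idp-cert-b64"], 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    idp = parse_idp_metadata(GOOGLE_IDP_METADATA)
    fgt = parse_fortigate_saml(FORTIGATE_SAML_CONFIG)
    problems = {**check_idp_side(idp, fgt), **check_sp_side(fgt, GOOGLE_SP_SETTINGS)}
    for setting, (fortigate_value, google_value) in problems.items():
        print(f"mismatch on {setting}: FortiGate={fortigate_value!r} Google={google_value!r}")
    print(idp_cert_pem(idp))
```

Run against the real inputs, a clean result means the URL side is not the problem and the debug output below is the next place to look; the PEM printed at the end is what gets imported as the remote certificate referenced by idp-cert.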
If the connection still fails, run the following debug commands on the FortiGate and attempt the connection again to capture output showing why it is failing (run diagnose debug disable afterwards to stop the output):
diagnose debug reset
diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable
Note:
Dial-up IPsec with SAML using an external browser for authentication is supported starting from FortiOS v7.6.1, FortiClient versions 7.2.5 and 7.4.1 for Mac and Windows, and FortiClient version 7.4.3 for Linux.
Copyright 2025 Fortinet, Inc. All Rights Reserved.