Created on 12-13-2021 04:58 PM
Edited on 10-20-2025 10:57 PM
By Anthony_E
Description
This article describes how to handle the warning 'Invalid Certificate detected, Are you sure you want to Continue?' that appears on the client when there are changes to the SSL VPN certificate or to the SSL VPN server certificate.
In this example, the IdP is Microsoft Azure, and the SP is the FortiGate.
Scope
FortiGate v6.4 and v7.0, FortiClient v6.4 and v7.0.
Solution
The error message is as follows:
The warning shown above, which appears after entering the credentials, is a warning from Azure (the IdP).
Recent changes may include:
When connecting to SSL VPN by FQDN (fully qualified domain name), change the public IP address to the FQDN on both the FortiGate and the Azure end:
config user saml
    edit <name>
        set entity-id "https://<FQDN>:<Custom SSL VPN port>/remote/saml/metadata"
        set single-sign-on-url "https://<FQDN>:<Custom SSL VPN port>/remote/saml/login"
        set single-logout-url "https://<FQDN>:<Custom SSL VPN port>/remote/saml/logout"
end
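The check below is an added example, not Fortinet's code or part of the original article: it parses a 'config user saml' block and flags SP URLs that still use an IP address, point at a different host than the expected FQDN, or do not all share the same host and port. The entry name, the FQDN vpn.example.com, port 10443 and the address 203.0.113.10 are constructed sample values.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample (not from a real device): the SSO URL still uses the public IP.
SAMPLE_CONFIG = '''
config user saml
    edit "azure-sslvpn"
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://203.0.113.10:10443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10443/remote/saml/logout"
    next
end
'''

# The three SP settings shown in the article and the path each one carries.
EXPECTED_PATHS = {
    "entity-id": "/remote/saml/metadata",
    "single-sign-on-url": "/remote/saml/login",
    "single-logout-url": "/remote/saml/logout",
}
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"([^"]*)"\s*$', re.MULTILINE)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_saml_urls(config_text, expected_fqdn):
    """Return findings for the SP URLs found in a 'config user saml' block."""
    findings, seen = [], {}
    for key, value in SET_RE.findall(config_text):
        if key not in EXPECTED_PATHS:
            continue
        url = urlsplit(value)
        host = url.hostname or ""
        seen[key] = (host, url.port)
        if is_ip_literal(host):
            findings.append(f"{key}: host {host} is an IP address, not an FQDN")
        elif host != expected_fqdn.lower():
            findings.append(f"{key}: host {host} differs from {expected_fqdn}")
        if url.scheme != "https" or url.path != EXPECTED_PATHS[key]:
            findings.append(f"{key}: expected https and path {EXPECTED_PATHS[key]}")
    findings += [f"{k}: not set" for k in EXPECTED_PATHS if k not in seen]
    if len(set(seen.values())) > 1:
        findings.append("SP URLs do not all use the same host and port")
    return findings
```

Calling check_saml_urls(SAMPLE_CONFIG, "vpn.example.com") returns the list of findings; an empty list means the three URLs agree with the expected FQDN.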
Change from IP address to FQDN here, or change the hostname as necessary:
Related documents:
SAML SSO configuration from Web GUI
SAML daemon crashing when ECC or DSA certificates are used
Illustrated explanation of SAML authentication
SAML SSO for Admins - Azure as IdP
SAML SSO for Admins - JumpCloud as IdP
SAML SSO for Admins - Okta as IdP
Set up SAML admin LDAP login on Fortigate (SP) with FortiAuthenticator (IdP)
Configuring FortiGate SSO Administrators with ADFS as SAML IdP
Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1
Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP
Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML IdP