syadav
Staff
Article Id 307457
Description

This article describes how to configure a Dial-up IPsec VPN with Microsoft Entra ID SAML authentication.

Scope

FortiGate v7.6.1 and FortiClient v7.2.4 or later.

Solution

FortiClient v7.2.4 or later supports SAML with Dial-up IPsec VPN only with IKEv2.

The steps below show how to create a Dial-up IPsec VPN with Microsoft Entra ID (formerly known as Azure AD) SAML.

  1. Configure the auth-ike-saml-port in the FortiGate as shown below:


config system global
    set auth-ike-saml-port 9443
end

The default TCP port for IKE SAML is 1001.

  2. Configure the VPN certificate under user settings:


config user setting
    set auth-cert "Fortinet_Factory"
end

On the GUI, navigate to User & Authentication -> Authentication Settings:

[Screenshot: User & Authentication -> Authentication Settings, certificate selection]

  3. On the GUI, navigate to User & Authentication -> Single Sign-on and select 'Create new'. Configure SAML on the FortiGate and use the custom ike-saml-port in the address field:

[Screenshot: FortiGate Single Sign-On configuration with the custom SAML port in the address field]

  4. Create an Enterprise application in Microsoft Entra ID. Follow the guide below to create this enterprise application: Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...

  5. The Service provider configuration from Step 3 should be populated in the SAML Application in Azure, as shown in the screenshots below:

[Screenshots: Service provider values (entity ID, reply URL, logout URL) entered in the Entra ID enterprise application]

  6. Identity provider configuration from Azure should be populated in the SAML configuration on the FortiGate, as shown below:

[Screenshots: Identity provider values from Entra ID entered in the FortiGate SAML configuration]

Note:

The Azure links for the 'Assertion consumer service URL' and the 'Single logout service URL' are likely to be the same, but this must be confirmed.

  7. SAML configuration on the FortiGate should look like this:


config user saml
    edit "entra-id-saml"
        set cert "Fortinet_Factory"
        set entity-id http://10.21.7.128:9443/remote/saml/metadata/
        set single-sign-on-url https://10.21.7.128:9443/remote/saml/login
        set single-logout-url https://10.21.7.128:9443/remote/saml/logout
        set idp-entity-id https://sts.windows.net/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/
        set idp-single-sign-on-url https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2
        set idp-single-logout-url https://login.microsoftonline.com/347b5a44-8e8a-4062-b9b9-c9c7edd2bbaf/saml2
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

  8. Configure ike-saml-server under the listening interface:


config system interface
    edit "port2"
        set ike-saml-server "entra-id-saml"
    next
end

  9. The ike-saml-server setting enables a configured SAML server to listen on a FortiGate interface for SAML authentication requests from FortiClient remote access IPsec VPN clients.

Currently, this setting can only be configured in the CLI as follows:


config system interface
    edit <interface name> <----- WAN Interface.
        set ike-saml-server <saml_server name>
    next
end

  10. Configure the user group with the SAML server:


config user group
    edit "ike-saml"
        set member "entra-id-saml"
    next
end

  11. Configure Dial-up IPsec VPN:


config vpn ipsec phase1-interface
    edit "saml-vpn"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal des-sha1 des-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set authusrgrp "ike-saml"
        set ipv4-start-ip 10.1.1.1
        set ipv4-end-ip 10.1.1.254
        set dns-mode auto
        set psksecret ENC CmD7ySUqMXY6GCRYGsxQr7FQ8HY2H40+g0Ywimpcxlqgi4m7sYX4ws5d+eMM0YziovFdilnwJP/k5bM/Tdcomj4d2u/umne03oq71aekERi4xOUcJk+yh1KKgmgoA2ek9EX8L6egnByAFqynQIIzufV0bwKz+1DiXl+T3A3MiZ+cA7ePRL5WeAgUXP4wfEx+4FEoKQ==
        set dpd-retryinterval 60
    next
end

The eap and authusrgrp settings shown above can only be configured through the CLI.

config vpn ipsec phase2-interface
    edit "saml-vpn"
        set phase1name "saml-vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  12. Configure the firewall policy:


config firewall policy
    edit 0
        set name "saml-vpn"
        set srcintf "saml-vpn"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Note:

Configure the user group either in the firewall policy or in the Phase 1 VPN settings (authusrgrp), but not both.

  13. Configure the remote authentication timeout value as needed:


config system global
    set remoteauthtimeout 120
end

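As an added consistency check (not part of the article or of FortiOS), the following Python parses a FortiOS CLI fragment and verifies the rules stated in the steps above: IKEv2, 'set eap enable' together with 'set authusrgrp', an ike-saml-server bound to the phase1 interface whose SSO URL uses the auth-ike-saml-port, and the user group not being set in both authusrgrp and the firewall policy. The sample configuration is constructed from the article's blocks; the policy attribute 'groups' is assumed to be the FortiOS name for the policy user-group setting.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample, condensed from the article's CLI blocks (indentation is not significant).
SAMPLE = "\n".join([
    "config system global", "set auth-ike-saml-port 9443", "end",
    "config user saml", 'edit "entra-id-saml"',
    "set single-sign-on-url https://10.21.7.128:9443/remote/saml/login", "next", "end",
    "config system interface", 'edit "port2"', 'set ike-saml-server "entra-id-saml"', "next", "end",
    "config vpn ipsec phase1-interface", 'edit "saml-vpn"', 'set interface "port2"',
    "set ike-version 2", "set eap enable", 'set authusrgrp "ike-saml"', "next", "end",
])

def parse_fortios(text):
    tree, stack = {}, []  # -> {section: {entry: {key: [values]}}}; 'set' outside 'edit' goes under ''
    for line in text.splitlines():
        tok = shlex.split(line.split("<--")[0])  # drop '<----- comment' annotations
        if tok and tok[0] == "config":
            stack.append([tree.setdefault(" ".join(tok[1:]), {}), ""])
        elif tok and tok[0] == "edit":
            stack[-1][1] = tok[1]
        elif tok and tok[0] == "set":
            stack[-1][0].setdefault(stack[-1][1], {})[tok[1]] = tok[2:]
        elif tok and tok[0] == "next":
            stack[-1][1] = ""
        elif tok and tok[0] == "end":
            stack.pop()
    return tree

def check_ike_saml(tree):
    """Flag deviations from the requirements the article states for a SAML dial-up IPsec phase1."""
    port = tree.get("system global", {}).get("", {}).get("auth-ike-saml-port", ["1001"])[0]  # 1001 = default
    findings = []
    for name, p1 in tree.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("ike-version") != ["2"]:
            findings.append(f"{name}: SAML with dial-up IPsec requires ike-version 2")
        if p1.get("eap") != ["enable"] or "authusrgrp" not in p1:
            findings.append(f"{name}: 'set eap enable' and 'set authusrgrp' are required (CLI only)")
        iface = p1.get("interface", [""])[0]
        sp = tree.get("system interface", {}).get(iface, {}).get("ike-saml-server", [""])[0]
        url = tree.get("user saml", {}).get(sp, {}).get("single-sign-on-url", [""])[0]
        if not sp or str(urlsplit(url).port) != port:
            findings.append(f"{name}: {iface} needs an ike-saml-server whose SSO URL uses port {port}")
        # Article note: the user group belongs in authusrgrp or in the policy ('set groups', assumed name), not both
        both = [pid for pid, pol in tree.get("firewall policy", {}).items()
                if pol.get("srcintf") == [name] and "groups" in pol and "authusrgrp" in p1]
        if both:
            findings.append(f"{name}: user group set in both authusrgrp and firewall policy {both}")
    return findings
```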
On the user machine, configure the IPsec VPN in FortiClient with SSO for the VPN tunnel enabled and customize the port to match the value set in step 1.

Note:

Remote Gateway must be an FQDN or IP address only and should not include the SAML port or '/remote/saml/login'.

[Screenshot: FortiClient IPsec VPN settings with SSO enabled and the custom SAML port]

If an untrusted certificate is used in Step 2, FortiClient will show this warning:

[Screenshots: FortiClient untrusted certificate warning]

Users can now successfully log in using Entra ID SAML to the Dial-up IPsec VPN.


Note:

Enabling IPsec with SAML from an internal network, such as the LAN or a Wi-Fi SSID, is also possible. Make sure the SAML server is also set on that interface so that it listens for SAML requests on that specific interface.


config system interface
    edit <SSID or LAN interface name>
        set ike-saml-server <saml server name>
    next
end

Note:

IKE with SAML authentication does not support multiple SAML servers on the same interface, because the SAML server is bound directly to the interface and only one instance can be configured.

FortiClient macOS support for IKEv2 requires v7.4.3 for the free client: Technical Tip: FortiClient Mac (macOS) IPsec VPN IKEv2 support.

Troubleshooting:

Execute the following commands to enable debugging on the FortiGate, then reproduce the issue if there is one:

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application samld -1
diagnose debug application ike -1
diagnose debug application eap_proxy -1

diagnose debug enable

To stop the debug, run the following commands:


diagnose debug disable
diagnose debug reset

Sample output of debugging:

Username and group will be sent once authentication completes:

samld_send_common_reply [99]: Attr: 17, 31, magic=0005078391918893
samld_send_common_reply [99]: Attr: 18, 33, 2025-10-03T07:33:00.084Z
samld_send_common_reply [95]: Attr: 10, 99, 'http://schemas.microsoft.com/identity/claims/tenantid' '267a0bd3-27c7-43b6-91cc-2b7b3566d206'
samld_send_common_reply [95]: Attr: 10, 107, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '7edcc834-0b48-407f-a149-0c430dff9a63'
samld_send_common_reply [95]: Attr: 10, 72, 'http://schemas.microsoft.com/identity/claims/displayname' 'User 1'
samld_send_common_reply [95]: Attr: 10, 132, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/267a0bd3-27c7-43b6-91cc-2b7b3566d206/'
samld_send_common_reply [95]: Attr: 10, 146, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [95]: Attr: 10, 78, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'User1'
samld_send_common_reply [95]: Attr: 10, 75, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'Test'
samld_send_common_reply [95]: Attr: 10, 96, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'user1@csn339.onmicrosoft.com'
samld_send_common_reply [95]: Attr: 10, 46, 'username' 'user1@csn339.onmicrosoft.com' <- user account
samld_send_common_reply [95]: Attr: 10, 52, 'group' '0c2539c3-e5e9-4caa-a5bc-f64370d62e7b' <- group, in this sample is the object ID of the user group
samld_send_common_reply [99]: Attr: 11, 1097, https://login.microsoftonline.com/......
samld_send_common_reply [119]: Sent resp: 15040, pid=2055, job_id=563593.
ike V=root:0: comes 124.120.105.176:500->10.47.1.243:500,ifindex=3,vrf=0,len=466.... <- After SAML authentication is completed, the client will send packets to establish the IPsec tunnel. Therefore, the IKE debug will be triggered after SAML authentication.
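As an added triage helper (not from the article), this Python extracts the attributes from samld_send_common_reply lines, confirms that the claim names configured as user-name and group-name in 'config user saml' were actually sent, and records IKE 'comes' peers seen after the SAML reply, which is the order of events described above. The debug lines are constructed after the sample output.

```python
import re

# Constructed debug lines, modelled on the samld/ike output shown above (values copied from the sample).
SAMPLE_DEBUG = """\
samld_send_common_reply [95]: Attr: 10, 72, 'http://schemas.microsoft.com/identity/claims/displayname' 'User 1'
samld_send_common_reply [95]: Attr: 10, 96, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'user1@csn339.onmicrosoft.com'
samld_send_common_reply [95]: Attr: 10, 46, 'username' 'user1@csn339.onmicrosoft.com'
samld_send_common_reply [95]: Attr: 10, 52, 'group' '0c2539c3-e5e9-4caa-a5bc-f64370d62e7b'
samld_send_common_reply [119]: Sent resp: 15040, pid=2055, job_id=563593.
ike V=root:0: comes 124.120.105.176:500->10.47.1.243:500,ifindex=3,vrf=0,len=466....
"""

# 'Attr: 10' lines carry the assertion attributes as 'name' 'value' pairs
ATTR_RE = re.compile(r"samld_send_common_reply \[\d+\]: Attr: 10, \d+, '([^']*)' '([^']*)'")
IKE_RE = re.compile(r"^ike V=\S+?: comes (\S+?)->([^,]+),")

def parse_samld_debug(text):
    """Return (claims, ike_peers): attributes samld sent, and IKE peers seen after the SAML reply."""
    claims, ike_peers, replied = {}, [], False
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            claims[m.group(1)] = m.group(2)
        elif "Sent resp:" in line:
            replied = True  # SAML authentication finished; IKE negotiation is expected to follow
        elif replied and (m := IKE_RE.match(line)):
            ike_peers.append(m.group(1))
    return claims, ike_peers

def check_claims(claims, user_name="username", group_name="group"):
    """Confirm the claim names set as user-name / group-name in 'config user saml' were actually sent."""
    problems = []
    for setting, claim in (("user-name", user_name), ("group-name", group_name)):
        if claim not in claims:
            problems.append(f"{setting} '{claim}' missing; IdP sent: {sorted(claims)}")
    return problems
```

If the IdP sends the user or group under a different claim name than the FortiGate expects, check_claims reports it, which is the usual cause of a SAML login that succeeds in the browser but never reaches the IKE stage.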

For detailed troubleshooting steps, refer to Technical Tip: Troubleshoot IPsec SAML Dial-Up tunnel.

Note:

Dial-up IPsec with SAML using an external browser for authentication is supported starting from FortiOS v7.4.9 and v7.6.1, FortiClient versions 7.2.5 and 7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux: Technical Tip: FortiClient SAML Authentication Configuration Demystified.

Starting from FortiGate versions 7.2.12, 7.4.9, and 7.6.4, the device verifies the signature of SAML response messages. This enhancement is detailed in the SAML certificate verification section of the Release Notes: SAML certificate verification.

Additional Note: SAML certificate verification

This enhancement also applies to FIPS-CC CVE-Patched builds for FortiOS v7.2 (for example, builds beginning with FIPS-CC-72-5 and later).

After upgrading, SAML authentication may fail when FortiGate is configured as the Service Provider, such as in IPsec/SSL VPN, administrator SSO login, or SAML captive portal scenarios.

To comply with the updated verification requirement, both the SAML assertion and the SAML response must be signed.

For detailed troubleshooting steps and configuration guidance, refer to the following article: Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.

Related documents:

Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients