FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 269600

This article describes the possible reasons for SSL VPN connection setup with SAML authentication and Azure as the Identity provider (IDP) redirecting to the error page 'invalid http request'.

  • Solution
  • The issue can happen if the is a mismatch in IDP or SP URLs addresses between the FortiGate and Microsoft Azure Single Sign-On page. This can be verified by checking the following on a FortiGate CLI session:


config user saml

    edit "azure"

        set entity-id ''

        set single-sign-on-url ''

        set single-logout-url ''

        set idp-entity-id ''

        set idp-single-sign-on-url ''

        set idp-single-logout-url ''




  • Another possible issue is that there is no firewall policy created for the ssl.root. In the case of different VDOM, the interface name is ssl.<vdom name>. With the source including the SAML group that contains the user saml 'azure' or the azure remote group is missing from the SSL VPN authentication rules. For details about configuring the SSL VPN connection with SAML authentication and Azure as the IDP server check the following links: