• Solution

• The issue can happen if the is a mismatch in IDP or SP URLs addresses between the FortiGate and Microsoft Azure Single Sign-On page. This can be verified by checking the following on a FortiGate CLI session and comapring it with the SAML SSO setting on Azure portal.

config user saml

    edit "azure"

        set entity-id ''

        set single-sign-on-url ''

        set single-logout-url ''

        set idp-entity-id ''

        set idp-single-sign-on-url ''

        set idp-single-logout-url ''

    next

end

• Another possible issue is that there is no firewall policy created for the ssl.root. In the case of different VDOM, the interface name is ssl.<vdom name>. The source including the SAML group that contains the user saml 'azure' or the Azure remote group is missing from the SSL VPN authentication rules.

• For details about configuring the SSL VPN connection with SAML authentication and Azure as the IDP server check the following links:

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial

Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP