FortiGate
pachavez
Staff
Article Id 273317
Description

This article describes how to resolve the following error in SAML authentication, which appears after the user signs in at Microsoft:

'Sorry, but we’re having trouble signing you in.

AADSTS700016: Application with identifier 'https://10.230.3.239:1003/remote/saml/metadata/' was not found in the directory 'Default Directory'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.'

Scope

FortiGate v7.2.5 as SAML Service Provider (SP), Microsoft Azure as Identity Provider (IdP).

Solution

In this setup, a captive portal with SAML authentication is configured on the FortiGate for LAN users.

When a user opens a website, the FortiGate redirects the browser to the Microsoft sign-in page before allowing access to the site:

(Screenshot: Microsoft sign-in page)

After the user signs in on the Microsoft page, Azure returns the error instead of redirecting back to the FortiGate:

'Sorry, but we’re having trouble signing you in.

AADSTS700016: Application with identifier 'https://10.230.3.239:1003/remote/saml/metadata/' was not found in the directory 'Default Directory'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.'

(Screenshot: AADSTS700016 error page)

Despite the wording of the message, the cause in this scenario is not a missing or unconsented application but an identifier mismatch: Azure looks up the enterprise application by the identifier the SP sent in its request, and no application in the tenant has that exact value.

Check whether the Identifier (Entity ID) configured on the Azure enterprise application (Single sign-on > Basic SAML Configuration) is the same string as the entity-id configured on the FortiGate (the entity-id setting under config user saml on the CLI):

Azure:

(Screenshot: Azure Basic SAML Configuration, Identifier (Entity ID))

FortiGate:

(Screenshot: FortiGate SAML SP entity-id)

In this example the two values differ only in the scheme: one side has 'https://' in front of the address and the other 'http://'. The entity ID is compared as a plain string, not resolved as a URL, so that difference alone is enough for Azure to reject the request. The identifier quoted in the AADSTS700016 message is the Issuer value that the FortiGate sent in its SAML request; that is the string that must exist, character for character, as the Identifier (Entity ID) of the Azure application, including the scheme, the port and the trailing slash.

To resolve the issue, either change the Identifier (Entity ID) on Azure to match the FortiGate's entity-id, or change the entity-id on the FortiGate to match Azure's. Changing the FortiGate side only alters the identifier it sends; the Reply URL (Assertion Consumer Service URL) on Azure is a separate setting and must still match the FortiGate's single-sign-on-url.

Once the entity IDs on Azure and the FortiGate match, the SAML LAN user can authenticate successfully and is redirected to the website.
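As an added example (not part of the original article, and not Fortinet code), the following Python script reproduces the check described above on the wire: it builds a sample HTTP-Redirect AuthnRequest of the kind the FortiGate sends the browser to, decodes the SAMLRequest parameter back to the Issuer, and reports where the Issuer and the Azure Identifier differ. The tenant segment of the Azure sign-on URL is a placeholder, and the request is constructed here rather than captured from a FortiGate; the decoder works the same on a real redirect URL copied from the browser's address bar or developer tools.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_redirect_url(idp_sso_url, sp_entity_id, acs_url):
    """Build an HTTP-Redirect binding AuthnRequest URL of the kind an SP sends
    the browser to. Constructed for this example, not captured from a FortiGate.
    The SP names itself in <saml:Issuer>; that is the value Azure matches
    against the enterprise application's Identifier (Entity ID)."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAML_PROTOCOL}" '
        f'xmlns:saml="{SAML_ASSERTION}" ID="_example-request-1" Version="2.0" '
        f'IssueInstant="2023-09-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )
    # Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    return f"{idp_sso_url}?{urlencode({'SAMLRequest': saml_request})}"


def sp_issuer_from_redirect(url):
    """Decode the SAMLRequest parameter of a redirect URL copied out of the
    browser and return the Issuer, i.e. the SP entity ID the FortiGate sent."""
    query = parse_qs(urlparse(url).query)
    saml_request = query["SAMLRequest"][0]
    xml_bytes = zlib.decompress(base64.b64decode(saml_request), -15)
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML_ASSERTION}}}Issuer")
    if issuer is None or not issuer.text:
        return None
    return issuer.text.strip()


def entity_id_mismatch(sp_entity_id, idp_entity_id):
    """Return None when the two entity IDs are identical, otherwise a short
    description of the first difference. Entity IDs are matched as opaque
    strings, so scheme, host, port and trailing slash all have to agree."""
    if sp_entity_id == idp_entity_id:
        return None
    sp, idp = urlparse(sp_entity_id), urlparse(idp_entity_id)
    if sp.scheme != idp.scheme:
        return f"scheme differs: SP sends '{sp.scheme}://', IdP expects '{idp.scheme}://'"
    if sp.netloc != idp.netloc:
        return f"host or port differs: '{sp.netloc}' vs '{idp.netloc}'"
    if sp.path.rstrip("/") == idp.path.rstrip("/"):
        return "trailing slash differs"
    return f"path differs: '{sp.path}' vs '{idp.path}'"


if __name__ == "__main__":
    # Hypothetical values: the SP addresses from this article and a placeholder
    # tenant ID in the Azure sign-on URL. The FortiGate side deliberately uses
    # http:// so the mismatch from the article is reproduced.
    azure_sso = "https://login.microsoftonline.com/tenant-id-placeholder/saml2"
    azure_identifier = "https://10.230.3.239:1003/remote/saml/metadata/"
    url = build_redirect_url(azure_sso,
                             "http://10.230.3.239:1003/remote/saml/metadata/",
                             "http://10.230.3.239:1003/remote/saml/login/")
    sent = sp_issuer_from_redirect(url)
    print("Issuer sent by SP :", sent)
    print("Azure Identifier  :", azure_identifier)
    print("Result            :", entity_id_mismatch(sent, azure_identifier) or "match")
```

Copy the full login.microsoftonline.com URL from the browser before the error page appears, pass it to sp_issuer_from_redirect(), and compare the result with the Identifier (Entity ID) in Azure; the report names the scheme, port or trailing-slash difference that is easy to miss when comparing two screenshots.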

 

Check that the user is authenticated on the FortiGate and that the session was created by the SAML server and placed in the expected user group.

From the GUI:

(Screenshot: firewall user monitor showing the SAML user)

 

From the CLI, with diagnose firewall auth list (dia is the accepted abbreviation used below):

FG-VM (root) # dia firewall auth list

10.230.3.100, pearl
src_mac: 00:56:69:76:1b:01
type: fw, id: 0, duration: 45, idled: 0
expire: 300, allow-idle: 300
server: Azure-AD-SAML
packets: in 1340 out 648, bytes: in 1314123 out 165072
group_id: 3
group_name: Azure-FW-Auth

----- 1 listed, 0 filtered ------

The server field identifies the SAML server object that authenticated the user (Azure-AD-SAML) and group_name the FortiGate user group the user was placed in (Azure-FW-Auth); both should be the ones referenced by the captive-portal firewall policy.
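As an added example, not from the article or from Fortinet, here is a small Python parser for the diagnose firewall auth list output above, with a check that a given user's session came from the expected SAML server and user group. Only the first record in the sample is the article's output; the second is constructed to exercise the parser on more than one entry.

```python
import re

# Output of 'diagnose firewall auth list' as shown in the article (first record),
# plus a second, constructed record (not real output) for the same SAML server.
SAMPLE_AUTH_LIST = """\
10.230.3.100, pearl
src_mac: 00:56:69:76:1b:01
type: fw, id: 0, duration: 45, idled: 0
expire: 300, allow-idle: 300
server: Azure-AD-SAML
packets: in 1340 out 648, bytes: in 1314123 out 165072
group_id: 3
group_name: Azure-FW-Auth

10.230.3.101, jdoe
src_mac: 00:56:69:76:1b:02
type: fw, id: 0, duration: 120, idled: 10
expire: 300, allow-idle: 300
server: Azure-AD-SAML
packets: in 10 out 8, bytes: in 1200 out 900
group_id: 4
group_name: Azure-Guest-Auth

----- 2 listed, 0 filtered ------
"""

# A record starts with '<ip>, <user>'.
_ENTRY_HEADER = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<user>\S+)$")


def parse_auth_list(text):
    """Parse 'diagnose firewall auth list' output into one dict per session.
    Lines after the header are 'key: value' pairs, several per line separated
    by ', '. Purely numeric values become ints; everything else stays a string
    (src_mac contains ':' but never ': ', so partition() splits it correctly)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue
        header = _ENTRY_HEADER.match(line)
        if header:
            current = {"ip": header["ip"], "user": header["user"]}
            entries.append(current)
            continue
        if current is None:
            continue
        for part in line.split(", "):
            key, sep, value = part.partition(": ")
            if not sep:
                continue
            current[key] = int(value) if value.isdigit() else value
    return entries


def sessions_for_server(entries, server):
    """Sessions whose 'server' field names the given authentication server."""
    return [e for e in entries if e.get("server") == server]


def user_authenticated(entries, user, server, group):
    """True when the user has a session from the expected SAML server that was
    placed in the expected user group (the one the firewall policy references)."""
    return any(
        e["user"] == user and e.get("server") == server and e.get("group_name") == group
        for e in entries
    )


if __name__ == "__main__":
    sessions = parse_auth_list(SAMPLE_AUTH_LIST)
    for s in sessions_for_server(sessions, "Azure-AD-SAML"):
        print(f"{s['ip']:<15} {s['user']:<10} group={s['group_name']} duration={s['duration']}s")
    print("pearl OK:", user_authenticated(sessions, "pearl", "Azure-AD-SAML", "Azure-FW-Auth"))
```

Feed it the saved output of the command (for example via an SSH session) to confirm that a test user appears with the SAML server and group the policy expects, rather than reading the block by eye.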

 

Related documents:

Outbound firewall authentication with Azure AD as a SAML IdP

Technical Tip: Setting up a captive portal for network authentication using SAML and Azure for LAN u...
