FortiGate
ssriswadpong
Staff & Editor
Article Id 213539
Description: This article describes SSL VPN with Azure SAML authentication and multi-factor authentication (MFA).
Scope: FortiGate, FortiClient.
Solution

Azure Multi-factor authentication can be enabled for SSL VPN with SAML authentication. This can be done by enabling multi-factor authentication on Azure.

 

No additional settings are required on FortiGate. However, it is important to check whether the authentication timeout for remote servers is long enough for the user to authorize the challenge (MFA).

The default value is 5 seconds. It is recommended to increase it to 60 seconds with the following commands:


config system global
      set remoteauthtimeout 60
end

 

The MFA prompt appears after the user enters their credentials, as shown in the screenshots below.

 

[Screenshot: VPNSAML2FA.png]

[Screenshot: VPNSAML2FA2.png]

 

To troubleshoot the login, run the following debug commands from the CLI:

 

diagnose debug disable
diagnose debug reset
diagnose vpn ssl debug-filter src-addr4 x.x.x.x <----- Public IP of the test PC.
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug enable


If the SAML debug still shows a timeout, with output similar to the following:

 

[249:root:1d]fsv_rmt_saml_login_cb:111 magic id: magic=6-5ccdgb9874tec5f4
[249:root:1d]fsv_rmt_saml_login_cb:138 idx 6 epoch: 5ccdgb9874tec5f4
[249:root:1d]fsv_rmt_saml_login_cb:154 wrong vdom (0:0) or time expired.
[249:root:1d]saml login [249:29] SAML_ERROR: Error occurred during remote login 'wrong vdom (0:0) or time expired'
[249:root:1d]Destroy sconn 0x6e88825450, connSize=0. (root)
[249:root:1d]SSL state:warning close notify (x.x.x.x)
[250:root:1d]allocSSLConn:312 sconn 0x6e88825450 (0:root)
[250:root:1d]SSL state:before SSL initialization (x.x.x.x)
[250:root:1d]SSL state:fatal decode error (x.x.x.x)
[250:root:1d]SSL state:error:(null)((x.x.x.x)
[250:root:1d]SSL_accept failed, 1:unexpected eof while reading
[250:root:1d]Destroy sconn 0x6e88825450, connSize=0. (root)

 

This is not necessarily caused by the FortiGate: the timeout may be controlled by the SAML provider's or FortiClient's own timeout settings.

 

Make sure that the timeout settings in Azure and FortiClient are configured correctly.

 

In other cases, after the user enters SAML credentials and completes MFA, FortiClient briefly shows 'connected' but then immediately ends the session.

 

The SAML debug then shows the following output:

 

[273:root:e0]fsv_saml_login_response:490 Got group username: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
[273:root:e0]stmt: group
[273:root:e0]fsv_saml_login_response:490 Got group username: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
[273:root:e0]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.
[273:root:e0]fsv_saml_login_resp_cb:163 SAML response error: 3.
[273:root:e0]req: /remote/saml/logout?SAMLResponse=abcdefgh
[273:root:e0]fsv_rmt_saml_logout_cb:35 got SAML logout request.
[273:root:e0]rmt_web_auth_info_parser_common:492 no session id in auth info
[273:root:e0]rmt_web_access_check:760 access failed, uri=[/remote/logout],ret=4103,

 

To resolve this issue, ensure that the username attribute in the SAML configuration is set to the same value on the FortiGate as the claim name configured on the Azure side.
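The two samld failure signatures quoted above (the 'time expired' case and the 'No user name info' case) can be picked out of a debug capture automatically. The following is an added example, not Fortinet code: it parses the '[pid:vdom:id]message' debug lines, matches the two signatures, and prints the check the article recommends for each. The sample text is the article's own debug output (with its x.x.x.x and GUID placeholders); the meaning of the third bracketed field as a connection id is an assumption.

```python
"""Triage FortiGate SSL VPN / samld debug output for the two SAML failure
signatures described in the article (timeout, missing username attribute).

Added example, not Fortinet code. The sample lines are the ones quoted in
the article; the recommended actions are taken from the article's guidance.
"""
import re

# Constructed sample (lines quoted from the article): timeout case.
TIMEOUT_DEBUG = """\
[249:root:1d]fsv_rmt_saml_login_cb:111 magic id: magic=6-5ccdgb9874tec5f4
[249:root:1d]fsv_rmt_saml_login_cb:154 wrong vdom (0:0) or time expired.
[249:root:1d]saml login [249:29] SAML_ERROR: Error occurred during remote login 'wrong vdom (0:0) or time expired'
[250:root:1d]SSL_accept failed, 1:unexpected eof while reading
"""

# Constructed sample (lines quoted from the article): username-attribute case.
NO_USERNAME_DEBUG = """\
[273:root:e0]fsv_saml_login_response:490 Got group username: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
[273:root:e0]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.
[273:root:e0]fsv_saml_login_resp_cb:163 SAML response error: 3.
[273:root:e0]fsv_rmt_saml_logout_cb:35 got SAML logout request.
"""

# Each rule: (name, regex applied to the message part of a line, recommended check)
RULES = [
    ("saml_timeout",
     re.compile(r"wrong vdom \(\d+:\d+\) or time expired"),
     "Raise 'set remoteauthtimeout' under 'config system global' (default 5 s, "
     "article recommends 60 s); if it still times out, check the Azure and "
     "FortiClient timeout settings, since the limit may not be on the FortiGate."),
    ("saml_missing_username",
     re.compile(r"No user name info in SAML response"),
     "Make 'set user-name' under 'config user saml' match the claim name Azure "
     "sends for the user; a group attribute alone is not enough to build a session."),
]

# [pid:vdom:id]message  -- the third field is assumed to be a connection id.
LINE_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](.*)$")


def parse_debug_line(line):
    """Split a '[pid:vdom:id]message' debug line into its parts (None if not one)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, vdom, conn_id, msg = m.groups()
    return {"pid": int(pid), "vdom": vdom, "conn": conn_id, "msg": msg}


def triage(debug_text):
    """Return a list of findings: which rule fired, on which line, and what to check."""
    findings = []
    for lineno, raw in enumerate(debug_text.splitlines(), 1):
        parsed = parse_debug_line(raw)
        if parsed is None:
            continue  # CLI echo, blank line, or other non-debug text
        for name, pattern, action in RULES:
            if pattern.search(parsed["msg"]):
                findings.append({"rule": name, "line": lineno,
                                 "vdom": parsed["vdom"], "action": action})
    return findings


def summarize(debug_text):
    """Collapse findings to the sorted set of rule names that fired."""
    return sorted({f["rule"] for f in triage(debug_text)})


if __name__ == "__main__":
    for label, text in (("timeout", TIMEOUT_DEBUG), ("no-username", NO_USERNAME_DEBUG)):
        print(f"== {label} ==")
        for f in triage(text):
            print(f"line {f['line']} [{f['rule']}] vdom={f['vdom']}: {f['action']}")
```

Feed it the full capture from `diagnose debug application samld -1`; the 'time expired' rule fires on both the login callback line and the SAML_ERROR summary line, so the same capture yields two findings for one failed login.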

 

config user saml
    set user-name "username" <----- The same attribute value as in Azure configuration.
end
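The mismatch behind that debug output is between the attribute name the FortiGate is told to read (`set user-name`) and the claim name the IdP actually puts in the assertion. The following is an added example, not Fortinet code, that reproduces the check: it parses the AttributeStatement of a constructed SAML Response and reports whether the configured user-name and group-name attributes are present. The assertion XML, the claim names in it, and the `group-name` setting are assumptions for illustration and are not from the article.

```python
"""Check whether a SAML assertion carries the attribute names that a FortiGate
'config user saml' entry expects (user-name / group-name).

Added example, not Fortinet code. The assertion and its claim names are
constructed sample data mirroring the article's debug output: the group
attribute is found, but the username attribute is not.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IdP sends the user under the standard 'name' claim URI,
# while the FortiGate is configured with 'set user-name "username"'.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0">
  <saml:Assertion ID="_constructed-assertion-1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_attributes(response_xml):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_fortigate_mapping(response_xml, user_name_attr, group_name_attr):
    """Report whether the configured user-name attribute (mandatory for a
    session) and group-name attribute are present in the assertion."""
    attrs = parse_attributes(response_xml)
    report = {
        "username_found": user_name_attr in attrs,
        "group_found": group_name_attr in attrs,
        "available_attributes": sorted(attrs),
    }
    if not report["username_found"]:
        report["fix"] = (f"'set user-name \"{user_name_attr}\"' matches no attribute "
                         f"in the assertion; the IdP sends {sorted(attrs)}. Set "
                         f"user-name to the claim name the IdP emits, or rename the "
                         f"claim on the IdP side so both ends use the same value.")
    return report


if __name__ == "__main__":
    # Misconfigured: FortiGate expects "username", IdP sends the '.../claims/name' URI.
    print(check_fortigate_mapping(SAMPLE_RESPONSE, "username", "group"))
    # Fixed: user-name set to the claim the IdP actually emits.
    print(check_fortigate_mapping(
        SAMPLE_RESPONSE, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "group"))
```

The misconfigured call reproduces the article's symptom (group attribute present, no username), and the fixed call shows the same assertion passing once `user-name` names the claim the IdP emits. A real decoded SAMLResponse (base64 from the browser's POST to `/remote/saml/login`) can be passed in place of the constructed sample.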


Related documentation on configuring MFA for SSL VPN with Azure SAML authentication:

Enable per-user Microsoft Entra multifactor authentication to secure sign-in events

Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication