wcruvinel
Staff
Article Id 418120
Description

This article describes a FortiCloud Single Sign-On (SSO) issue in which users are unable to log in to FortiGate via Remote access function from Asset Management or FortiGate Cloud portal due to an incorrect redirection URL.

Scope

FortiGate v7.6.4 with FortiCloud SSO configured.

Solution

Issue Summary:

When attempting to log in using the 'Sign in with FortiCloud' option from the Remote Access function, the SSO redirection fails and the browser displays an error such as 'This site can't be reached.'

 

Root Cause:

The FortiGate generates a SAML AuthnRequest whose AssertionConsumerServiceURL points to a link-local address (e.g., https://169.254.x.x/saml/?forticloud-acs) rather than the FortiGate's FortiCloud FQDN. Because link-local addresses are not routable, the browser cannot reach the ACS URL and the SAML authentication flow cannot complete.

 

Expected Behavior:

The redirect URL should point to the FortiGate's registered FQDN under FortiCloud, for example:

https://<hostname>.device.fortigate.forticloud.com/saml/?forticloud-acs

 

Reproduction Steps:

  1. Configure FortiCloud SSO on a FortiGate running FortiOS v7.6.4.

  2. Select Remote Access from FortiGate Cloud or Asset Management portal.

  3. Select Sign in with FortiCloud.

  4. Observe that the redirect fails due to an invalid IP-based URL.
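A diagnostic check for the root cause above and for step 4, added here as example code (not Fortinet's): it decodes a SAMLRequest value as the HTTP-Redirect binding encodes it (raw DEFLATE plus base64), extracts the AssertionConsumerServiceURL and reports whether its host is a link-local address instead of the expected FortiCloud device FQDN. The sample AuthnRequest and the FQDN suffix are constructed assumptions based on this article's example URLs.

```python
import base64
import ipaddress
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Assumed suffix of the FortiCloud device FQDN shown in the article's expected URL
EXPECTED_SUFFIX = ".device.fortigate.forticloud.com"

def encode_redirect_request(xml_text: str) -> str:
    """Encode an AuthnRequest the way the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_request(saml_request: str) -> str:
    """Decode a SAMLRequest value; fall back to plain base64 (HTTP-POST binding) if not deflated."""
    raw = base64.b64decode(saml_request)
    try:
        return zlib.decompress(raw, -15).decode()
    except zlib.error:
        return raw.decode()

def acs_url_from_authn_request(xml_text: str) -> str:
    """Return the AssertionConsumerServiceURL attribute of a samlp:AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("root element is not samlp:AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    if not acs:
        raise ValueError("AuthnRequest carries no AssertionConsumerServiceURL")
    return acs

def classify_acs_host(acs_url: str) -> str:
    """'ok' for the expected FQDN, 'link-local' for 169.254/16 or fe80::/10,
    'ip-literal' for any other bare IP, 'unexpected-host' for any other name."""
    host = urlparse(acs_url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "ok" if host.endswith(EXPECTED_SUFFIX) else "unexpected-host"
    return "link-local" if ip.is_link_local else "ip-literal"

def check_saml_request(saml_request: str) -> str:
    """Decode a SAMLRequest parameter value and classify the host of its ACS URL."""
    return classify_acs_host(acs_url_from_authn_request(decode_redirect_request(saml_request)))

# Constructed sample with the shape of the faulty request described in the article
BAD_AUTHN_REQUEST = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_example" Version="2.0" '
                     'AssertionConsumerServiceURL="https://169.254.1.1/saml/?forticloud-acs"/>')
```

To inspect a real failing login, copy the SAMLRequest query parameter from the browser's redirect and pass it to check_saml_request(); a result of 'link-local' matches this article's root cause.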

 

Workaround:

Access the FortiGate using the 'Cloud access' option instead. For more information, refer to Accessing a FortiGate | FortiGate Cloud 25.4.0 | Fortinet Document Library.

 

Resolution:

The issue is resolved in FortiOS v7.6.5 and v8.0.0.