Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
MichaelTorres
Staff
Staff

Created on ‎06-25-2025 10:07 PM Edited on ‎10-08-2025 12:58 AM By Staff

Article Id 398229

Troubleshooting Tip: VPN IKEv2 SAML in FortiGate do not work with FortiClient version 7.4.3

Description

This article describes a behavior where users correctly configured the Group ID for the SAML integration, however in the authentication does not work in IKEv2.
Scope FortiGate v7.4.7, FortiClient v7.4.3.
Solution

Users configure a SAML integration with a specific group ID.

 

config system global
    set allow-traffic-redirect disable
    set auth-ike-saml-port 10428

 

config user saml

    edit "saml"
            set cert "Fortinet_Factory"
            set entity-id "http://x.x.x.x:10428/remote/saml/metadata/"
            set idp-entity-id "https://sts.windows.net/942b80cd-xxxx-42a1-8dcf-4b21dece61ba/"
            set idp-cert "REMOTE_Cert_1"
    next

 

config user group

    edit "azure_group"
            set member "saml"
                config match
                    edit 1
                        set server-name "saml"
                        set group-name "c901e49d-3fff-41b5-910f-xxxxxxxx"

 

config vpn ipsec phase1-interface

    edit "vpn_car"
            set type dynamic
            set interface "port1"
            set ike-version 2
            set mode-cfg enable
            set ipv4-dns-server1 8.8.8.8
            set eap enable
            set eap-identity send-request
            set assign-ip-from name
            set ipv4-split-include "10.0.2.0"
            set ipv4-name "IPSEC_aDD"
            set client-auto-negotiate enable
      next

 

config firewall policy

    edit 8
            set name "VPN Inbound"
            set uuid b0bcc592-38c9-51f0-8e1c-ab03d67e8ef2
            set srcintf "vpn_car"
            set dstintf "port2"
            set action accept
            set srcaddr "IPSEC_aDD"
            set dstaddr "10.0.2.0"
            set groups "azure_group"
    next

 

config system interface

    edit "port1"
            set ike-saml-server "saml"
    next

 

In the debugs, the authentication process starts correctly, but it never finishes.

 

[authd_local_saml_auth:5778]: SAML login with UID 'DA715D9413064DD09C155EB6D427BC00'.
[authd_http_prepare_javascript_redir:3942]: https://x.x.x.x:10428/saml?070d048694950f1c

[545] __fnbamd_cfg_get_tac_plus_list_by_group-
[557] __fnbamd_cfg_get_tac_plus_list_by_group-Group 'azure_group'
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-

[456] fnbamd_rad_get-vfid=0, name='EAP_PROXY'
[911] fnbamd_cfg_get_radius_list-Loaded RADIUS server 'EAP_PROXY'
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1

ep_fnbam_auth_wpa_user 401 -- svc_type='vpn-ikev2', user='DA715D9413064DD09C155EB6D427BC00', vdom='root', intf='FGVMXXXX'
fnbam_add_groups 304 -- Adding user usergroup azure_group
ep_fnbam_auth_wpa_user 500 -- auth_res=4.
ep_fnbam_auth_wpa_user 520 --auth sess added, ses_id=10204863078401

 

There is no output in the fnbamd debugs as explained in the following link, and authentication never works.

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients 

 

Solution:

Disable the feature 'use external browser as user-agent for SAML user authentication' in the FortiClient settings.

Open FortiClient, navigate to Remote Access -> Edit IPSec VPN -> Single Sign On Settings -> Disable. Use an external browser as user-agent for SAML user authentication.

 

forticlient feature.png
621
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.