FortiGate
MichaelTorres
Article Id 398229
Description

This article describes a behavior where the Group ID for the SAML integration is configured correctly, but SAML authentication does not work for IKEv2 dialup VPN.

Scope

FortiGate v7.4.7, FortiClient v7.4.3.
Solution

Users configure a SAML integration with a specific group ID.

 

config system global
    set allow-traffic-redirect disable
    set auth-ike-saml-port 10428
end

config user saml
    edit "saml"
        set cert "Fortinet_Factory"
        set entity-id "http://x.x.x.x:10428/remote/saml/metadata/"
        set idp-entity-id "https://sts.windows.net/942b80cd-xxxx-42a1-8dcf-4b21dece61ba/"
        set idp-cert "REMOTE_Cert_1"
    next
end

config user group
    edit "azure_group"
        set member "saml"
        config match
            edit 1
                set server-name "saml"
                set group-name "c901e49d-3fff-41b5-910f-xxxxxxxx"
            next
        end
    next
end

config vpn ipsec phase1-interface
    edit "vpn_car"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set eap enable
        set eap-identity send-request
        set assign-ip-from name
        set ipv4-split-include "10.0.2.0"
        set ipv4-name "IPSEC_aDD"
        set client-auto-negotiate enable
    next
end

config firewall policy
    edit 8
        set name "VPN Inbound"
        set uuid b0bcc592-38c9-51f0-8e1c-ab03d67e8ef2
        set srcintf "vpn_car"
        set dstintf "port2"
        set action accept
        set srcaddr "IPSEC_aDD"
        set dstaddr "10.0.2.0"
        set groups "azure_group"
    next
end

config system interface
    edit "port1"
        set ike-saml-server "saml"
    next
end

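Before looking at the client side, it helps to confirm that the FortiGate objects above actually reference each other. The following script is an added example (not Fortinet code): it parses FortiOS CLI text into nested dicts and checks that each group match entry names a server that is a member of the group and carries a group-name, and that every IKEv2 phase1 is bound to an interface that has ike-saml-server set. The object names are taken from this article; the configuration text is a constructed sample.

```python
import shlex
def parse_fortios(text):
    root, stack = {}, []  # 'config'/'edit' open a scope, 'next'/'end' close it
    for tok in filter(None, map(shlex.split, text.splitlines())):
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]  # values kept as a list of tokens
    return root

def check_ike_saml(cfg):
    """Return the cross-reference gaps that break SAML group auth on IKEv2 dialup."""
    gaps, first = [], lambda d, k: d.get(k, [""])[0]
    for name, grp in cfg.get("user group", {}).items():
        for m in grp.get("match", {}).values():
            if first(m, "server-name") not in grp.get("member", []):
                gaps.append(f"group {name}: match server-name is not a group member")
            if not first(m, "group-name"):
                gaps.append(f"group {name}: match entry has no group-name (IdP group ID)")
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        bound = cfg.get("system interface", {}).get(first(p1, "interface"), {})
        if first(p1, "ike-version") == "2" and "ike-saml-server" not in bound:
            gaps.append(f"phase1 {name}: its interface has no ike-saml-server")
    return gaps

SAMPLE = '''config user group
    edit "azure_group"
        set member "saml"
        config match
            edit 1
                set server-name "saml"
                set group-name "c901e49d-3fff-41b5-910f-xxxxxxxx"
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "vpn_car"
        set interface "port1"
        set ike-version 2
    next
end
config system interface
    edit "port1"
        set ike-saml-server "saml"
    next
end'''  # constructed sample; a clean run of check_ike_saml on it returns []
```

Run it against the output of `show full-configuration` on a real unit; an empty list means the problem is not a dangling reference on the FortiGate, which is exactly the situation this article covers.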
In the debug output, the authentication process starts correctly but never completes.

 

[authd_local_saml_auth:5778]: SAML login with UID 'DA715D9413064DD09C155EB6D427BC00'.
[authd_http_prepare_javascript_redir:3942]: https://x.x.x.x:10428/saml?070d048694950f1c

[545] __fnbamd_cfg_get_tac_plus_list_by_group-
[557] __fnbamd_cfg_get_tac_plus_list_by_group-Group 'azure_group'
[606] fnbamd_cfg_get_tac_plus_list-Total tac+ servers to try: 0
[840] fnbamd_cfg_get_ldap_list-

[456] fnbamd_rad_get-vfid=0, name='EAP_PROXY'
[911] fnbamd_cfg_get_radius_list-Loaded RADIUS server 'EAP_PROXY'
[918] fnbamd_cfg_get_radius_list-Total rad servers to try: 1

ep_fnbam_auth_wpa_user 401 -- svc_type='vpn-ikev2', user='DA715D9413064DD09C155EB6D427BC00', vdom='root', intf='FGVMXXXX'
fnbam_add_groups 304 -- Adding user usergroup azure_group
ep_fnbam_auth_wpa_user 500 -- auth_res=4.
ep_fnbam_auth_wpa_user 520 --auth sess added, ses_id=10204863078401

 

The fnbamd debug never shows the output described in the following article, and authentication never succeeds.

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients 

 

Solution:

Disable the option 'Use external browser as user-agent for SAML user authentication' in the FortiClient settings.

Open FortiClient, navigate to Remote Access -> Edit IPSec VPN -> Single Sign On Settings, and disable 'Use external browser as user-agent for SAML user authentication'.

 

[Screenshot: forticlient feature.png, the FortiClient Single Sign On setting]