Fortinet Forum
bizonek
New Contributor

SSLVPN with Azure SAML

Hi

 

My test environment is: FortiGate 61E with firmware 6.4.4.

I have successfully configured SSO for administrators using Fabric Setup and this part works perfectly. Now I would like to continue this successful story by adding SAML authentication to SSL VPN for other mortals.

 

My configuration:

config user saml
    edit "ssl-azure-saml"
        set cert "Fortinet_Factory"
        set entity-id "http://_____IP:PORT_____/metadata/"
        set single-sign-on-url "https://_____IP:PORT_____/saml/?acs"
        set single-logout-url "https://_____IP:PORT_____/saml/?sls"
        set idp-entity-id "https://sts.windows.net/___IdP_id______/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/___IdP_id______/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
    next
end
config user group
    edit "saml_grp"
        set member "ssl-azure-saml"
    next
end
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set idle-timeout 0
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 20443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "No_Access"
    config authentication-rule
        edit 1
            set groups "VPN_Client"
            set portal "full-access"
        next
        edit 2
            set groups "saml_grp"
            set portal "full-access"
        next
    end
end

config system global
    set remoteauthtimeout 60
end

 

But when I try to connect using SAML I get an error.

 

Please help :)

bizonek
New Contributor

So the problem was with the endpoints.

 

config user saml
    edit "ssl-azure-saml"
        set cert "Fortinet_Factory"
        set entity-id "https://_____IP:VPN_PORT_____/remote/saml/metadata"
        set single-sign-on-url "https://_____IP:VPN_PORT_____/remote/saml/login"
        set single-logout-url "https://_____IP:VPN_PORT_____/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/___IdP_id______/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/___IdP_id______/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_2"   <----- the downloaded cert was different from the one expected; I got it from the SAML request
        set user-name "username"
    next
end

 

I had not added the SAML group to the correct policy (if you open the web access page and there is no "Single Sign-On" option, then the problem is with the policy) - WTF

 

Helpful links

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial#configu...

https://docs.fortinet.com/document/fortigate/6.4.0/azure-cookbook/584456/configuring-saml-sso-login-...
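The two things that went wrong in the post above (SP endpoint URLs that did not match what FortiOS actually serves under /remote/saml/, and an imported IdP certificate that was not the one signing the assertions) are both checkable offline before a single login attempt. The script below is an added example for this thread, not FortiOS, Azure or Microsoft code. It parses a `config user saml` block as pasted from the CLI, an Azure-style IdP federation metadata document, and a SAMLResponse as it arrives base64-encoded in the POST body, and reports every mismatch. The host `vpn.example.com:20443`, the tenant id, and the certificate bodies are constructed placeholders; the "certificates" are base64 of arbitrary bytes rather than real DER, which is enough to show the fingerprint comparison but means nothing here validates a signature.

```python
"""Cross-check a FortiGate 'config user saml' block against IdP metadata and the
cert that really signs the SAMLResponse. Added example, not FortiOS/Azure code.
All URLs, ids and cert bodies are constructed placeholders (cert bodies are not
real X.509 DER; they only stand in for DER so fingerprints can be compared)."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# FortiOS serves the SSL VPN SAML SP endpoints under /remote/saml/ on the VPN port.
EXPECTED_SP_PATHS = {"entity-id": "/remote/saml/metadata",
                     "single-sign-on-url": "/remote/saml/login",
                     "single-logout-url": "/remote/saml/logout"}

SP = "https://vpn.example.com:20443"                       # assumed FortiGate + SSL VPN port
TENANT = "11111111-2222-3333-4444-555555555555"            # assumed Azure tenant id
GOOD_CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert-placeholder").decode()
STALE_CERT_B64 = base64.b64encode(b"constructed-cert-downloaded-from-wrong-place").decode()

# Constructed CLI excerpts: the corrected endpoints, and the original broken ones.
CORRECT_CONFIG = f'''config user saml
    edit "ssl-azure-saml"
        set entity-id "{SP}/remote/saml/metadata"
        set single-sign-on-url "{SP}/remote/saml/login"
        set single-logout-url "{SP}/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/{TENANT}/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/{TENANT}/saml2"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
    next
end'''
BROKEN_CONFIG = CORRECT_CONFIG.replace(f"{SP}/remote/saml/metadata", f"http://vpn.example.com:20443/metadata/") \
    .replace("/remote/saml/login", "/saml/?acs").replace("/remote/saml/logout", "/saml/?sls")

# Constructed Azure-style federation metadata (only the parts the checks need).
IDP_METADATA = f'''<EntityDescriptor xmlns="{NS["md"]}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS["ds"]}"><X509Data>
      <X509Certificate>{GOOD_CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor></EntityDescriptor>'''

# Constructed SAMLResponse skeleton as posted to /remote/saml/login: a real one also
# carries SignedInfo, SignatureValue and the Assertion; only KeyInfo is inspected here.
SAML_RESPONSE_B64 = base64.b64encode(
    f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{NS["ds"]}" '
    f'ID="_c0nstructed" Version="2.0"><ds:Signature><ds:KeyInfo><ds:X509Data>'
    f'<ds:X509Certificate>{GOOD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
    f'</ds:Signature></samlp:Response>'.encode()).decode()


def pem(b64_body):
    """Wrap a base64 body in PEM armour, as the cert is imported on the FortiGate."""
    return "-----BEGIN CERTIFICATE-----\n" + b64_body + "\n-----END CERTIFICATE-----\n"

def fingerprint(b64_body):
    """SHA-256 over the decoded (DER) bytes; whitespace/line wraps are ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_body.split()))).hexdigest().upper()

def fingerprint_from_pem(pem_text):
    return fingerprint("".join(l for l in pem_text.splitlines() if not l.startswith("-----")))

def parse_fortios_saml(cli_text):
    """Collect 'set key "value"' pairs from the first 'config user saml' block."""
    settings, inside = {}, False
    for line in (l.strip() for l in cli_text.splitlines()):
        if line == "config user saml":
            inside = True
        elif inside and line == "end":
            break
        elif inside and (m := re.match(r'set (\S+) "([^"]*)"', line)):
            settings[m.group(1)] = m.group(2)
    return settings

def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    kd = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "cert_b64": kd.find(".//ds:X509Certificate", NS).text.strip()}

def signing_cert_from_response(response_b64):
    """The cert the IdP really signs with: taken from the response, not a download."""
    root = ET.fromstring(base64.b64decode(response_b64).decode())
    return root.find(".//ds:Signature", NS).find(".//ds:X509Certificate", NS).text.strip()

def check_sp_endpoints(settings):
    findings, origins = [], set()
    for key, path in EXPECTED_SP_PATHS.items():
        url = settings.get(key)
        if url is None:
            continue
        m = re.match(r"(https?)://([^/]+)(/.*)?$", url)
        if not m:
            findings.append(f"{key}: not a parseable URL: {url}"); continue
        origins.add(m.group(2))
        if m.group(1) != "https":
            findings.append(f"{key}: must be https, got {m.group(1)}")
        if (m.group(3) or "/").rstrip("/") != path:
            findings.append(f"{key}: path {m.group(3)} should be {path}")
    if len(origins) > 1:
        findings.append(f"SP URLs disagree on host:port: {sorted(origins)}")
    return findings

def check_against_idp(settings, idp, response_b64, local_idp_cert_pem):
    findings, local_fp = [], fingerprint_from_pem(local_idp_cert_pem)
    if settings.get("idp-entity-id") != idp["entity_id"]:
        findings.append("idp-entity-id does not match metadata entityID")
    if settings.get("idp-single-sign-on-url") != idp["sso_url"]:
        findings.append("idp-single-sign-on-url does not match metadata SingleSignOnService")
    if fingerprint(idp["cert_b64"]) != local_fp:
        findings.append("imported idp-cert differs from signing cert in IdP metadata")
    if fingerprint(signing_cert_from_response(response_b64)) != local_fp:
        findings.append("imported idp-cert differs from the cert that signed the SAMLResponse")
    return findings

def audit(cli_text, idp_metadata_xml, response_b64, local_idp_cert_pem):
    """Empty list means the SP config, the IdP metadata and the live signer all agree."""
    s = parse_fortios_saml(cli_text)
    return check_sp_endpoints(s) + check_against_idp(s, parse_idp_metadata(idp_metadata_xml),
                                                     response_b64, local_idp_cert_pem)

if __name__ == "__main__":
    print("corrected:", audit(CORRECT_CONFIG, IDP_METADATA, SAML_RESPONSE_B64, pem(GOOD_CERT_B64)))
    print("original :", audit(BROKEN_CONFIG, IDP_METADATA, SAML_RESPONSE_B64, pem(STALE_CERT_B64)))
```

Run against the original post's endpoints and a stale certificate, the audit reports the http scheme and the `/metadata/`, `/saml/?acs` and `/saml/?sls` paths, plus a fingerprint mismatch against both the metadata and the response; the corrected block with the right certificate reports nothing. With real data, replace the placeholder cert bodies with the `X509Certificate` from the tenant's federation metadata and the PEM you imported as `idp-cert`, and base64-decode a captured SAMLResponse.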

 

goenacc
New Contributor

We hit the Invalid HTTP request issue when we set up the Azure SAML. We had SSL VPN configured and already in production use. We re-used the same user group, because we had many policies attached to the group. We had to log a ticket with Fortinet to get this resolved. The fix was to go to the firewall policy and edit one of the policies: remove the user group and add a dummy group, then hit Apply. Then go back to the same policy and reverse the change.

 

Fortinet support said this simple exercise somehow refreshed the SAML / SSLVPN process.

techjedi11

Removing the SAML group from my firewall policy, saving, then re-adding the group fixed the Invalid HTTP request for me as well. Thanks for posting your solution!

jfnz
New Contributor

Saved my bacon! Was pulling my hair out forever. What a silly issue🤦🏻

 

Thank you for posting this up.

CarlosColombini

Hi @goenacc, I just came across this post and thought I would share if it had not been done from your TAC ticket, but this is a known issue investigated under BUG ID 705880 - Update user group with SAML user will update firewall policy, which is fixed in FortiOS 7.0.7 and 7.2.2 when released.

For clarity, the description of the BUG is below:
Update empty/existing group with SAML user could not trigger SSL VPN firewall policy refresh, which causes the detection of SAML user to be unsuccessful in later usage.

I understand your issue has been resolved, but this may help others searching the community.

goenacc

@CarlosColombini, thanks for posting the BUG ID and the fixed release version. I would not have known about it if I didn't specifically look for it in the release notes (when released).

RachelGomez123
New Contributor II

When you integrate FortiGate SSL VPN with Azure AD, you can:

 

Use Azure AD to control who can access FortiGate SSL VPN.
Enable your users to be automatically signed in to FortiGate SSL VPN with their Azure AD accounts.
Manage your accounts in one central location: the Azure portal.

To get started, you need the following items:

An Azure AD subscription. If you don't have a subscription, you can get a free account.
A FortiGate SSL VPN with single sign-on (SSO) enabled.

 

Greetings,

Rachel Gomez