Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
choee840408
New Contributor II

Assistance Required – FortiAuthenticator SAML Integration with FortiGate IPsec VPN

Dear Sir,

I am encountering an issue while configuring SAML integration between FortiAuthenticator and FortiGate IPsec VPN, and I would like to request your assistance.

Current requirements:

  • FortiAuthenticator as IdP

  • FortiGate as SP

Configuration steps taken so far:

1. Enabled SAML-related service ports on FortiAuthenticator

[attachment: 1.jpg]

2. Configured SAML IdP General settings on FortiAuthenticator and exported the certificate

[attachment: 2.jpg]

3. Configured Service Providers on FortiAuthenticator

[attachment: 3.jpg]

4. Configured Single Sign-On on FortiGate

[attachment: 4.jpg]

5. Created a User Group

[attachment: 5.jpg]

6. Established an IPsec Tunnel

[attachment: 6.jpg]

7. Test result: IPsec connection shows failure

[attachment: 7.jpg]

I would greatly appreciate it if you could review the configuration steps above to check for any omissions or errors, and provide recommended troubleshooting methods to help complete the SAML and IPsec VPN integration.

Thank you very much for your support!

gstefou
New Contributor III

Hi Cho, 

The SSO Login window shouldn't be looking like that... I guess there's something wrong with the settings on your FGT.

First off, how's your FAC connected with your Gate? Is the FAC outside on your FortiGate's network?

1) FortiGate is using a default port for SAML Authentication (Port 1001, if I'm not mistaken).

Make sure this is configured properly under the "config system global" settings.

- Open SAML Service on the Firewall and set the port -

config system global
    set auth-ike-saml-port 1001
end

2) In addition, you will have to specify the "FAC" SSO option under the interface your FAC is connected to the Firewall. If the FAC is outside of your network you will need to configure it on your internet-facing interface (WAN Port).

- Make SAML accessible from the internet exposed interface OR THE INTERFACE YOU HAVE THE FAC CONNECTED -

config system interface
    edit wan1                      <--- Use the WAN port only if the FAC is outside of your network; otherwise use the interface you have the FAC connected to.
        set ike-saml-server "FAC"  <--- "FAC" is the Single Sign-On Name value you configured.
    next
end

choee840408
New Contributor II


Dear Sir,
Both the FAC and FG are on the internal network.
I will try the command you provided:

config system global
    set auth-ike-saml-port 1001
end

However, does the IPsec VPN also need to be changed to IKEv2?
choee840408

timeout

[attachment: 螢幕擷取畫面 2025-09-01 180411.jpg]

gstefou
New Contributor III

This is the guide I followed and everything is working with no problem. -> https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/219787/agentless-vpn-with-fo...

Check all your settings and try again.

gstefou
New Contributor III

I was mistaken; by default Fortinet is using port 1003 for SAML. Run the script with port 1003 this time and try again.

SAML Authentication is supported on both IKEv1 & IKEv2, so no

choee840408
New Contributor II

Dear gstefou,

Hello, I followed the instructions in this guide for my setup:
https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/951346/saml-based-authentica...

The guide instructs me to configure it as IKEv2, but even after following the instructions, I'm still getting a timeout.

gstefou
New Contributor III

If you followed the KB you should be able to connect; it is pretty straightforward.

Do you mind sharing your FC VPN configuration?

In addition, where are you testing the VPN from?

Are you connected to any of the SSIDs the FortiGate broadcasts?

GeorgeZhong
Staff

Hi choee840408,

The SP's IP address needs to be <ipsec-vpn-gateway-fqdn/ip-address>:<saml-ike-authentication-port> as per document. In your case, as the SAML port is 1001, the SP IP address in the Single Sign On setting on both FGT and FAC should be 10.0.9.240:1001.

If this still doesn't work, please collect below debug log:

diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose vpn ike log filter rem-addr4 <client's public IP>
diagnose debug console timestamp enable
diagnose debug enable

Regards,

George
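The three FortiGate-side settings this thread turns on (auth-ike-saml-port under config system global, the ike-saml-server binding on the FAC-facing interface, and the SP address being <gateway>:<saml-ike-authentication-port>) are easy to leave out of step when the port is corrected in one place but not the others, as happened here with 1001 versus 1003. The following Python script is an added example, not Fortinet code and not something posted in this thread: it parses a FortiOS-style CLI dump and reports exactly those mismatches. The sample configuration is constructed for the example (the 10.0.9.240 address is the one from George's reply; the /remote/saml/... URL paths in the SP entry are an assumption), and the config user saml keys entity-id, single-sign-on-url and single-logout-url are the ones FortiOS uses for an SP definition.

```python
"""Added example: consistency check for FortiGate IKE SAML settings.

Parses a FortiOS-style CLI dump and reports the three mismatches discussed in
the thread: missing auth-ike-saml-port, an SSO server that no interface binds
with ike-saml-server, and SP URLs whose port differs from auth-ike-saml-port.
Not Fortinet code; the sample config below is constructed for the example.
"""
import re
import shlex
from typing import Dict, List

ConfigTree = Dict[str, Dict[str, Dict[str, str]]]

# Constructed sample. The SP entry was generated while the port was still 1001,
# then auth-ike-saml-port was changed to 1003, so the URLs are now out of step.
# The URL paths are an assumption made for the example.
SAMPLE_CONFIG = """\
config system global
    set auth-ike-saml-port 1003
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
    next
    edit "internal"
        set ip 10.0.9.240 255.255.255.0
        set ike-saml-server "FAC"
    next
end
config user saml
    edit "FAC"
        set cert "Fortinet_Factory"
        set entity-id "http://10.0.9.240:1001/remote/saml/metadata/"
        set single-sign-on-url "http://10.0.9.240:1001/remote/saml/login/"
        set single-logout-url "http://10.0.9.240:1001/remote/saml/logout/"
    next
end
"""
# Same config with the SP URLs regenerated for the new port.
FIXED_CONFIG = SAMPLE_CONFIG.replace(":1001/", ":1003/")


def parse_fortios(text: str) -> ConfigTree:
    """Build {section: {entry: {key: value}}} from config/edit/set/next/end lines.
    Settings outside any 'edit' (e.g. 'system global') land under entry "".
    One nesting level only, which covers the sections checked here."""
    tree: ConfigTree = {}
    section, entry = None, ""
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # handles the quoted names/URLs
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            section = " ".join(tokens[1:])
            tree.setdefault(section, {})
            entry = ""
        elif section is None:
            continue
        elif kw == "edit":
            entry = tokens[1]
            tree[section].setdefault(entry, {})
        elif kw == "set" and len(tokens) >= 3:
            tree[section].setdefault(entry, {})[tokens[1]] = " ".join(tokens[2:])
        elif kw == "next":
            entry = ""
        elif kw == "end":
            section, entry = None, ""
    return tree


URL_RE = re.compile(r"^https?://([^/:]+)(?::(\d+))?")
SP_URL_KEYS = ("entity-id", "single-sign-on-url", "single-logout-url")


def check_ike_saml(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the settings agree."""
    tree = parse_fortios(config_text)
    findings: List[str] = []

    port = tree.get("system global", {}).get("", {}).get("auth-ike-saml-port")
    if port is None:
        findings.append("auth-ike-saml-port is not set under 'config system global'")

    # SSO server names that some interface binds with 'set ike-saml-server'.
    bound = {attrs["ike-saml-server"]
             for attrs in tree.get("system interface", {}).values()
             if "ike-saml-server" in attrs}

    for sp_name, attrs in tree.get("user saml", {}).items():
        if not sp_name:
            continue
        if sp_name not in bound:
            findings.append(f"SSO server '{sp_name}' is not bound to any interface "
                            "with 'set ike-saml-server'")
        for key in SP_URL_KEYS:
            url = attrs.get(key)
            if not url:
                continue
            m = URL_RE.match(url)
            if not m:
                findings.append(f"{sp_name}.{key} is not an http(s) URL: {url}")
                continue
            url_port = m.group(2)
            if port is not None and url_port != port:
                findings.append(f"{sp_name}.{key} uses port {url_port or '(none)'} "
                                f"but auth-ike-saml-port is {port}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check_ike_saml(cfg) or ['no mismatches']}")
```

Run it against the output of show system global, show system interface and show user saml pasted into one file; it deliberately ignores deeper nesting, so anything it cannot parse simply produces no finding rather than a false positive.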
