kylehouk

Azure SAML WiFi Authentication Cert Trust Error

I was following the guide to setup WiFi authentication using Azure and SAML IdP from the Fortinet community here 

 

The authentication does work, but it gives a certificate error when connecting. If you trust the cert the authentication goes through and works. The below error message is seen when using the Fortinet Factory cert.

 

[image: Azure-SAML-Fortinet-Cert (2).png]

 

The following error is observed when using a CA cert from Let's Encrypt.

[image: Azure-SAML-Cert-Error.png]

 

The intended use is for this network to be used for personal cell phones of company employees. So I do not want employees to have to download or trust anything on their devices when connecting to the network.

 

If it is not possible to avoid the cert trust error please let me know. Otherwise below is what I have tried to get it to work.

 

The documentation mentions using a CA certificate and redirecting the auth portal page. However, whenever I redirect the portal it breaks the authentication. I have tried adding the redirection in both the GUI and CLI and with various certs; neither works.

 

Based on the error it seems that the cert error is occurring because the authentication request is coming from the internal IP of the subnet and not the FQDN of the cert. However, as mentioned, any time I redirect the portal page it breaks the authentication. (Yes, I updated the Azure App and Fortinet URLs to reflect the redirected address, but it still broke the authentication.)

 

I am still pretty new to certs and stuff so I am probably missing something and help is appreciated.

Gcordoba1609

  1. Have you set up a custom Azure/Entra ID application for use with the FortiGate: YES

I'll tell you my problem. I have the SAML issue already configured and working, but I have the certificate warning issue every time users try to connect because they can't find a valid certificate.
According to what the Fortinet people tell me, I must create a wildcard certificate since I have validation in several VLANs according to the connection that is made. And that's the part that I don't understand how to do.

Regards

kylehouk

Alright, my setup is a little different compared to yours, but I'll explain what I did. I am only using SAML auth on one VLAN.

I created a custom FQDN for the FortiGate firewall. For example, wifi.mydomain.com

 

I then used the ACME certificate generating feature built into the FortiGate to generate a valid CA (Certificate Authority) certificate with the FQDN. In this case from Let's Encrypt. Since Let's Encrypt is a CA any certificate they validate is seen as official and valid by all browsers/computers.

 

I then created the custom Azure/Entra ID app. For the Single-Sign On section I used the FQDN for the Identifier and Reply URLs. I downloaded the generated certificate from Azure and uploaded it to the FortiGate.

 

I then set up a custom DNS server on the FortiGate itself to point the local IP of the interface/VLAN to the FQDN. You have to have the local interface/VLAN IP point towards the FQDN so that when clients try to authenticate and get a reply from the local IP of the firewall instead of the FQDN they are expecting, they will still treat it as valid, as their DNS resolver also points to that IP.

Finally, under the Single-Sign On section within the FortiGate I set the SP certificate to be the ACME cert I generated with the FQDN and set the IdP certificate to be the one from the custom Azure application.
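The steps described in the post above, written out as FortiOS CLI so the pieces can be checked against each other. This is an added example, not the poster's configuration and not Fortinet's documentation: the FQDN wifi.mydomain.com, the VLAN address 10.10.10.1, the interface and object names, the Entra ID tenant placeholder, the IdP certificate name, the SAML URL paths and the captive-portal HTTPS port 1003 are all assumptions, and the exact command set differs between FortiOS releases.

```fortios
# Added example (not from the post). All names, IPs, ports and URLs are assumptions.

# 1. Request a publicly trusted certificate for the FQDN with the built-in ACME client.
#    The FQDN must already have a public DNS A record for the interface the ACME
#    client listens on, and TCP/80 on that interface must be reachable for HTTP-01.
config system acme
    set interface "wan1"
end
config vpn certificate local
    edit "wifi-acme"
        set enroll-protocol acme2
        set acme-domain "wifi.mydomain.com"
        set acme-email "netadmin@mydomain.com"
    next
end

# 2. Serve the captive portal on the FQDN and with that certificate
#    (assumed default HTTPS auth port 1003). Without auth-cert the portal keeps
#    presenting the factory certificate, which is the first screenshot's error.
config user setting
    set auth-cert "wifi-acme"
    set auth-secure-http enable
    set auth-https-port 1003
end
config firewall auth-portal
    set portal-addr "wifi.mydomain.com"
end

# 3. Answer DNS for the wireless VLAN on the FortiGate itself so that
#    wifi.mydomain.com resolves to the VLAN interface IP (assumed 10.10.10.1).
#    Clients then reach the portal by the name on the certificate, not by a bare IP.
config system dns-server
    edit "wifi-vlan"
        set mode recursive
    next
end
config system dns-database
    edit "wifi-zone"
        set domain "mydomain.com"
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "wifi"
                set ip 10.10.10.1
            next
        end
    next
end

# 4. SAML service-provider definition. Entity ID, SSO and SLO URLs must match the
#    Identifier and Reply URL in the Entra ID enterprise application exactly
#    (scheme, host, port and trailing slash). <tenant-id> and the IdP certificate
#    name are placeholders for the values taken from the Azure application.
config user saml
    edit "azure-wifi"
        set cert "wifi-acme"
        set entity-id "https://wifi.mydomain.com:1003/saml/metadata/"
        set single-sign-on-url "https://wifi.mydomain.com:1003/saml/login/"
        set single-logout-url "https://wifi.mydomain.com:1003/saml/logout/"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "Azure-IdP-Cert"
        set user-name "username"
        set group-name "group"
    next
end
```

Two things to check before blaming the SAML side: the DHCP scope on the VLAN has to hand out the interface IP as the clients' DNS server, or the local override in step 3 is never consulted; and from a client on the VLAN, `openssl s_client -connect wifi.mydomain.com:1003 -servername wifi.mydomain.com` should show the Let's Encrypt chain with `Verify return code: 0`. If the portal still redirects to `https://10.10.10.1:1003/...`, the portal-addr setting is not being applied and the name-mismatch error in the second screenshot will persist no matter which certificate is installed.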

Gcordoba1609

I understand you, if the scenario is different and it is not going to work in mine, thank you very much for the help

kylehouk

So long as each VLAN has a DNS record pointing the interface IP to the FQDN it may work.
Although I'm not sure how having multiple IPs point to the same FQDN will work, you could still test it.
