Hello,
we've configured SAML SSL VPN login with Azure AD and everything is working.
When we configured the connector we used the IP address of the FortiGate's SSL VPN service, like this:
set entity-id "https://X.X.X.X:XXXX/remote/saml/metadata"
set single-sign-on-url "https://X.X.X.X:XXXX/remote/saml/login"
Now we've created an FQDN to access the VPN service, like sslvpnurl.domain.com.
When authenticating via FortiClient, users receive a certificate error because, even though the certificate configured on the FortiGate (*.domain.com) is correct and FortiClient is configured to use the FQDN, the SAML configuration is still configured with the IP address, so I think that's where the problem is.
Now I would like to change the Entity ID, SSO Sign In and Sign Out URLs in the FortiGate configuration like this:
set entity-id "https://sslvpnurl.domain.com:XXXX/remote/saml/metadata"
[....] [...]
so the error would disappear, I believe.
Do I have to change the same configuration on the Azure side, otherwise auth would not work anymore, or not?
Thanks
BR
Hello,
If the URLs are set with the IP and the certificate's Subject Alternative Name is different from the domain used, yes, you will have to change the config
From
set entity-id "https://X.X.X.X:XXXX/remote/saml/metadata"
set single-sign-on-url "https://X.X.X.X:XXXX/remote/saml/login"
To
set entity-id "https://sslvpnurl.domain.com:XXXX/remote/saml/metadata"
[....] [...]
IdP and SP URLs should match, else auth will not work anymore.
More information on how the certs work and common errors:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-generate-wildcard-CSR/ta-p/195414
Thank you
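The before/after change described above, written out as an added example (not part of the original thread and not Fortinet's own documentation). The SAML object name "azure-sso", the certificate names "wildcard-domain-com" and "azure-idp-cert", and the tenant ID placeholder are assumptions; the port is left as XXXX as in the original post.

```text
# Added example, not from the original thread. Object and certificate names
# and <tenant-id> are placeholders; XXXX is the SSL VPN port from the post.

# Before: SP URLs carry the raw IP. FortiClient connects to the FQDN, so the
# *.domain.com certificate can never match a redirect back to X.X.X.X.
config user saml
    edit "azure-sso"
        set cert "wildcard-domain-com"
        set entity-id "https://X.X.X.X:XXXX/remote/saml/metadata"
        set single-sign-on-url "https://X.X.X.X:XXXX/remote/saml/login"
        set single-logout-url "https://X.X.X.X:XXXX/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "azure-idp-cert"
        set user-name "username"
        set group-name "group"
    next
end

# After: only the three SP-side URLs change; the idp-* values stay as they are.
config user saml
    edit "azure-sso"
        set entity-id "https://sslvpnurl.domain.com:XXXX/remote/saml/metadata"
        set single-sign-on-url "https://sslvpnurl.domain.com:XXXX/remote/saml/login"
        set single-logout-url "https://sslvpnurl.domain.com:XXXX/remote/saml/logout"
    next
end

# The SSL VPN listener itself must present the same wildcard certificate.
config vpn ssl settings
    set servercert "wildcard-domain-com"
end
```

On the Azure side the same three values must be mirrored in the Enterprise Application's Basic SAML Configuration: Identifier (Entity ID) = the new metadata URL, Reply URL (Assertion Consumer Service URL) = the new login URL, Logout URL = the new logout URL. Until both sides agree, Azure will reject the AuthnRequest because the issuer it receives no longer matches the registered identifier. After the change, confirm the FortiGate is advertising the FQDN by fetching https://sslvpnurl.domain.com:XXXX/remote/saml/metadata and checking that entityID and the AssertionConsumerService Location contain the FQDN, and watch a login with `diagnose debug application samld -1` if the IdP still complains.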
Copyright 2025 Fortinet, Inc. All Rights Reserved.