Hello everyone,
currently we are stuck in the SAML Entra SSO setup. I checked the recommended articles here in the support forum and watched several videos.
Firmware: v7.4.5 build2702
Model: FortiGate 101F
After the SAML login via the FortiClient and entering the M365 credentials, the following error appears:
Configuration on the Fortigate:
User & Authentication > Single-Sign-on
Service Provider Configuration
Address: "forti-fqdn:6443"
Entity ID: "http://forti-fqdn:6443/remote/saml/metadata/"
Assertion consumer service URL: "https://forti-fqdn:6443/remote/saml/login"
Single logout service URL: "https://forti-fqdn:6443/remote/saml/logout"
Identity Provider Configuration
Entity ID: "https://sts.windows.net/xxxx/"
Assertion consumer service URL: "https://login.microsoftonline.com/xxxx/saml2"
Single logout service URL: "https://login.microsoftonline.com/xxxx/saml2"
Certificate imported from Entra
Additional SAML Attributes
Attribute used to identify users: name
Attribute used to identify groups: groups
The Identity Provider Configuration URLs are also stored in the SAML SSO Settings under Security Fabric.
On the Entra side I added the FortiGate SSL VPN Enterprise Application.
Basic SAML Configuration
Identifier (Entity ID): "http://forti-fqdn:6443/metadata/"
Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs"
Sign on URL: "https://forti-fqdn:6443/saml/login/"
Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"
Created a security group that is assigned to the app.
Following this example, I have linked the group ID with the Forti:
config user group
    edit "SAML_AZ_ALL"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "YYY-a79a-40f0-a2df-XXX"
            next
        end
    next
end
A Firewall Rule for the created "SAML_AZ_ALL" Group was added (Incoming Interface SSL-VPN)
When testing the connection from entra, I get the following error message:
Forbidden
You don't have permission to access /saml/login/ on this server.
Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request.
So an error must have crept in somewhere; I am currently at a loss.
Perhaps someone has a tip on what I can still adjust or may have forgotten.
I am grateful for any support.
> On the Entra side I added the FortiGate SSL VPN Enterprise Application.
> Basic SAML Configuration
> Identifier (Entity ID): "http://forti-fqdn:6443/metadata/"
> Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs"
> Sign on URL: "https://forti-fqdn:6443/saml/login/"
> Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"
The bold parts of the above URLs are incorrect. What you have there right now corresponds with the typical URL paths used for admin GUI login. But since you're trying to use SSL-VPN, you need to use the SSL-VPN-relevant URL paths (/remote/saml/login, /remote/saml/logout, /remote/saml/metadata ...).
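To make the path mismatch described in the reply easy to spot, here is a small consistency check (an added example, not code from the thread or from Fortinet) that compares the FortiGate Service Provider settings with the values entered in the Entra "Basic SAML Configuration" and flags admin-GUI style paths, malformed URLs, and plain mismatches. The sample values mirror the ones in the post; "forti-fqdn" is a placeholder hostname, and the helper that derives the expected Entra values from the SP address simply reproduces the SSL-VPN /remote/saml/ paths named above.

```python
"""Cross-check FortiGate SSL-VPN SAML SP settings against an Entra app.

Added example for this thread; the sample dictionaries are constructed
from the values in the post ("forti-fqdn" is a placeholder hostname).
"""
from urllib.parse import urlparse

# SSL-VPN SAML endpoints on the FortiGate live under this prefix; the
# admin-GUI SAML endpoints (/saml/login, /saml/?acs, /metadata/) do not.
SSLVPN_PATH_PREFIX = "/remote/saml/"

# Service Provider values as configured on the FortiGate in the post.
FORTIGATE_SP = {
    "entity_id": "http://forti-fqdn:6443/remote/saml/metadata/",
    "acs_url": "https://forti-fqdn:6443/remote/saml/login",
    "slo_url": "https://forti-fqdn:6443/remote/saml/logout",
}

# Entra "Basic SAML Configuration" as entered in the post (the wrong values).
ENTRA_APP_AS_POSTED = {
    "entity_id": "http://forti-fqdn:6443/metadata/",
    "acs_url": "https://forti-fqdn:6443/saml/?acs",
    "slo_url": "https:/forti-fqdn:6443/saml/?sls",
}


def expected_entra_values(sp_address):
    """Derive the Entra-side values for an SSL-VPN app from the SP address.

    Follows the scheme/path layout of the FortiGate SP block in the post:
    http for the Entity ID, https for the ACS and SLO endpoints.
    """
    return {
        "entity_id": f"http://{sp_address}{SSLVPN_PATH_PREFIX}metadata/",
        "acs_url": f"https://{sp_address}{SSLVPN_PATH_PREFIX}login",
        "slo_url": f"https://{sp_address}{SSLVPN_PATH_PREFIX}logout",
    }


def check_entra_against_sp(sp, entra):
    """Return a list of findings (one per setting); an empty list means consistent."""
    findings = []
    for key in ("entity_id", "acs_url", "slo_url"):
        sp_val = sp[key]
        entra_val = entra.get(key)
        if entra_val is None:
            findings.append(f"{key}: missing on the Entra side")
            continue
        parsed = urlparse(entra_val)
        if not parsed.netloc:
            # e.g. "https:/host/..." parses with an empty host
            findings.append(f"{key}: malformed URL {entra_val!r} (missing '//' after the scheme?)")
        elif not parsed.path.startswith(SSLVPN_PATH_PREFIX):
            findings.append(
                f"{key}: path {parsed.path!r} is an admin-GUI path; "
                f"SSL-VPN needs {SSLVPN_PATH_PREFIX}..."
            )
        elif entra_val != sp_val:
            # SAML compares Entity IDs and endpoint URLs as exact strings,
            # so even a trailing-slash difference counts as a mismatch.
            findings.append(f"{key}: Entra value {entra_val!r} != FortiGate value {sp_val!r}")
    return findings


if __name__ == "__main__":
    for line in check_entra_against_sp(FORTIGATE_SP, ENTRA_APP_AS_POSTED):
        print("FINDING:", line)
    fixed = expected_entra_values("forti-fqdn:6443")
    print("corrected Entra values:", fixed)
    print("findings after correction:", check_entra_against_sp(FORTIGATE_SP, fixed))
```

Running it against the posted values reports three findings (Entity ID and Reply URL on admin-GUI paths, Logout URL malformed); feeding the derived /remote/saml/ values back in reports none, which is the state the reply is asking for.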