Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Configuring SAML SSO Entra Login
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configuring SAML SSO Entra Login
Hello everyone,
currently we are hanging in the SAML Entra SSO Setup. I checked the recommends Articles here in the Support Forum and watched serveral Videos.
Firmware: v7.4.5 build2702
Model: FortiGate 101F
After the SAML login via the FortiClient and Enter the M365 Credentials, follwing Error Appear:
Configuration on the Fortigate:
User & Authentication > Single-Sign-on
Service Provider Configuration
Address: "forti-fqdn:6443"
Entity ID: "http://forti-fqdn:6443/remote/saml/metadata/"
Assertion consumer service URL: "https://forti-fqdn:6443/remote/saml/login"
Single logout service URL: "https://forti-fqdn:6443/remote/saml/logout"
Identity Provider Configuration
Entity ID: "https://sts.windows.net/xxxx/"
Assertion consumer service URL: "https://login.microsoftonline.com/xxxx/saml2"
Single logout service URL: "https://login.microsoftonline.com/xxxx/saml2"
Certifcate Import from Entra
Additional SAML Attributes
Attribute used to identify users: name
Attribute used to identify groups: groups
The Identity Provider Configuration URLs are also stored in the SAML SSO Settings under Security Fabric.
On the Entra side I add the Forttigate SSL VPN Enterprise Application.
Basic SAML Configuration
Identifier (Entity ID): "http://forti-fqdn:6443/metadata/"
Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs"
Sign on URL: "https://forti-fqdn:6443/saml/login/"
Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"
Create a security Group that are assigend to the App.
Following this example, I have linked the group ID with the Forti:
config user group edit "SAML_AZ_ALL" set member "azure-saml" config match edit 1 set server-name "azure-saml" set group-name "YYY-a79a-40f0-a2df-XXX" next end next end
A Firewall Rule for the created "SAML_AZ_ALL" Group was added (Incoming Interface SSL-VPN)
When testing the connection from entra, I get the following error message:
Forbidden
You don't have permission to access /saml/login/ on this server.
Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request.
So an error must have crept in somewhere, I am currently at a loss.
Perhaps someone has a tip on what I can still adjust or have forgotten.
I am grateful for any support
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
> On the Entra side I add the Forttigate SSL VPN Enterprise Application.
> Basic SAML Configuration
> Identifier (Entity ID): "http://forti-fqdn:6443/metadata/"
> Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs"
> Sign on URL: "https://forti-fqdn:6443/saml/login/"
> Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"
The bold parts of the above URLs are incorrect. What you have there right now corresponds with the typical URL paths used for admin GUI login. But since you're trying to use SSL-VPN, you need to use the SSL-VPN-relevant URL paths (/remote/saml/login, /remote/saml/logout, /remote/saml/metadata ...).
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello pminarik,
thanks for the fast answer.
I have corrected the URLs. Now there is no more error message.
However, I cannot establish a connection via the FortiClient. I tested it with two laptops
On the first one, the status remains at 0% after the M365 login.
On the second, this runs through, then a message appears that the SSL VPN connection is inactive.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have the same issue but no solution yet. I always get the same error back. Also the error with #Lassoserver
config user saml
edit "azure"
set cert "forst.fortiddns.com"
set entity-id "http://FQDN:400/remote/saml/metadata/"
set single-sign-on-url "https://FQDN:400/remote/saml/login"
set single-logout-url "https://FQDN:400/remote/saml/logout"
set idp-entity-id "https://MSID/"
set idp-single-sign-on-url "https://login.microsoftonline.com/MSID/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/MSID/saml2"
set idp-cert "REMOTE_Cert_1"
set user-name "username"
set group-name "group"
set digest-method sha1
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The idp-entity-id should be in the format "https://sts.windows.net/<MSID>/", but maybe you just over-anonymized the snipped.
The rest looks OK. Consider reviewing the Azure/Entra-side configuration, and make sure that the URLs match exactly what you have shared here. (note: Azure is sensitive to any trailing slashes (/) in URLs, if present.)
If still unclear, please share the exact debug errors.
[ corrections always welcome ]
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Configuring SAML SSO Entra Login 153 Views
- Directly access the FortiGate via Okta... 101 Views
- SAML Auth with Conditional Access that... 570 Views
- The first connection using Microsoft Entra... 695 Views
- Entra ID for SSL VPN and... 383 Views
Labels
-
FortiGate
8,250 -
FortiClient
1,664 -
5.2
801 -
FortiManager
692 -
5.4
639 -
FortiAnalyzer
525 -
FortiSwitch
444 -
FortiAP
436 -
6.0
416 -
FortiClient EMS
382 -
5.6
362 -
FortiMail
306 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
SSL-VPN
196 -
FortiWeb
193 -
FortiNAC
167 -
IPsec
166 -
FortiGuard
131 -
6.4
128 -
SD-WAN
101 -
FortiGateCloud
100 -
FortiSIEM
96 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
77 -
Customer Service
75 -
Wireless Controller
75 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
55 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
VLAN
46 -
ZTNA
44 -
High Availability
44 -
FortiExtender
43 -
FortiDNS
42 -
FortiSandbox
40 -
Routing
37 -
DNS
37 -
BGP
36 -
FortiGate v5.4
35 -
LDAP
35 -
FortiSwitch v6.4
33 -
SAML
32 -
Interface
31 -
Certificate
31 -
SSO
29 -
FortiConnect
28 -
Authentication
28 -
NAT
28 -
RADIUS
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiLink
25 -
VDOM
24 -
FortiGate v5.2
23 -
Application control
22 -
Virtual IP
22 -
Web profile
21 -
Logging
20 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
Traffic shaping
17 -
SSL SSH inspection
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
FortiSOAR
12 -
FortiCASB
12 -
SNMP
12 -
SSID
12 -
Admin
12 -
Static route
12 -
WAN optimization
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
Automation
11 -
System settings
11 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiManager v4.0
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiDeceptor
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1593 | |
| 1045 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.