Hello everyone,
currently we are hanging in the SAML Entra SSO Setup. I checked the recommends Articles here in the Support Forum and watched serveral Videos.
Firmware: v7.4.5 build2702
Model: FortiGate 101F
After the SAML login via the FortiClient and Enter the M365 Credentials, follwing Error Appear:
Configuration on the Fortigate:
User & Authentication > Single-Sign-on
Service Provider Configuration
Address: "forti-fqdn:6443"
Entity ID: "http://forti-fqdn:6443/remote/saml/metadata/"
Assertion consumer service URL: "https://forti-fqdn:6443/remote/saml/login"
Single logout service URL: "https://forti-fqdn:6443/remote/saml/logout"
Identity Provider Configuration
Entity ID: "https://sts.windows.net/xxxx/"
Assertion consumer service URL: "https://login.microsoftonline.com/xxxx/saml2"
Single logout service URL: "https://login.microsoftonline.com/xxxx/saml2"
Certifcate Import from Entra
Additional SAML Attributes
Attribute used to identify users: name
Attribute used to identify groups: groups
The Identity Provider Configuration URLs are also stored in the SAML SSO Settings under Security Fabric.
On the Entra side I add the Forttigate SSL VPN Enterprise Application.
Basic SAML Configuration
Identifier (Entity ID): "http://forti-fqdn:6443/metadata/"
Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs"
Sign on URL: "https://forti-fqdn:6443/saml/login/"
Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"
Create a security Group that are assigend to the App.
Following this example, I have linked the group ID with the Forti:
config user group edit "SAML_AZ_ALL" set member "azure-saml" config match edit 1 set server-name "azure-saml" set group-name "YYY-a79a-40f0-a2df-XXX" next end next end
A Firewall Rule for the created "SAML_AZ_ALL" Group was added (Incoming Interface SSL-VPN)
When testing the connection from entra, I get the following error message:
Forbidden
You don't have permission to access /saml/login/ on this server.
Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request.
So an error must have crept in somewhere, I am currently at a loss.
Perhaps someone has a tip on what I can still adjust or have forgotten.
I am grateful for any support
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
> On the Entra side I add the Forttigate SSL VPN Enterprise Application.
> Basic SAML Configuration
> Identifier (Entity ID): "http://forti-fqdn:6443/metadata/"
> Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs"
> Sign on URL: "https://forti-fqdn:6443/saml/login/"
> Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"
The bold parts of the above URLs are incorrect. What you have there right now corresponds with the typical URL paths used for admin GUI login. But since you're trying to use SSL-VPN, you need to use the SSL-VPN-relevant URL paths (/remote/saml/login, /remote/saml/logout, /remote/saml/metadata ...).
> On the Entra side I add the Forttigate SSL VPN Enterprise Application.
> Basic SAML Configuration
> Identifier (Entity ID): "http://forti-fqdn:6443/metadata/"
> Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs"
> Sign on URL: "https://forti-fqdn:6443/saml/login/"
> Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"
The bold parts of the above URLs are incorrect. What you have there right now corresponds with the typical URL paths used for admin GUI login. But since you're trying to use SSL-VPN, you need to use the SSL-VPN-relevant URL paths (/remote/saml/login, /remote/saml/logout, /remote/saml/metadata ...).
Hello pminarik,
thanks for the fast answer.
I have corrected the URLs. Now there is no more error message.
However, I cannot establish a connection via the FortiClient. I tested it with two laptops
On the first one, the status remains at 0% after the M365 login.
On the second, this runs through, then a message appears that the SSL VPN connection is inactive.
If you can, check first with web-mode (login via browser). If that works, that means the SAML config is OK. Once that is fine, the rest is just debugging between FortiGate and FortiClient. Capture the sslvpn debug and review it. If it's not too clear, you can share it in a support ticket, or here. (it can be quite long, though)
Hi
I have the same issue but no solution yet. I always get the same error back. Also the error with #Lassoserver
config user saml
edit "azure"
set cert "forst.fortiddns.com"
set entity-id "http://FQDN:400/remote/saml/metadata/"
set single-sign-on-url "https://FQDN:400/remote/saml/login"
set single-logout-url "https://FQDN:400/remote/saml/logout"
set idp-entity-id "https://MSID/"
set idp-single-sign-on-url "https://login.microsoftonline.com/MSID/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/MSID/saml2"
set idp-cert "REMOTE_Cert_1"
set user-name "username"
set group-name "group"
set digest-method sha1
next
end
The idp-entity-id should be in the format "https://sts.windows.net/<MSID>/", but maybe you just over-anonymized the snipped.
The rest looks OK. Consider reviewing the Azure/Entra-side configuration, and make sure that the URLs match exactly what you have shared here. (note: Azure is sensitive to any trailing slashes (/) in URLs, if present.)
If still unclear, please share the exact debug errors.
Hi Pminarik
Yes, the URL was a typo :) All seems to be correct with the URLs. On friday I have a support call with fortinet. I see that the redirection from forticlient and also via browser goes to MS and then I log in with MS account but then the redirection to the fortigate back ends in a empty response. Normal SSL VPN is working.
I solved the issue by doing that:
https://www.reddit.com/r/fortinet/comments/mwbgaz/forticlient_ssl_vpn_and_azure_saml_login_issue/
it must be like this:
I deleted the defaults and had to rename the "group" = "user.groups" to "group" = "user.groups". Had to delete and readd it. Then had to change also in Azure. Now it Works fine :)
Yeah, this is a known quirk in Azure. The name of the attribute by default isn't a plain "groups", but it silently includes the namespace, so the attribute's name as received in the SAML reply ends up being "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups".
You can deal with it by deleting it and creating a new "groups" claim (as you did), or editing the default one and customizing the name in its "Advanced options".
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.