Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
syntax-error
New Contributor

Configuring SAML SSO Entra Login

Hello everyone,

Currently we are stuck on the SAML Entra SSO setup. I checked the recommended articles here in the Support Forum and watched several videos.

Firmware: v7.4.5 build2702

Model: FortiGate 101F

 

After the SAML login via FortiClient and entering the M365 credentials, the following error appears:

 

Configuration on the Fortigate:

User & Authentication > Single-Sign-on

Service Provider Configuration

Address: "forti-fqdn:6443" 

Entity ID: "http://forti-fqdn:6443/remote/saml/metadata/" 

Assertion consumer service URL: "https://forti-fqdn:6443/remote/saml/login" 

Single logout service URL: "https://forti-fqdn:6443/remote/saml/logout"

 

Identity Provider Configuration

Entity ID: "https://sts.windows.net/xxxx/" 

Assertion consumer service URL: "https://login.microsoftonline.com/xxxx/saml2" 

Single logout service URL: "https://login.microsoftonline.com/xxxx/saml2" 

 

Certificate imported from Entra

 

Additional SAML Attributes

Attribute used to identify users: name

Attribute used to identify groups: groups

 

The Identity Provider Configuration URLs are also stored in the SAML SSO Settings under Security Fabric.

 

On the Entra side I added the FortiGate SSL VPN Enterprise Application.

Basic SAML Configuration
Identifier (Entity ID): "http://forti-fqdn:6443/metadata/" 
Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs" 
Sign on URL: "https://forti-fqdn:6443/saml/login/" 
Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"


Created a security group that is assigned to the app.

Following this example, I have linked the group ID with the FortiGate:

 

config user group
    edit "SAML_AZ_ALL"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "YYY-a79a-40f0-a2df-XXX"
            next
        end
    next
end

A firewall rule for the created "SAML_AZ_ALL" group was added (incoming interface SSL-VPN).
 

When testing the connection from Entra, I get the following error message:

 

Forbidden
You don't have permission to access /saml/login/ on this server.

 

Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request.

 

So an error must have crept in somewhere; I am currently at a loss.
Perhaps someone has a tip on what I can still adjust or may have forgotten.

 

I am grateful for any support.

1 Solution
pminarik
Staff

> On the Entra side I add the Forttigate SSL VPN Enterprise Application.

> Basic SAML Configuration
> Identifier (Entity ID): "http://forti-fqdn:6443/metadata/"
> Reply URL (Assertion Consumer Service URL): "https://forti-fqdn:6443/saml/?acs"
> Sign on URL: "https://forti-fqdn:6443/saml/login/"
> Logout Url (Optional): "https:/forti-fqdn:6443/saml/?sls"

 

The bold parts of the above URLs are incorrect. What you have there right now corresponds with the typical URL paths used for admin GUI login. But since you're trying to use SSL-VPN, you need to use the SSL-VPN-relevant URL paths (/remote/saml/login, /remote/saml/logout, /remote/saml/metadata ...).

[ corrections always welcome ]

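As an added example (not part of the thread and not Fortinet code): a small Python check that compares the FortiGate SSL-VPN SP values with the Entra "Basic SAML Configuration" fields and reports the two kinds of mistake discussed in this thread, admin-GUI paths pasted into the SSL-VPN enterprise app, and strings that differ only by a trailing slash or a malformed scheme. The dictionaries reuse the placeholder host forti-fqdn:6443 from the post and are constructed, not a real deployment; the "Sign on URL" field (IdP-initiated login) is left out because it has no FortiGate counterpart in the post.

```python
"""Cross-check FortiGate SSL-VPN SAML SP values against the Entra app.

Added example; the sample dictionaries reuse the placeholder host
forti-fqdn:6443 from the post and are not a real deployment.
"""
from urllib.parse import urlsplit

# Paths the FortiGate SSL-VPN portal serves for SAML, keyed by the
# 'config user saml' setting that carries them.
SSLVPN_PATHS = {
    "entity-id": "/remote/saml/metadata/",
    "single-sign-on-url": "/remote/saml/login",
    "single-logout-url": "/remote/saml/logout",
}
# The Entra "Basic SAML Configuration" field that must carry each value.
ENTRA_FIELD = {
    "entity-id": "Identifier (Entity ID)",
    "single-sign-on-url": "Reply URL (Assertion Consumer Service URL)",
    "single-logout-url": "Logout Url (Optional)",
}
# Paths that belong to FortiGate admin-GUI SAML login, not to SSL-VPN.
ADMIN_GUI_PATHS = {"/metadata/", "/saml/?acs", "/saml/login/", "/saml/?sls"}


def _path_and_query(url):
    parts = urlsplit(url)
    return parts.path + (f"?{parts.query}" if parts.query else "")


def check_sp_config(fortigate, entra):
    """Return a list of problems; an empty list means both sides agree
    and every URL points at the SSL-VPN SAML endpoints."""
    problems = []
    for key, expected_path in SSLVPN_PATHS.items():
        field = ENTRA_FIELD[key]
        fg_url, az_url = fortigate[key], entra[field]
        if fg_url == az_url:
            # Strings match exactly, so only the path choice can be wrong.
            if _path_and_query(fg_url) != expected_path:
                problems.append(f"{field}: both sides use {fg_url!r}, "
                                f"but the SSL-VPN path is {expected_path!r}")
            continue
        az_path = _path_and_query(az_url)
        if not urlsplit(az_url).netloc:
            reason = "malformed URL, no host after the scheme (missing '//'?)"
        elif az_path in ADMIN_GUI_PATHS:
            reason = f"admin-GUI SAML path; SSL-VPN needs {expected_path!r}"
        elif az_path.rstrip("/") == _path_and_query(fg_url).rstrip("/"):
            reason = "trailing-slash mismatch; Entra compares the string exactly"
        else:
            reason = "URLs differ"
        problems.append(f"{field}: FortiGate {fg_url!r} vs Entra {az_url!r}: {reason}")
    return problems


# FortiGate side from the post: already on the /remote/saml/ paths.
FORTIGATE_SP = {
    "entity-id": "http://forti-fqdn:6443/remote/saml/metadata/",
    "single-sign-on-url": "https://forti-fqdn:6443/remote/saml/login",
    "single-logout-url": "https://forti-fqdn:6443/remote/saml/logout",
}
# Entra side as originally posted (admin-GUI paths, one missing slash).
ENTRA_AS_POSTED = {
    "Identifier (Entity ID)": "http://forti-fqdn:6443/metadata/",
    "Reply URL (Assertion Consumer Service URL)": "https://forti-fqdn:6443/saml/?acs",
    "Logout Url (Optional)": "https:/forti-fqdn:6443/saml/?sls",
}
# Entra side after applying the fix from the accepted answer.
ENTRA_FIXED = {
    "Identifier (Entity ID)": "http://forti-fqdn:6443/remote/saml/metadata/",
    "Reply URL (Assertion Consumer Service URL)": "https://forti-fqdn:6443/remote/saml/login",
    "Logout Url (Optional)": "https://forti-fqdn:6443/remote/saml/logout",
}

if __name__ == "__main__":
    for name, cfg in (("as posted", ENTRA_AS_POSTED), ("fixed", ENTRA_FIXED)):
        print(f"== {name} ==")
        for line in check_sp_config(FORTIGATE_SP, cfg) or ["no problems found"]:
            print(" ", line)
```

Run it and the "as posted" set reports three problems (two admin-GUI paths and the `https:/` logout URL with no host), while the fixed set reports none. Any leftover difference that is only a trailing slash is called out separately, since that is the one Azure is strict about.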

8 REPLIES
syntax-error

Hello pminarik,

 

Thanks for the fast answer.

I have corrected the URLs. Now there is no more error message.
However, I cannot establish a connection via FortiClient. I tested it with two laptops.
On the first one, the status remains at 0% after the M365 login.

On the second, this runs through, then a message appears that the SSL VPN connection is inactive.

pminarik

If you can, check first with web-mode (login via browser). If that works, that means the SAML config is OK. Once that is fine, the rest is just debugging between FortiGate and FortiClient. Capture the sslvpn debug and review it. If it's not too clear, you can share it in a support ticket, or here. (it can be quite long, though)

[ corrections always welcome ]
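Added here as an illustration, not part of pminarik's reply: the FortiOS CLI commands that capture the SSL-VPN debug suggested above, together with the SAML daemon (samld) debug, which is where the assertion handling shows up. Enable them, reproduce the login once in web mode (browser) and once from FortiClient, then disable them; the output is long, so capture the console session to a file.

```text
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug enable
# reproduce the SAML login now (browser web mode first, then FortiClient)
diagnose debug disable
diagnose debug reset
```

Compare the two runs: if the browser login succeeds and only the FortiClient run fails, the SAML configuration is fine and the remaining problem is between FortiGate and FortiClient, which is the split pminarik describes.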
baraja
New Contributor

Hi

I have the same issue but no solution yet. I always get the same error back. Also the error with #Lassoserver.

 

config user saml
    edit "azure"
        set cert "forst.fortiddns.com"
        set entity-id "http://FQDN:400/remote/saml/metadata/"
        set single-sign-on-url "https://FQDN:400/remote/saml/login"
        set single-logout-url "https://FQDN:400/remote/saml/logout"
        set idp-entity-id "https://MSID/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/MSID/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/MSID/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

pminarik

The idp-entity-id should be in the format "https://sts.windows.net/<MSID>/", but maybe you just over-anonymized the snippet.

The rest looks OK. Consider reviewing the Azure/Entra-side configuration, and make sure that the URLs match exactly what you have shared here. (note: Azure is sensitive to any trailing slashes (/) in URLs, if present.)

 

If still unclear, please share the exact debug errors.

[ corrections always welcome ]
baraja

Hi Pminarik

Yes, the URL was a typo :) All seems to be correct with the URLs. On Friday I have a support call with Fortinet. I see that the redirect from FortiClient, and also via the browser, goes to MS, then I log in with the MS account, but then the redirect back to the FortiGate ends in an empty response. Normal SSL VPN is working.

baraja

I solved the issue by doing this:

https://www.reddit.com/r/fortinet/comments/mwbgaz/forticlient_ssl_vpn_and_azure_saml_login_issue/

 

It must be like this:

 

I deleted the defaults and had to rename the "group" = "user.groups" to "group" = "user.groups". I had to delete and re-add it. Then I also had to change it in Azure. Now it works fine :)

[Screenshot: Microsoft Entra admin center, Attributes & Claims]

pminarik

Yeah, this is a known quirk in Azure. The name of the attribute by default isn't a plain "groups", but it silently includes the namespace, so the attribute's name as received in the SAML reply ends up being "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups".

 

You can deal with it by deleting it and creating a new "groups" claim (as you did), or editing the default one and customizing the name in its "Advanced options".

[ corrections always welcome ]
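To make the claim-name quirk from the last two replies concrete, and to show what the `config user group ... config match` block in the original post is actually comparing, here is an added Python example (not from the thread or from Fortinet). It parses the AttributeStatement of a SAML assertion and applies an exact-name lookup of the configured user-name and group-name attributes followed by the group-ID comparison. The assertion is constructed to look like Entra's default claim set (the groups claim under the http://schemas.microsoft.com/ws/2008/06/identity/claims/ namespace, plus a custom plain "username" claim); the tenant ID, group IDs and user are made up, and the exact-name lookup is the behaviour the thread describes, not a statement about FortiOS internals.

```python
"""Parse a SAML AttributeStatement and apply the user/group lookup.

Added example; the assertion below is constructed to mirror Entra's
default claim names and is not a real capture.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Group object ID in the same shape as the post's "YYY-a79a-40f0-a2df-XXX";
# the value is made up.
GROUP_ID = "11111111-a79a-40f0-a2df-222222222222"

# Entra's default claim set: "groups" is emitted with the full
# http://schemas.microsoft.com/ws/2008/06/identity/claims/ namespace,
# while the custom "username" claim carries a plain name.
ASSERTION_DEFAULT_CLAIMS = f"""\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-10-23T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>{GROUP_ID}</saml:AttributeValue>
      <saml:AttributeValue>33333333-0000-0000-0000-444444444444</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The same assertion after the groups claim has been re-created in Entra
# with the plain name "groups", as the last two replies describe.
ASSERTION_RENAMED_CLAIM = ASSERTION_DEFAULT_CLAIMS.replace(
    'Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"',
    'Name="groups"',
)


def parse_attributes(assertion_xml):
    """Map each saml:Attribute Name to the list of its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def _namespaced_twin(attrs, short_name):
    """Return a claim whose last URI segment equals short_name, if any."""
    for full_name in attrs:
        if full_name != short_name and full_name.rstrip("/").rsplit("/", 1)[-1] == short_name:
            return full_name
    return None


def evaluate_login(attrs, user_attr, group_attr, group_id):
    """Exact-name lookup of the configured user-name and group-name
    attributes, then the group-id comparison from 'config user group ...
    config match'. Returns (user or None, reason)."""
    for label, wanted in (("user", user_attr), ("group", group_attr)):
        if wanted not in attrs:
            twin = _namespaced_twin(attrs, wanted)
            hint = (f"; assertion carries {twin!r} instead, rename the claim "
                    f"in Entra to plain {wanted!r}") if twin else ""
            return None, f"{label} attribute {wanted!r} missing{hint}"
    if group_id not in attrs[group_attr]:
        return None, f"{group_id} not in {attrs[group_attr]}"
    return attrs[user_attr][0], "ok"


if __name__ == "__main__":
    for title, xml in (("default claims", ASSERTION_DEFAULT_CLAIMS),
                       ("renamed claim", ASSERTION_RENAMED_CLAIM)):
        print(title, "->", evaluate_login(parse_attributes(xml), "username", "groups", GROUP_ID))
```

With the default claims the lookup for "groups" fails and the hint points at the namespaced name that actually arrived; with the renamed claim the same user and group ID match. The same twin-name check flags the default "name" claim, which Entra also emits under a schema URI, so it is worth running against a real assertion (from the samld debug or a browser SAML tracer) before assuming the group mapping is at fault.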