Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aguerriero
Contributor II

EMS with Azure and auto SSL VPN on user login, failing at graph API connection.

I set up EMS and FortiGate, both with SAML configurations, and both systems work. A user can be SAML SSO verified through EMS, and a user can access SSL VPN with SAML SSO as well.

I tried to enable Azure AD auto SSL VPN login and I get an error when the FortiGate attempts to connect to the Microsoft Graph API to verify the user's session token. I believe these are the steps that need to happen for a successful auto login. Step number 5 fails with the below debug errors. I verified the CLI can resolve DNS and ping the Microsoft Graph API.

[attached screenshot of the debug output: CapturedsaDSA.PNG]

1. User attempts SAML.
2. EMS/FortiClient talks to Azure.
3. Azure provides a token to the FortiClient.
4. FortiClient gives the token to the FortiGate.
5. FortiGate uses the Graph API to validate the token.
6. FortiGate authorizes the FortiClient.
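Step 5 is the one that fails for the poster. As an added example (not from the original post, and not FortiClient or Fortinet code), here is a small Python script that performs, from an admin workstation, the checks behind that step: it decodes the access token FortiClient would hand to the FortiGate (signature deliberately not verified; this is inspection only, never an authorization decision), confirms the token was issued for Microsoft Graph and for the expected tenant and has not expired, and optionally calls Graph `/me/memberOf` to list the user's groups, which is what a later reply in this thread reports the FortiGate matching against its user group. The tenant ID, scopes and token contents in the script are constructed placeholders, and the FortiGate's own validation logic is not published here, so the script reproduces the observable checks rather than Fortinet's implementation.

```python
"""Inspect an Entra ID access token offline and (optionally) query Microsoft Graph.

Added example for troubleshooting step 5 of the flow above (the FortiGate
validating the token via Graph). The FortiGate's real validation code is not
public; this performs the equivalent checks an admin would run from a workstation.
All sample tokens and identifiers below are constructed for the example.
"""
import base64
import json
import time
import urllib.request
from typing import Dict, List, Optional, Tuple

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# Graph access tokens carry one of these two audience values.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into (header, claims).

    The signature is NOT checked. Use this only to look at what the client is
    presenting; the resource server (Graph) is what actually validates it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_graph_token(claims: Dict, expected_tenant: str,
                      now: Optional[float] = None) -> List[str]:
    """Return human-readable findings; an empty list means the token looks
    usable against Graph for the expected tenant (subject to signature checks
    that only Graph performs)."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"aud={claims.get('aud')!r} is not Microsoft Graph; "
                        "token was issued for a different resource")
    if claims.get("tid") != expected_tenant:
        findings.append(f"tid={claims.get('tid')!r} does not match expected "
                        f"tenant {expected_tenant}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        findings.append("token is expired or has no exp claim")
    if "scp" not in claims and "roles" not in claims:
        findings.append("no scp/roles claim: Graph will answer 401/403")
    return findings


def graph_member_of(token: str) -> List[str]:
    """Call /me/memberOf with the user's token and return group display names.

    Network call against the real Graph endpoint (not exercised offline).
    A 401 here with an otherwise clean-looking token points at the token
    itself; a connection error points at DNS/TLS/proxy on the path to Graph.
    """
    req = urllib.request.Request(
        f"{GRAPH_BASE}/me/memberOf?$select=displayName",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    return [g["displayName"] for g in body.get("value", []) if "displayName" in g]


def make_sample_token(claims: Dict) -> str:
    """Build an unsigned demo JWT (constructed; the signature segment is a placeholder)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    # Constructed tenant ID and claims; replace with the real token from the client.
    tenant = "11111111-2222-3333-4444-555555555555"
    demo = make_sample_token({"aud": "api://some-other-app", "tid": tenant,
                              "exp": int(time.time()) + 3600, "scp": "User.Read"})
    _, demo_claims = decode_jwt(demo)
    for finding in check_graph_token(demo_claims, tenant) or ["token looks usable"]:
        print(finding)
```

Run it with the real access token pasted in place of the demo token; if `check_graph_token` returns nothing and `graph_member_of` still fails, the problem is on the network path between the FortiGate and `graph.microsoft.com` (proxy, TLS inspection, egress policy) rather than in the token.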

12 replies
UQTR_Beaudet

Hi, little update on my end!

Went from 7.2.5 (Graph connection issue) to 7.2.7 because of the recent intense CVE...

It works!

Graph connection is fine, the groups are returned and, if matched in the user group, the connection is established. This is on laptops joined to our local Active Directory and hybrid-joined to Entra ID.

Jean-Alexandre Beaudet
aguerriero

Good to know that it is fixed in 7.2.7, but have you seen this for 7.2.7?

[attached screenshot: 7.2.7 ipsec.PNG]

UQTR_Beaudet

We only use SSL-VPN, so it didn't affect us going to 7.2.7.

Jean-Alexandre Beaudet