EMS with Azure and auto SSL VPN on user login, failing at graph API connection.
I set up EMS and FortiGate both with SAML configurations and both systems work. A user can be SAML SSO verified through EMS and a user can access SSL VPN with SAML SSO as well.
I tried to enable Azure AD auto SSL VPN login and I get an error when the FortiGate attempts to connect to the Microsoft Graph API to verify the user's session token. I believe these are the steps that need to happen for a successful auto login. Step number 5 fails with the below debug errors. I verified the CLI can resolve DNS and ping the Microsoft Graph API.
Why don't you collect a packet sniffer from the FortiGate while you attempt the authentication process? As per the debug logs, DNS is successful but the connection is failing to the received IP address with a socket error. The capture will help to check further.
diagnose sniffer packet <interface> none 4 10 a
Here interface would be your exit interface of FortiGate.
Attached is the result of the packet capture and the debugs running at the same time. I thought sessions initiated by the FortiGate would not show up in a packet capture. If they are supposed to, then it looks like the FortiGate is not even trying to connect to the Graph API.
That's great, as the capture doesn't show any connection to the Graph API URL and all it shows is your VPN traffic on port 10443. Looks like a detailed investigation is necessary with the configuration and log here. Share the feedback in the forum if you find a solution.
Hope you have seen this document for the setup. If not, please review your setup against the article as well.
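The triage done by hand above (separating the port 10443 SSL VPN traffic from any outbound HTTPS attempt by the FortiGate itself) can be scripted over the sniffer output. This is an added example, not code from the thread or from Fortinet; the capture lines are constructed, and the header layout is an assumption modelled on typical verbosity-4 sniffer output, so adjust LINE_RE if your firmware prints differently.

```python
import re

# Constructed sample of "diagnose sniffer packet port1 none 4" output. The header
# format is an assumption modelled on typical verbosity-4 lines, not taken from the thread.
SAMPLE_CAPTURE = """\
interfaces=[port1]
filters=[none]
1.203415 port1 in 203.0.113.7.51522 -> 198.51.100.10.10443: syn 1017230513
1.203460 port1 out 198.51.100.10.10443 -> 203.0.113.7.51522: syn 2201111 ack 1017230514
1.204001 port1 in 203.0.113.7.51522 -> 198.51.100.10.10443: ack 2201112
3.500112 port1 out 198.51.100.10.40012 -> 192.0.2.55.53: udp 44
3.510007 port1 in 192.0.2.55.53 -> 198.51.100.10.40012: udp 120
"""

LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<info>.*)$"
)

def parse_capture(text):
    """Return one dict per packet header line; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets

def triage(text, vpn_port=10443, https_port=443):
    """Separate SSL VPN traffic from the FortiGate's own outbound HTTPS attempts."""
    pkts = parse_capture(text)
    vpn = [p for p in pkts if vpn_port in (p["sport"], p["dport"])]
    dns_out = [p for p in pkts if p["dir"] == "out" and p["dport"] == 53]
    # A bare "syn <seq>" with no "ack" is the FortiGate opening a new TCP connection.
    https_syn = [p for p in pkts if p["dir"] == "out" and p["dport"] == https_port
                 and p["info"].startswith("syn") and "ack" not in p["info"]]
    if https_syn:
        verdict = "outbound HTTPS attempted; inspect the handshake and response for these flows"
    else:
        verdict = "no outbound HTTPS SYN seen; the FortiGate never tried to reach the Graph API"
    return {"packets": len(pkts), "vpn_packets": len(vpn), "dns_out": len(dns_out),
            "https_syn_out": len(https_syn),
            "https_targets": sorted({p["dst"] for p in https_syn}), "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Run it on the saved sniffer output; a zero `https_syn_out` with the debug reporting a socket error points at the FortiGate side (routing, source interface, or the SAML/Azure configuration) rather than at Microsoft's endpoint.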