Hi,
I have recently set up SAML auth with Azure AD but can't get it to work via Forticlient.
Users can login to the web portal and auth using SSO successfully, it's just Forticlient that fails.
When users try to connect via Forticlient they are directed to the correct Microsoft Login URL and can successfully auth with their Azure creds (including MFA), but after accepting the MFA prompt Forticlient stops at 48% and shows "Credential or SSLVPN configuration is wrong (-7200)".
Checking the SSL-VPN Monitor in the Forti shows the user as being connected, but only with "Web Connections" instead of "Tunnel Connections".
It's almost like, when authenticating, Forticlient can't find the user in a User Group and so assigns it to the Web-access portal.
Running Forticlient 7.0 and firmware 7.0.1 on the Forti.
There is a post on Reddit about the SSL-VPN certificate key length having to be 2048, but we are using a certificate with a key length of 4096.
CONFIG BELOW (using example FQDN)
--------------------------------------------------------
config user saml
    edit "azure-saml"
        set cert "Fortinet"
        set entity-id "https://example-company.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://example-company.com:10443/remote/saml/login"
        set single-logout-url "https://example-company.com:10443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/YYY-e027-4bb6-a213-XXX/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
        set idp-cert "Azure_SAML"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "SAML_AZ_ALL"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "YYY-a79a-40f0-a2df-XXX"    (Object ID of my Azure group)
            next
        end
    next
end
I have the same problem with Fortios 7.012 + ForticlientEms 6.410. This combination causes the error "Credential or SSLVPN configuration is wrong (-7200)". Certificate key length is 4096. Everything worked fine with FortiOS 6.413 + ForticlientEms 6.410. I changed the SAML user ssl-certificate temporarily to Fortigate-factor. This solved the problem.
The final solution was to update all vpn clients. (6.410 --> to 7.09)
Created on 08-23-2023 04:05 AM Edited on 08-23-2023 05:20 AM
This software has a lot of glitches. When updating the Forticlient VPN to the latest version, I encountered an issue where it wouldn't save the password. As a result, it kept asking for the username and password every time. But if you already signed in using Version 6.4 it will work. But if you get a new laptop and install the latest version you may have this issue where it asks for a username and password every time you get in.
Please see my earlier question to you. Any thoughts? Also on 7.2.1.0779.
Created on 08-23-2023 06:01 AM Edited on 08-23-2023 06:02 AM
Will take a look.
Was this new group related to the FortiGate's SSLVPN configuration, or just a new group added within O365, unrelated? Trying to understand the relationship. We are seeing about 10% of our users unable to connect.
Just 365, unrelated; it was just a new group added to the AD, so we're sure that the issue was not the SSL-VPN or Forticlient in this case.
We figured it out... There is apparently a limit to the number of O365 groups the user can be a member of. However, this limitation can be avoided by changing "Group Claims" setting to only return groups assigned to the application. This way, instead of returning every group, it only returns one, the one that matters. This really should have been documented in the installation steps.
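To see what the FortiGate "config match" rule above actually has to work with, here is an added example (not from this thread or from Fortinet) that parses the attribute statement of an Azure AD SAML assertion, checks whether the configured group attribute contains the expected group Object ID, and flags the group-overage case where Azure AD replaces the group list with a groups.link claim. The assertions and Object IDs are constructed placeholders; the attribute names "username" and "group" are the ones mapped with set user-name / set group-name in the original config.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim Azure AD emits instead of the group list when a user is in too many
# groups for the token; FortiGate's "config match" then has nothing to match.
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from an assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return attrs

def check_group_match(assertion_xml: str, group_attr: str, expected_group: str) -> str:
    """Mimic the FortiGate group match: does group_attr contain expected_group?"""
    attrs = saml_attributes(assertion_xml)
    if OVERAGE_CLAIM in attrs:
        return "overage"      # group list was omitted by Azure AD
    return "match" if expected_group in attrs.get(group_attr, []) else "no-match"

# Constructed sample assertions (placeholder Object IDs, no signature element).
GROUP_ID = "11111111-a79a-40f0-a2df-222222222222"
ASSERTION_OK = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:AttributeStatement>
  <saml:Attribute Name="username"><saml:AttributeValue>alice@example-company.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="group">
   <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
   <saml:AttributeValue>{GROUP_ID}</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
ASSERTION_OVERAGE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:AttributeStatement>
  <saml:Attribute Name="username"><saml:AttributeValue>bob@example-company.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{OVERAGE_CLAIM}"><saml:AttributeValue>https://graph.microsoft.com/v1.0/users/PLACEHOLDER/getMemberObjects</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_group_match(ASSERTION_OK, "group", GROUP_ID))       # match
    print(check_group_match(ASSERTION_OVERAGE, "group", GROUP_ID))  # overage
```

A decoded SAMLResponse captured from a failing client (for example from a browser SAML tracer or the FortiGate SAML debug) can be fed in place of the constructed samples; an "overage" result means the Azure AD app's group claims need to be limited to groups assigned to the application, as described above.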