Anyone manage to resolve this issue with OS 7.4.1 that can successfully authenticate SSL VPN user with Fortigate VPN SSL enterprise app on Entra ID?
I tried app from the library, own app, custom app but the error is always the same (session ended or incorrect HTTP request).
I am using default 443 port ... and when I create SAML with gui I get ID like:
http://1.2.3.4:443/remote/saml/metadata/
https://1.2.3.4:443/remote/saml/login
https://1.2.3.4:443/remote/saml/logout
and cert from Entra is sha-256 not sha1 (witch is default encryption with new gui SAML)
Thx
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @sbaltic,
Does SAML authentication work with only username and password? Since FortiGate is not responsible for authentications, it doesn't care which app you are using. FortiGate only waits for authentication results from IDP.
You can try to increase remoteauthtimeout on the FortiGate to see if it helps: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-global-set-remoteauthtimeout-us...
Regards,
The problem is that I get "Session Ended" every time I login. So the fortigate login opens microsoft authentication and when I enter credentials I get "Session Ended"
Please double check your configuration and make sure the user group is specified in the firewall policy source. Please also make sure there is no group mismatch: -Followed below documents as error is matching:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-group-mismatch-issue-in-SSL-VPN...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Azure-SAML-group-mismatch-getting-error-re...
Regards,
Tried right now ... same problem. I don't see any group mismatch error. I think I tried everything. Even group ID and group name, always the same problem. Removed :443 also removed / (end of the matadata, login, logout) ... add enterprise app from scratch, add enterprise app FORTIGATE SSL VPN ...
Please collect debugs as mentioned in the article https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-group-mismatch-issue-in-SSL-VPN...
# di deb res
# diagnose debug application samld -1
# diagnose debug application sslvpn -1
# diagnose debug enable
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.