sbaltic
New Contributor

Fortigate FG200 SSL VPN with Microsoft Entra Auth

Has anyone managed to resolve this issue with OS 7.4.1 and can successfully authenticate an SSL VPN user with the Fortigate VPN SSL enterprise app on Entra ID?

I tried the app from the library, my own app, and a custom app, but the error is always the same (session ended or incorrect HTTP request).

I am using the default 443 port ... and when I create SAML with the GUI I get IDs like:
http://1.2.3.4:443/remote/saml/metadata/

https://1.2.3.4:443/remote/saml/login

https://1.2.3.4:443/remote/saml/logout

 

and the cert from Entra is sha-256 not sha1 (which is the default encryption with the new GUI SAML)

 

Thx

SB
hbac
Staff

Hi @sbaltic,

 

Does SAML authentication work with only username and password? Since FortiGate is not responsible for authentications, it doesn't care which app you are using. FortiGate only waits for authentication results from IDP. 

 

You can try to increase remoteauthtimeout on the FortiGate to see if it helps: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-global-set-remoteauthtimeout-us...

 

Regards, 

sbaltic
New Contributor

The problem is that I get "Session Ended" every time I log in. So the FortiGate login opens Microsoft authentication, and when I enter credentials I get "Session Ended".

SB
hbac

@sbaltic

 

Please double check your configuration and make sure the user group is specified in the firewall policy source. Please also make sure there is no group mismatch: -Followed below documents as error is matching:


https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-group-mismatch-issue-in-SSL-VPN...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Azure-SAML-group-mismatch-getting-error-re...

 

Regards, 

sbaltic
New Contributor

Tried right now ... same problem. I don't see any group mismatch error. I think I tried everything. Even group ID and group name, always the same problem. Removed :443, also removed / (end of the metadata, login, logout) ... added enterprise app from scratch, added enterprise app FORTIGATE SSL VPN ...

SB
hbac

@sbaltic,

 

Please collect debugs as mentioned in the article https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-group-mismatch-issue-in-SSL-VPN...

 

# di deb res
# diagnose debug application samld -1
# diagnose debug application sslvpn -1
# diagnose debug enable

 

Regards, 
