Hi,
I have configured SSO to Entra 365 on a FortiGate 40F running 7.0.13. I created a trusted certificate and added it to the FortiGate. When I use the FQDN to connect to the SSL port and use SSO, it never works properly, always seeming to time out, especially after signing in on the 365 side when it relays back to the FortiGate. I did adjust the remote timer. However, when configuring in FortiClient, if I use the IP address I get a self-signed warning but am able to connect to the VPN after signing in using SSO.
Is there some kind of DNS thing I need to do on the FortiGate? I notice the web listening mode in SSL-VPN settings is showing the IP address and not the FQDN.
I am highly certain all the SAML stuff is good, as I have beaten this up for a few days.
So I'm thinking it's a DNS resolution issue. I have already placed an A record on my public DNS. And I can always sign in without fail using the FQDN to the web admin interface.
Hi John,
Could you please confirm if the FQDN defined in the SAML metadata matches the FQDN used by the end user? Also, it is worth checking if the trusted certificate installed on the FortiGate includes this FQDN in either the CN or SAN fields.
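The two checks suggested above (SAML endpoints carrying the same scheme, host and port the user types, and the certificate's SAN/CN covering that FQDN) can be scripted. The following is an added example, not code from the thread or from Fortinet: it parses a constructed SP metadata document and a constructed certificate summary in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and reports any endpoint whose host or port differs from the user-facing URL. The hostname vpn.example.com and the IP 203.0.113.10 are placeholders; port 4443 is the custom port from the thread.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed sample SP metadata, shaped like a generic SAML 2.0 SP descriptor
# (not real FortiGate output). One endpoint deliberately uses the bare IP so
# the mismatch check has something to find.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com:4443/remote/saml/metadata/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com:4443/remote/saml/login" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://203.0.113.10:4443/remote/saml/logout"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed certificate summary in the dict shape ssl.SSLSocket.getpeercert()
# returns: 'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs;
# 'subjectAltName' is a tuple of (type, value) pairs.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.example.com")),
}


def saml_endpoints(metadata_xml):
    """Return {label: url} for the entityID and every Location the SP advertises."""
    root = ET.fromstring(metadata_xml)
    urls = {"entityID": root.get("entityID")}
    for el in root.iter():
        loc = el.get("Location")
        if loc:
            urls[el.tag.split("}")[-1]] = loc  # strip the namespace from the tag
    return urls


def _origin(url):
    """(scheme, lowercase host, port) with the https default applied."""
    p = urlparse(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or 443)


def endpoint_mismatches(metadata_xml, user_url):
    """Endpoints whose scheme/host/port differ from the URL users actually type."""
    want = _origin(user_url)
    return {label: url for label, url in saml_endpoints(metadata_xml).items()
            if _origin(url) != want}


def _dns_name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard (*.example.com covers vpn.example.com only)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def cert_names(cert):
    """All DNS SAN entries, followed by any CN (CN is only a fallback for old clients)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names


def cert_covers(cert, hostname):
    """True if the certificate is valid for the given FQDN."""
    return any(_dns_name_matches(n, hostname) for n in cert_names(cert))


def check(metadata_xml, cert, user_url):
    """Bundle both checks for the URL the end user connects to."""
    return {
        "endpoint_mismatches": endpoint_mismatches(metadata_xml, user_url),
        "cert_covers_fqdn": cert_covers(cert, urlparse(user_url).hostname),
    }


if __name__ == "__main__":
    print(check(SAMPLE_SP_METADATA, SAMPLE_CERT, "https://vpn.example.com:4443"))
```

Running it against the constructed data flags only the SingleLogoutService URL (it names the IP, not the FQDN) and confirms the certificate covers vpn.example.com; pointing the same metadata at an IP-based user URL instead flags the entityID and the AssertionConsumerService, which is the kind of host/port disagreement between "what the user types" and "what the SP advertises" that makes a SAML round trip fail after the IdP step.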
Thanks for getting back. The FQDN looks solid and matches in the SAML configs both in FortiGate and on Entra (365 Azure). The trusted certificate also looks correct. I noticed in Entra that you can't create groups inside the app without having a P1 or P2 license. I am only testing with myself as a single user and have assigned myself. But does this setup require group setups as well? Not sure if that is the issue? It just seems to time out after I successfully log in using two-factor. It's like the FortiGate is not responding, as I assume at that point the traffic is connecting back to the FortiGate to complete the SSL VPN connection.
Hi John,
The group configuration is not necessary if you are testing with a single user.
As you have confirmed that the configs look intact and you have received the 2FA prompt, consider adjusting the remote auth timer as below:
config system global
set remoteauthtimeout xx
end
Thanks,
The timeout is currently set for 60.
The response times out and shows the correct URL defined in both the FortiGate and the Enterprise App: https://FQDN:4443/remote/saml/login
FYI - I am using a custom port 4443
Hi John,
Thanks for your response. It seems like we need to deep dive into this. I would suggest reaching out to the support team via https://www.fortinet.com/support/contact and leveraging the webchat to create a new case or logging in to your FortiCloud account and raising a new ticket from there as well.
Thanks,