Support Forum
JohnStep
New Contributor

Fortigate SSO Office 365 for SSL/VPN

Hi,

 

I have configured SSO to Entra 365 on a Fortigate 40F running 7.0.13. I created a trusted certificate and added it to the Fortigate. When I use the FQDN to connect to the SSL port and use SSO, it never works properly, always seeming to time out, especially after signing in on the 365 side when it relays back to the Fortigate. I did adjust the remote timer. However, when configuring in Forticlient, if I use the IP address I get a self-signed warning but am able to connect to the VPN after signing in using SSO.

Is there some kind of DNS thing I need to do on the Fortigate? I notice the web listening mode in SSL/VPN settings is showing the IP address and not the FQDN.

I am highly certain all the SAML stuff is good, as I have beaten this up for a few days.

So I'm thinking it's a DNS resolving issue. I have already placed an A record on my public DNS, and I can always sign in without fail using the FQDN to the web admin interface.

Atul_S
Staff & Editor

Hi John,

Could you please confirm whether the FQDN defined in the SAML metadata matches the FQDN used by the end user? Also, it is worth checking whether the trusted certificate installed on the FortiGate includes this FQDN in either the CN or SAN fields.

Atul Srivastava
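One way to script the two checks suggested in this reply (an added example, not Fortinet's code or anything posted in the thread): it retrieves the certificate presented on the SSL VPN port with full verification, tests whether the dialled FQDN is covered by a DNS SAN or, failing that, the CN, and checks that the SAML login URL names the same host and custom port the client actually dials. The hostnames, port and sample certificate dict are constructed placeholders.

```python
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns
# for a verified peer; hypothetical names, not from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.corp.example.com")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".corp.example.com"
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return False


def fqdn_covered(cert: dict, fqdn: str) -> bool:
    """True if fqdn matches a DNS SAN; the CN is consulted only when no DNS SANs exist."""
    dns_sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_sans:
        return any(_dns_match(p, fqdn) for p in dns_sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, fqdn):
                return True
    return False


def saml_url_consistent(acs_url: str, fqdn: str, port: int) -> bool:
    """The SAML login URL must use https and name the same host and port users dial."""
    u = urlparse(acs_url)
    return u.scheme == "https" and (u.hostname or "").lower() == fqdn.lower() and (u.port or 443) == port


def check_live(fqdn: str, port: int, acs_url: str, timeout: float = 5.0) -> dict:
    """Connect with full chain and hostname verification and report what matched."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
        return {"tls_ok": True, "fqdn_in_cert": fqdn_covered(cert, fqdn),
                "acs_consistent": saml_url_consistent(acs_url, fqdn, port)}
    except (ssl.SSLError, OSError) as exc:  # untrusted chain or SAN mismatch lands here
        return {"tls_ok": False, "error": str(exc),
                "acs_consistent": saml_url_consistent(acs_url, fqdn, port)}
```

A `tls_ok` of False with a verification error, or `fqdn_in_cert` False, points at the certificate rather than at DNS or SAML; `acs_consistent` False means the metadata URL and the address users dial have drifted apart.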
JohnStep

Thanks for getting back. The FQDN looks solid and matches in the SAML configs both in Fortigate and on Entra (365 Azure). The trusted certificate also looks correct. I noticed in Entra that you can't create groups inside the app without having a P1 or P2 license. I am only testing with myself as a single user and have assigned myself. But does this setup require group setups as well? Not sure if that is the issue? It just seems to time out after I successfully log in using 2 factor. It's like the Fortigate is not responding, as I assume at that point the traffic is connecting back to the Fortigate to complete the VPN SSL connection.

Atul_S

Hi John,

 

The group configuration is not necessary if you are testing with a single user.

 

As you have confirmed that the configs look intact and you have received the 2FA, consider adjusting the remote auth timer as below:

config system global
    set remoteauthtimeout xx
end

 

Thanks,

Atul Srivastava
JohnStep

The timeout is currently set for 60.

 

The response times out and shows the correct URL defined in both the Fortigate and Enterprise App. https://FQDN:4443/remote/saml/login

 

FYI - I am using a custom port 4443

Atul_S

Hi John,

 

Thanks for your response. It seems like we need to deep dive into this. I would suggest reaching out to the support team via https://www.fortinet.com/support/contact and leveraging the webchat to create a new case or logging in to your FortiCloud account and raising a new ticket from there as well.

 

Thanks,

Atul Srivastava