Tweesiee
New Contributor III

Issues with SSL VPN through SAML

Hi all.

We have an issue after configuring SSL VPN through Azure SAML and we can no longer reach the FortiGate GUI via HTTP/HTTPS. We get prompted to use authentication via Azure when surfing to the WAN IP. This may be by default, but even when we authenticate we just get redirected to the SSL VPN web portal instead of the FortiGate GUI.
I have compared every setting I can think of and can't seem to find any solution to this.
We can surf to the FQDN but it's the same story. We get asked to authenticate and are then redirected to the SSL VPN web portal.

FortiGate 60F with FortiOS 6.4.14

Any help or suggestions are appreciated!

Kind regards

1 Solution
Tweesiee
New Contributor III

Hi all. 

We have solved the problem. After going through all the configuration once more we could see that SAML was configured twice, both as "config system saml" and "config user saml".

Quite a stupid mistake. But it seems to be a result of configuring SAML in both the CLI and the GUI.

Disabling "config system saml" solved the issue. 

Thanks for all your responses!


8 Replies
rbraha
Staff

Hi @Tweesiee ,

Try using a different port for the SSL VPN setting, for example listening on port 10443 instead of the default 443. Check the documentation below; it might help.

https://docs.fortinet.com/document/fortigate-public-cloud/7.4.0/azure-administration-guide/584456/co...

Tweesiee
New Contributor III

Hi!

Might have been good to mention that but yes, we are using port 10443 instead of the default port. 

Kind regards

hbac
Staff

Hi @Tweesiee,

Make sure you put https://x.x.x.x when trying to access the GUI. If it is not port 443, you need to put the port number as well. HTTP traffic might be redirected to the SSL VPN if the "Redirect HTTP to SSL-VPN" option is enabled under the SSL VPN settings.

Regards,

Tweesiee
New Contributor III

Hi. 

We have tried every way, http:// & https:// with both the WAN IP and the FQDN. We get the same results. It redirects to https://FQDN:10443
This is the SSL VPN web portal. 

hbac

@Tweesiee,

Can you run a packet capture, filter by your source public IP (replace x.x.x.x), and try to access the GUI again?

di sniffer packet any 'host x.x.x.x' 4 0 l

Regards, 

mle2802
Staff

Hi @Tweesiee,

It looks like you have used 443 for the SSL VPN setting. Can you please check under VPN > SSL VPN setting and check the "listen on port" section? Try to use another port for SSL VPN and use 443 for the GUI.

Best regards,
Minh

ndumaj
Staff

Hi @Tweesiee,
Via CLI you can verify the SSL VPN port:
config vpn ssl settings
set port <default is 443>   <---- It looks like the port here is 443; if it is 443, try changing it to 8443 or 10443

Best regards,

- Happy to help, hit like and accept the solution -