Hi,
I'm testing this configuration before deploying it for a company that needs his users to authenticate against Azure AD for accessing the internet.
https://docs.fortinet.com/document/fortigate/7.0.11/administration-guide/33053
However it doesn't seem to work, infact after authenticating on the Microsoft login page I get redirected to the Fortigate Administration GUI webpage.
I must say that at step 3 f the "To configure the SAML SSO settings on the application and FortiGate" part, the firewall proposes me the administration GUI port instead of the default captive portal port (1003).
Also, does not respond at all on port 1003.
What am I doing wrong here?
Help appreciated.
Thanks in advance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Can you clarify what you mean about the docs proposing to use the admin GUI port? I see port 1003 in the docs as you referenced:
What I mean is that the guide shows the links pointing at the firewall IP address and the default captive portal port (1003), when I do that step on my firewall I’m shown the IP address and the administration GUI port
OK yes that's weird. Try changing it to 1003? It should be 1003 by default...
I did but I get no response on port 1003, as if no service is listening on that port
Created on 10-26-2023 04:23 PM Edited on 10-26-2023 04:23 PM
I remember having issues with the same, things have changed, all should be https now, so a domain with valid certificate is required for communication with Azure AD (Entra). :)
Hi,
I had not seen this feature. I will test it next week.
Best regards
Hi,
you can check if you have the port 1003 in those parameters.
In my lab, I have the portal that opens and authenticates my user.
I just have an authentication problem on the fortinet side. I did not have time to diagnose this point.
config system global
set auth-https-port 1003
end
config user saml
edit "NAME_SAML"
set entity-id "https://172.16.3.15:1003/saml/metadata"
set single-sign-on-url "https://172.16.3.15:1003/saml/login"
set single-logout-url "https://172.16.3.15:1003/saml/logout"
Created on 10-26-2023 04:19 PM Edited on 10-26-2023 04:20 PM
There are so many thinks dat need to be correct.. i have been working all night on this, many challenges, and just got it working..! One of my issue i used the port from ssl-vpn, that also does saml authentication just not as it should with the captive portal. that did not seem to be active by default, got it working with the "set auth-https-port 1003".
i think you should get started with using a domain with certificate. I used the dynamic dns with Lets encrypt. And many things will follow to get the internal dns right.. :)
config firewall auth-portal
set portal-addr "captiveportal.domain.com"
end
config user setting
set auth-cert (lookup your domain cert)
end
Was also testing before deploying it for a customer ;)
Greets,
Dennis
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.