Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dclabs
New Contributor

Outbound firewall authentication with Azure AD as a SAML IdP not working

Hi,

 

I'm testing this configuration before deploying it for a company that needs his users to authenticate against Azure AD for accessing the internet.

https://docs.fortinet.com/document/fortigate/7.0.11/administration-guide/33053

 

However it doesn't seem to work, infact after authenticating on the Microsoft login page I get redirected to the Fortigate Administration GUI webpage.

I must say that at step 3 f the "To configure the SAML SSO settings on the application and FortiGate" part, the firewall proposes me the administration GUI port instead of the default captive portal port (1003).

Also, does not respond at all on port 1003.

 

What am I doing wrong here?

 

Help appreciated.

 

Thanks in advance.

8 REPLIES 8
gfleming
Staff
Staff

Can you clarify what you mean about the docs proposing to use the admin GUI port? I see port 1003 in the docs as you referenced:

 

Screenshot 2023-03-31 at 09.46.00.png

Cheers,
Graham
dclabs

What I mean is that the guide shows the links pointing at the firewall IP address and the default captive portal port (1003), when I do that step on my firewall I’m shown the IP address and the administration GUI port 

gfleming

OK yes that's weird. Try changing it to 1003? It should be 1003 by default...

Cheers,
Graham
dclabs

I did but I get no response on port 1003, as if no service is listening on that port

ddg
New Contributor

I remember having issues with the same, things have changed, all should be https now, so a domain with valid certificate is required for communication with Azure AD (Entra). :)

Julien87
Contributor II

Hi,

I had not seen this feature. I will test it next week.

Best regards

 

 

Julien
Julien
Julien87

Hi,

 

you can check if you have the port 1003 in those parameters.

In my lab, I have the portal that opens and authenticates my user.

 

I just have an authentication problem on the fortinet side. I did not have time to diagnose this point.

 

 

 

config system global
    set auth-https-port 1003
end

 

config user saml

    edit "NAME_SAML"

        set entity-id "https://172.16.3.15:1003/saml/metadata"

        set single-sign-on-url "https://172.16.3.15:1003/saml/login"

        set single-logout-url "https://172.16.3.15:1003/saml/logout"

Julien
Julien
ddg
New Contributor

There are so many thinks dat need to be correct.. i have been working all night on this, many challenges, and just got it working..! One of my issue i used the port from ssl-vpn, that also does saml authentication just not as it should with the captive portal. that did not seem to be active by default, got it working with the "set auth-https-port 1003".


i think you should get started with using a domain with certificate. I used the dynamic dns with Lets encrypt. And many things will follow to get the internal dns right.. :)

 

config firewall auth-portal
    set portal-addr "captiveportal.domain.com"
end

 

config user setting
    set auth-cert (lookup your domain cert)
end

 

Was also testing before deploying it for a customer ;)

 

Greets,

Dennis

Top Kudoed Authors