Hello community,
we would like to configure our FortiGate 100F SSL-VPN access with SAML and MS Entra.
Unfortunately, we get the following prompt:
We use the following MS Node:
https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial
Is it important that we use an Entra plan, or is the free version okay? We use M365 Business St.
SAML authentication can be configured to work without specific groups. In this situation, you'd better manually set who can use the "enterprise application" (SSL-VPN) in Azure AD/Entra's configuration.
The P1/P2 plan affects what additional options you have available, but a basic SAML setup can be run even with a free plan, as far as I am aware.
Okay, many thanks, that is an important notice for me!
Unfortunately, if I log in with SAML I get the next issue:
Do you have an idea for that, too?
This will be more complex to troubleshoot. We'd need to see the following debugs:
diag debug reset
diag debug console timestamp enable
diag debug app sslvpn -1
diag debug app saml -1
diag debug enable
#=> reproduce issue now
diag debug disable
diag debug reset
And we would also need to review the current configuration (ssl-vpn configuration, groups, SAML server, firewall policies).
Since all of this will likely contain some sensitive information, it may be better to continue this in a support ticket with the TAC.
Thank you for all.
With version v7.4.1 build2463 it is not working at all ... usually the problem is "invalid HTTP request". Already tried via CLI and with a manually created app in Entra, or with the wizard and the FortiGate SSL VPN app in Entra ...
Hello.
This is my config on FG and Entra ID, and it is not working ... invalid HTTP request
I would start by removing the ":443" part from all URLs on all sides. That's the default port for HTTPS, so explicitly including it like that is weird. Could be a cause of some issues.
You should also most likely remove the "set cert" part in the FGT config. That is used for signing requests sent by the FortiGate, and by default AzureAD/Entra doesn't ask for this. (nor do I see any indication in your screenshots that you've manually enabled requiring SP requests to be signed)
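To make the two points above concrete, here is an added FortiOS CLI example (not the poster's configuration and not taken from the Microsoft tutorial) showing the SAML server definition with the explicit ":443" and the "set cert" line, followed by the corrected form. Hostname, tenant ID, certificate names and claim names are placeholders you replace with your own values; the `config user group` without a `config match` block reflects the earlier answer that no specific group is required when access is assigned on the Entra enterprise application.

```fortios
# BEFORE (pattern the thread flags): explicit :443 on every SP URL and a
# signing cert set on the SP side, which Entra does not ask for by default.
config user saml
    edit "entra-sslvpn"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.example.com:443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:443/remote/saml/logout"
        # ... IdP settings as below ...
    next
end

# AFTER: :443 dropped (it is the HTTPS default) and "set cert" removed.
# The same URLs, without the port, must also be entered in the Entra
# enterprise application (Identifier, Reply URL, Sign-on URL, Logout URL).
config user saml
    edit "entra-sslvpn"
        # SP side: vpn.example.com is a placeholder for the FortiGate FQDN
        set entity-id "https://vpn.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com/remote/saml/login"
        set single-logout-url "https://vpn.example.com/remote/saml/logout"
        # IdP side: values come from the Entra app's SAML signing section;
        # <tenant-id> is a placeholder for your directory (tenant) ID
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        # Entra's signing certificate, imported under Remote CA/Remote cert
        # (placeholder name; use the name shown after import)
        set idp-cert "REMOTE_Cert_1"
        # claim names must match the attributes configured in the Entra app
        set user-name "username"
        set group-name "group"
    next
end

# Local group used in the SSL-VPN portal mapping and firewall policy.
# No "config match" block: every user Entra lets into the app is accepted,
# so restrict who may sign in via the app's user/group assignment in Entra.
config user group
    edit "saml-vpn-users"
        set member "entra-sslvpn"
    next
end
```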
I removed set cert and removed 443, but still got error "Invalid HTTP request"
Was the URL modified both in FGT config and in Entra's config? If yes:
Are we talking about the same error as seen here? https://community.fortinet.com/t5/Support-Forum/SAML-Configuration-for-Fortigate-SSL-VPN-SSO-Invalid...
My last tip would be to check how long the whole flow takes. If it's a significant amount of time, not a couple of seconds, you may consider increasing some timers:
config vpn ssl settings
set login-timeout 60 # or 90
end
Further steps would require checking SSL-VPN debugs and browser network debugger, which is better suited for a ticket with the TAC, given the sensitive information those will contain.
On both sides, yes, and login-timeout is set to 180. I could try with 60, np.