Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leo-ehk
New Contributor

Created on ‎11-16-2023 04:42 AM Edited on ‎02-26-2024 05:39 AM By Community Manager

SAML Configuration for Fortigate SSL VPN SSO - Invalid HTTP request.

Hello community,

 

we would like to configure our fortigate 100F SSLVPN Access with SAML and MS Entra.

Unfortunately, we get the following prompt 

 

SAML-FortiIssue.PNG

We use the following MS Node:

https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial

Is it important, that we use a entra Plan or is the free Version okay? We use M365 business St. 

Labels:
11228
0 Kudos
1 Solution
pminarik
Staff
Staff
In response to leo-ehk

Created on ‎11-16-2023 06:44 AM

SAML authentication can be configured to work without specific groups. In this situation, you'd better manually set who can use the "enterprise application" (SSL-VPN) in Azure AD/Entra's configuration.

 

The P1/P2 plan affects what additional options you have available, but a basic SAML setup can be run even with a free plan, as far as I am aware.

[ corrections always welcome ]

View solution in original post

11077
22 REPLIES 22
pminarik
Staff
Staff
In response to leo-ehk

Created on ‎11-16-2023 06:44 AM

SAML authentication can be configured to work without specific groups. In this situation, you'd better manually set who can use the "enterprise application" (SSL-VPN) in Azure AD/Entra's configuration.

 

The P1/P2 plan affects what additional options you have available, but a basic SAML setup can be run even with a free plan, as far as I am aware.

[ corrections always welcome ]
11078
leo-ehk
New Contributor
In response to pminarik

Created on ‎11-16-2023 09:39 AM

Okay, many thanks, that is for me a important notice!

Unfortunately, if i log in with SAML i get the next issue:

Do you have an idea for that, too.

nextissue.PNG

5054
0 Kudos
pminarik
Staff
Staff
In response to leo-ehk

Created on ‎11-17-2023 02:28 AM

This will be more complex to troubleshoot. We'd need to see the following debugs:
diag debug reset

diag debug console timestamp enable

diag debug app sslvpn -1

diag debug app saml -1
diag debug enable

#=> reproduce issue now

diag debug disable

diag debug reset

 

And we would also need to review the current configuration (ssl-vpn configuration, groups, SAML server, firewall policies).

 

Since all of this will likely contain some sensitive information, it may be better to continue this in a support ticket with the TAC.

[ corrections always welcome ]
5043
0 Kudos
leo-ehk
New Contributor
In response to pminarik

Created on ‎11-20-2023 06:05 AM

Thank you for all. 

5019
0 Kudos
sbaltic
New Contributor
In response to pminarik

Created on ‎12-02-2023 11:17 PM

With version v7.4.1 build2463 is not working at all ... usually the problem is invalid HTTP request. Already tired via cli and manually created app in Entra or with wizard and FortiGate SSL VPN app in entra ... 

SB
SB
4901
0 Kudos
sbaltic
New Contributor

Created on ‎12-02-2023 11:33 PM

Hello. 

this is my config on FG and Entra ID and is not working ... invalid HTTP request

Screenshot 2023-12-03 at 8.31.05 AM.png

 

Screenshot 2023-12-03 at 8.25.37 AM.png

SB
SB
4898
0 Kudos
pminarik
Staff
Staff
In response to sbaltic

Created on ‎12-05-2023 01:23 AM

I would start by removing the ":443" part from all URLs on all sides. That's the default port for HTTPS, so explicitly including it like that is weird. Could be a cause of some issues.

 

You should also most likely remove the "set cert" part in the FGT config. That is used for signing requests sent by the FortiGate, and by default AzureAD/Entra doesn't ask for this. (nor do I see any indication in your screenshots that you've manually enabled requiring SP requests to be signed)

[ corrections always welcome ]
4850
0 Kudos
sbaltic
New Contributor
In response to pminarik

Created on ‎12-05-2023 01:32 AM

I removed set cert and removed 443, but still got error "Invalid HTTP request"

SB
SB
4848
0 Kudos
pminarik
Staff
Staff
In response to sbaltic

Created on ‎12-05-2023 01:38 AM

Was the URL modified both in FGT config and in Entra's config? If yes:

Are we talking about the same error as seen here? https://community.fortinet.com/t5/Support-Forum/SAML-Configuration-for-Fortigate-SSL-VPN-SSO-Invalid...

 

My last tip would be to check how long the whole flow takes. If it's a significant amount of time, not a couple of seconds, you may consider increasing some timers:

config vpn ssl settings

set login-timeout 60 # or 90

end


Further steps would require checking SSL-VPN debugs and browser network debugger, which is better suited for a ticket with the TAC, given the sensitive information those will contain.

[ corrections always welcome ]
4843
0 Kudos
sbaltic
New Contributor
In response to pminarik

Created on ‎12-05-2023 01:41 AM

on both sites yes and login timeout is set to 180, I could try with 60 np

 

SB
SB
4841
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.