Hello community,
we would like to configure our fortigate 100F SSLVPN Access with SAML and MS Entra.
Unfortunately, we get the following prompt
We use the following MS Node:
https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial
Is it important, that we use a entra Plan or is the free Version okay? We use M365 business St.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
SAML authentication can be configured to work without specific groups. In this situation, you'd better manually set who can use the "enterprise application" (SSL-VPN) in Azure AD/Entra's configuration.
The P1/P2 plan affects what additional options you have available, but a basic SAML setup can be run even with a free plan, as far as I am aware.
The /remote/saml/login URL is not intended to be directly accessed by a user, as it expects to receive some atttributes, automatically generated by the SP/IdP.
You should simply try connecting to the bare URL , such as: https://myvpn.com:<port> . From there, you should either be automatically redirected to the IdP's login page (if using exclusively SAML for VPN authentication), or offered a chance to enter credentials or click a button to initiate the SAML process (=redirects to the IdP to authenticate).
Hello pminarik,
thanks for your fast answer. I get the same problem on the FortiClient.
Created on 11-16-2023 05:25 AM Edited on 11-16-2023 05:26 AM
Can you share the configuration of the VPN profile on the FortiClient? (you can hide the IP or domain name, but leave everything else visible, including any /url/paths/used ).
On top of that, it would be useful to review the SAML config on the FortiGate, for which you can share the output of "show user saml". (again feel free to hide the domain names and IPs).
Whats the right way to share or upload the config file?
Created on 11-16-2023 06:11 AM Edited on 11-16-2023 06:11 AM
A screenshot of these config snippets is good enough.
I'd leave full backups for a potential support ticket, not the best idea to share them on a public forum.
For the FortiClient config, something like this should suffice:
Now it's working, but my question is, is it important to have the Azure P1 or P2 plan? Or does SAML Auth also work without a security group in Azure?
Hello pminarik i think the problem came through a false config with the config user grou. The set member "azure" was not set. Is it important, that we use the security group in Azure or is that optional?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.