Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leo-ehk
New Contributor

SAML Configuration for Fortigate SSL VPN SSO - Invalid HTTP request.

Hello community,

 

we would like to configure our fortigate 100F SSLVPN Access with SAML and MS Entra.

Unfortunately, we get the following prompt 

 

SAML-FortiIssue.PNG

We use the following MS Node:

https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial

Is it important, that we use a entra Plan or is the free Version okay? We use M365 business St. 

1 Solution
pminarik

SAML authentication can be configured to work without specific groups. In this situation, you'd better manually set who can use the "enterprise application" (SSL-VPN) in Azure AD/Entra's configuration.

 

The P1/P2 plan affects what additional options you have available, but a basic SAML setup can be run even with a free plan, as far as I am aware.

[ corrections always welcome ]

View solution in original post

20 REPLIES 20
pminarik
Staff
Staff

The /remote/saml/login URL is not intended to be directly accessed by a user, as it expects to receive some atttributes, automatically generated by the SP/IdP.

 

You should simply try connecting to the bare URL , such as: https://myvpn.com:<port> . From there, you should either be automatically redirected to the IdP's login page (if using exclusively SAML for VPN authentication), or offered a chance to enter credentials or click a button to initiate the SAML process (=redirects to the IdP to authenticate). 

[ corrections always welcome ]
leo-ehk

Hello pminarik,

 

thanks for your fast answer. I get the same problem on the FortiClient.

SAML-FortiIssue2.PNG

 

pminarik

Can you share the configuration of the VPN profile on the FortiClient? (you can hide the IP or domain name, but leave everything else visible, including any /url/paths/used ).

On top of that, it would be useful to review the SAML config on the FortiGate, for which you can share the output of "show user saml". (again feel free to hide the domain names and IPs).

[ corrections always welcome ]
leo-ehk

16-11-2023 14-30-24.png

leo-ehk

Whats the right way to share or upload the config file?

pminarik

A screenshot of these config snippets is good enough.

I'd leave full backups for a potential support ticket, not the best idea to share them on a public forum.
For the FortiClient config, something like this should suffice:

 
 

fct.png

 

[ corrections always welcome ]
leo-ehk

16-11-2023 15-24-29.png

leo-ehk

Now it's working, but my question is, is it important to have the Azure P1 or P2 plan? Or does SAML Auth also work without a security group in Azure?

leo-ehk

Hello pminarik i think the problem came through a false config with the config user grou. The set member "azure" was not set. Is it important, that we use the security group in Azure or is that optional?16-11-2023 15-33-42.png

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors