benKettner
New Contributor

SOLVED: Fortigate replacing IDP Certificate on SAML SSO with Captive Portal

I am trying to get SSO for my WIFI with Azure AD. 

I created an Azure Enterprise Application and assigned Users. 

I set up SSO in Fortigate.

I created a usergroup in Fortigate.

I created Policies to use that group for Wifi access

I added that group to the SSID

I set the Captive Portal to Disclaimer (for debug reasons) and when I accept the disclaimer, I am forwarded to login.microsoft.com - but there I get a certificate error because for some reason, Fortigate seems to replace the IDP certificate (that I of course added to the appliance) with the Fortigate Factory Certificate. I am at a loss here as I do not understand where and why the certificate gets replaced... Can't find anything in the forums or anywhere online, I have been searching for 3 days now...

benKettner
New Contributor

Here's a screenshot of the problem I am facing. This is where I am redirected after accepting the disclaimer in the captive portal...

saml_error.png

hbac
Staff

Hi @benKettner,

Can you check which certificate you are using? Looks like you are using a self-signed certificate for the captive portal.


config user setting
    show full
end

Regards, 

benKettner
New Contributor

Thanks for getting back to me. This is the output of the user settings: 

saml_user_settings.png

hbac

Hi @benKettner,

Can you set the certificate as follows:

config user setting
    set auth-ca-cert "Fortinet_CA_SSL"
end

You can refer to this article at step 7: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Wireless-Authentication-using-SAML-Credent...

Regards, 

benKettner

Unfortunately that did not change anything except that the cert is now set in the user settings. 

benKettner
New Contributor

The problem was solved in a support call today. The solution was that the policy that contained the MS SSO URLs as Addresses and was Portal Exempt did not work - we changed it to "Services Azure" and then SSO started working. Weird, that was the last place I would have looked for the problem... 
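As an added illustration of the fix described in this last reply (example config, not the poster's own or Fortinet's), here is what the captive-portal exemption policy looks like in FortiOS CLI in its original form, keyed on an FQDN address object, and in the form the thread reports as working, keyed on the Internet Service Database. The interface names, policy ID, address object name, the ISDB entry name "Microsoft-Azure" and the FortiOS 6.4+ `internet-service-name` syntax are all assumptions; the FQDN itself is taken from the first post.

```fortios
# BEFORE: exemption policy keyed on address objects holding the IdP URLs.
# The thread reports that with this form SSO did not work.
config firewall address
    edit "MS-SSO-login"                 # assumed object name
        set type fqdn
        set fqdn "login.microsoft.com"  # URL as named in the first post
    next
end
config firewall policy
    edit 10                             # assumed policy ID
        set name "SAML-IdP-exempt"
        set srcintf "wifi-ssid"         # assumed SSID interface
        set dstintf "wan1"              # assumed WAN interface
        set srcaddr "all"
        set dstaddr "MS-SSO-login"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set captive-portal-exempt enable   # lets the unauthenticated client reach the IdP
    next
end

# AFTER: same policy, but the destination is the ISDB entry for Azure.
# With internet-service enabled, dstaddr and service are replaced by the
# ISDB definition, which carries the full set of Microsoft addresses and ports.
config firewall policy
    edit 10
        set name "SAML-IdP-exempt"
        set srcintf "wifi-ssid"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Microsoft-Azure"   # ISDB entry; name assumed
        set action accept
        set schedule "always"
        set captive-portal-exempt enable
    next
end
```

A quick check that the exemption is matching is to compare the policy's hit counter before and after a client accepts the disclaimer; if it stays at zero, the redirect to the IdP is still being caught by the captive portal.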
