Support Forum
mredus
New Contributor

SSL-VPN SAML SSO with Azure AD

Hello,

I have a FortiGate 60E appliance on which I am trying to enable SAML sign-on for the SSL-VPN portal. I have followed the steps in Fortinet's guide, as well as verifying everything using Microsoft's guide. SAML SSO does technically work, but it authenticates everyone as the "azure" user. Here are my configs:

FortiGate Side:

FW (saml) # show full
config user saml
    edit "azure"
        set cert "{CERT}"
        set entity-id "https://{FQDN}:8443/remote/saml/metadata"
        set single-sign-on-url "https://{FQDN}:8443/remote/saml/login"
        set single-logout-url "https://{FQDN}:8443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/{GUID}"
        set idp-single-sign-on-url "https://login.microsoftonline.com/{GUID}/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/{GUID}/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end

config user group
    edit "AAD-{Group}"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "{GUID}"
            next
        end
    next
end

On the Azure side:

Basic SAML Settings

Identifier (Entity ID) - https://{FQDN}:8443/remote/saml/metadata
Reply URL (Assertion Consumer Service URL) - https://{FQDN}:8443/remote/saml/login
Sign on URL - https://{FQDN}:8443/remote/saml/login
Logout Url (Optional) - https://{FQDN}:8443/remote/saml/logout

Attributes and Claims

givenname user.givenname
surname user.surname
emailaddress user.mail
name user.userprincipalname
username user.userprincipalname
group user.groups
name user.userprincipalname 
Unique User Identifier user.userprincipalname

Again, the whole SSO process works, but the user is just being signed in to the FortiGate as "azure". Through some debug commands (as well as a browser plugin that captures SAML conversations) I can see that the user's identification is being passed to the FortiGate by Azure. Any help here is appreciated.


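As an added diagnostic that is not part of this thread, the script below parses a decoded SAML Response (the kind a SAML-capturing browser plugin shows) and checks that the assertion's attribute names are exactly the ones the FortiGate `user-name` / `group-name` settings above will look for, and that the group match value is present. The sample assertion, the user values and the `{GUID}` / `{OTHER-GUID}` placeholders are constructed; the namespace near-miss check is an assumption about a common claim-name mismatch, not something the thread states.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as set in the poster's "config user saml" entry:
#   set user-name "username" / set group-name "group"
FORTIGATE_SAML = {"user-name": "username", "group-name": "group"}
# Group object ID the "AAD-{Group}" user group matches on (placeholder, as in the post).
EXPECTED_GROUP = "{GUID}"

# Constructed sample (decoded, unsigned) standing in for a captured Response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>{GUID}</saml:AttributeValue>
        <saml:AttributeValue>{OTHER-GUID}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_attributes(xml_text):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def check_mapping(attrs, config=FORTIGATE_SAML, expected_group=EXPECTED_GROUP):
    """Return (ok, findings) for whether the assertion carries what the config looks for."""
    findings = []
    for setting, wanted in config.items():
        if wanted in attrs:
            continue
        # Near miss: the IdP sent the claim under a namespace prefix (".../username")
        # while the FortiGate setting names the bare claim, so it will not match.
        near = [n for n in attrs if n.endswith("/" + wanted)]
        findings.append(f"{setting} expects attribute '{wanted}': missing"
                        + (f", found namespaced '{near[0]}'" if near else ""))
    group_values = attrs.get(config["group-name"], [])
    if expected_group not in group_values:
        findings.append(f"group match value '{expected_group}' not in {group_values}")
    return (not findings), findings
```

If the check passes yet every user still lands as "azure", the attribute mapping is not the problem and the firmware-side cause discussed in the replies is the next thing to rule out.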
kiri
Staff

Hi mredus,

Your config looks fine.
Maybe you're running into a known issue?
I quickly checked and there seems to be one matching your description:

716622 [b087] All SSLVPN users logged in via SAML have the same login username

It's fixed already in 6.2.10:1245, 6.4.7:1890, 7.0.1:0127
https://docs.fortinet.com/document/fortigate/6.2.10/fortios-release-notes/289806/resolved-issues

What's the firmware version you're running?
Upgrade to one of these 3 or newer, that should fix it.

Have you found a solution? Then give your helper a "Like" and mark the solution.

mredus
New Contributor

Thank you for the reply, we are indeed running a slightly older firmware (6.2.3:1066). We had suspicions that a firmware update would fix this but just haven't had the opportunity to bring the firewall down to patch it yet. I'm glad to see that that is actually hopefully the case.


Thanks again!
