Hello,
I have a FortiGate 60E appliance on which I am trying to enable SAML sign-on for the SSL-VPN portal. I have followed the steps in Fortinet's guide, as well as verifying everything using Microsoft's guide. SAML SSO does technically work, but it authenticates everyone as the "azure" user. Here are my configs:
FortiGate Side:
FW (saml) # show full
config user saml
edit "azure"
set cert "{CERT}"
set entity-id "https://{FQDN}:8443/remote/saml/metadata";
set single-sign-on-url "https://{FQDN}:8443/remote/saml/login";
set single-logout-url "https://{FQDN}:8443/remote/saml/logout";
set idp-entity-id "https://sts.windows.net/{GUID}";
set idp-single-sign-on-url "https://login.microsoftonline.com/{GUID}/saml2";
set idp-single-logout-url "https://login.microsoftonline.com/{GUID}/saml2";
set idp-cert "REMOTE_Cert_1"
set user-name "username"
set group-name "group"
next
end
edit "AAD-{Group}"
set group-type firewall
set authtimeout 0
set auth-concurrent-override disable
set http-digest-realm ''
set member "azure"
config match
edit 1
set server-name "azure"
set group-name "{GUID}"
next
end
next
On the Azure side:
Basic SAML Settings
Identifier (Entity ID) - https://{FQDN}:8443/remote/saml/metadata
Reply URL (Assertion Consumer Service URL) - https://{FQDN}:8443/remote/saml/login
Sign on URL - https://{FQDN}:8443/remote/saml/login
Logout Url (Optional) - https://{FQDN}:8443/remote/saml/logout
Attributes and Claims
givenname user.givenname
surname user.surname
emailaddress user.mail
name user.userprincipalname
username user.userprincipalname
group user.groups
name user.userprincipalname
Unique User Identifier user.userprincipalname
Again, the whole SSO process works, but the user is just being signed in to the FortiGate as "azure". Through some debug commands (as well as a browser plugin that captures SAML conversations) I can see that the user's identification is being passed to the FortiGate by Azure. Any help here is appreciated.
Solved! Go to Solution.
Hi mredus,
Your config looks fine.
Maybe you're running into a known issue?
I quickly checked and there seem to be one matching your description:
716622 [b087] All SSLVPN users logged in via SAML have the same login username
It's fixed already in 6.2.10:1245, 6.4.7:1890, 7.0.1:0127
https://docs.fortinet.com/document/fortigate/6.2.10/fortios-release-notes/289806/resolved-issues
What's the firmware version you're running?
Upgrade to one of these 3 or newer, that should fix it.
Have you found a solution? Then give your helper a "Like" and mark the solution.
Hi mredus,
Your config looks fine.
Maybe you're running into a known issue?
I quickly checked and there seem to be one matching your description:
716622 [b087] All SSLVPN users logged in via SAML have the same login username
It's fixed already in 6.2.10:1245, 6.4.7:1890, 7.0.1:0127
https://docs.fortinet.com/document/fortigate/6.2.10/fortios-release-notes/289806/resolved-issues
What's the firmware version you're running?
Upgrade to one of these 3 or newer, that should fix it.
Have you found a solution? Then give your helper a "Like" and mark the solution.
Thank you for the reply, we are indeed running a slightly older firmware (6.2.3:1066). We had suspicions that a firmware update would fix this but just haven't had the opportunity to bring the firewall down to patch it yet. I'm glad to see that that is actually hopefully the case.
Thanks again!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.