SSL VPN and azure saml not permitted
I'm attempting to set up Azure AD authentication and I have followed the instructions at https://yura.stryi.com/en/2021-03-05/fortigate-ssl-vpn-azure-mfa/ to the letter, up until the point where it talks about "FortiClient EMS setup", as AFAIK we don't have that and I can't find any reference to it. Regardless, it seems to be talking to the Azure app, as when I log in as an Azure user I see in the logs
[fsv_found_saml_server_name_from_auth_lst:123] Found SAML server [azure-saml] in group [ALM-Staff]
but I then get
login_failed:391 user[username@domain.com],auth_type=1 failed [sslvpn_login_permission_denied]
Now ALM-Staff is a local user group that can already log in to the VPN (which would've been nice to know when I was setting up the groups). Following the guide, I set up azure-saml and SAML_AZ_ALL using something like
    config user saml
        edit "azure-saml"
            set cert "Fortinet_Factory"
            set entity-id "https://example-company.com:10443/remote/saml/metadata/"
            set single-sign-on-url "https://example-company.com:10443/remote/saml/login/"
            set single-logout-url "https://example-company.com:10443/remote/saml/logout/"
            set idp-entity-id "https://sts.windows.net/YYY-e027-4bb6-a213-XXX/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
            set idp-single-logout-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
            set idp-cert "REMOTE_Cert_1"
            set user-name "username"
            set group-name "group"
        next
    end
and
    config user group
        edit "SAML_AZ_ALL"
            set member "azure-saml"
            config match
                edit 1
                    set server-name "azure-saml"
                    set group-name "YYY-a79a-40f0-a2df-XXX"
                next
            end
        next
    end
What more do I need to do to tell the Fortinet appliance to use SAML? Is the existing login scheme overriding it? I just get a Fortinet login page saying "Error: Permission denied", and at no point does it bring up the Azure login.
Labels: Authentication, SAML
Have you selected SSO (=SAML) for the client-side VPN profile?!
Where do I find the client-side VPN profile? I can't see anything resembling that phrase in the Fortinet menu. It's running V7.012, if that's relevant.
You should review the SAML response when it is received by the FortiGate from the IdP, and check if it contains the group's UUID as expected.
- Enable samld debug output:
      di de app saml -1
      di de app sslvpn -1
      di de enable
- Reproduce the authentication attempt (with FortiClient or web mode).
- Search through the output for the dump of the SAML reply. It should be looong XML output starting with something like <samlp:Response ...
- You can paste it into some text editor of your choice and format it properly (add newlines and indentation), and then search for the user/group attributes and validate their contents.
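The "format it and check the attributes" step above can be scripted. The following is an added example, not part of the original thread or of FortiOS: it pretty-prints a captured SAML Response, lists the assertion attributes, and checks them against the attribute names and group UUID from the config posted in the question. The XML below is a constructed sample (no signature), with the same placeholder IDs as the question.

```python
import xml.dom.minidom
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of a SAML Response as samld would dump it (signature omitted).
# Attribute names match the OP's "set user-name"/"set group-name"; IDs are placeholders.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder" Version="2.0" '
    'Destination="https://example-company.com:10443/remote/saml/login/">'
    '<saml:Issuer>https://sts.windows.net/YYY-e027-4bb6-a213-XXX/</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>username@domain.com</saml:NameID></saml:Subject>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="username"><saml:AttributeValue>username@domain.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="group"><saml:AttributeValue>YYY-a79a-40f0-a2df-XXX</saml:AttributeValue>'
    '<saml:AttributeValue>OTHER-GROUP-ID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)


def pretty_print(xml_text: str) -> str:
    """Add the newlines and indentation the one-line debug dump lacks."""
    return xml.dom.minidom.parseString(xml_text).toprettyxml(indent="  ")


def extract_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Return {attribute Name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(xml_text)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_group_match(xml_text: str, user_attr: str, group_attr: str, expected_group: str) -> List[str]:
    """Mirror what the FortiGate needs: Success status, the configured user attribute present,
    and the configured group attribute carrying the UUID from 'config match'. Returns problems found."""
    root = ET.fromstring(xml_text)
    status = root.find("./samlp:Status/samlp:StatusCode", NS)
    attrs = extract_attributes(xml_text)
    problems = []
    if status is None or not status.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    if user_attr not in attrs:
        problems.append(f"no attribute named {user_attr!r}; present: {sorted(attrs)}")
    if expected_group not in attrs.get(group_attr, []):
        problems.append(f"{expected_group!r} not found in attribute {group_attr!r}: {attrs.get(group_attr, [])}")
    return problems
```

An empty list from `check_group_match` means the response carries what the posted `config user saml` / `config match` expect; any entry names the mismatch (wrong attribute name, missing group UUID, or non-Success status) to fix on the IdP or FortiGate side.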
Is there a way to modify those commands to only show output from my IP? The router is being hammered with bots trying to log in, and the debugging output is constantly scrolling off screen. I was able to slow it down by firewalling the VPN off to my machine, which was how I got to find out there was an existing VPN with users when the angry phone calls started coming in. But in that brief period of looking at the logs I didn't see any XML output or SAML replies. The only line that even mentioned SAML was
[fsv_found_saml_server_name_from_auth_lst:123] Found SAML server [azure-saml] in group [ALM-Staff]
There's also no record of any connections in the Azure logs.
sslvpn daemon logs can be filtered, but saml and fnbamd have no log filter:
SSL VPN disconnection issues when connect... - Fortinet Community
