SSL VPN page not loading when configured with SSO SAML
Hi everyone!
I am currently setting up SAML SSO with Azure AD to connect to the SSL VPN (I am using FortiOS 7.0.11). So I followed these steps:
I created an application on Azure AD and entered the FortiGate information in it (as specified by the FortiGate):
The redacted text is an FQDN pointing to my VPN (a realm with a virtual host is, of course, created).
Then I added the following claims to Azure :
From here I added the information provided by Azure to the Fortigate :
I've shortened the URL so the end is visible.
Then I created a group containing my SSO connector :
And linked it to my VPN portal :
Finally, I added a user to the Azure AD application.
From here I have two different results:
From Azure AD
When I click the "Test connection" button, I am automatically redirected to this page:
And from the FortiGate, going to the FQDN or to the address https://<ip-address-of-vpn>/sso produces the same result: a blank page that loads for around 20 seconds.
So I enabled debug logging:
I can't spot the problem; does anyone have an idea to help me, please?
Thank you for your help and have a great day.
Hey Systeme,
the 'failed to create SP' error usually means something in the SP settings on the FGT doesn't line up with the settings in Azure; the URLs are probably missing bits somewhere.
In my experience, please check the following:
- if you use virtual hosts for SSLVPN realm the URL should be sso.<vpn>:<port>, not <vpn>:<port>/sso
-> this also means the SP metadata, login and logout URL in FortiGate needs to be adjusted to use sso.<vpn>/remote/saml/metadata, etc
- FortiGate does auto-generate the URLs with '?acs' and '?sls', but I found that this sometimes causes issues; replacing them with 'remote/saml/login' and 'remote/saml/logout' can also help
Double-check the URLs in both Azure and FortiGate a second and third time; a single '/' out of place can break the whole thing.
If the issues still persist, you could consider opening a ticket with Technical Support to have a support engineer go over all details with you and dig deeper into the SAML debug.
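To make the reply's checklist concrete, here is a small added example (my code, not the original poster's, the replier's or Fortinet's) that builds the three SP URLs in the virtual-host layout the reply recommends and then compares what is entered on the FortiGate side with what is entered in the Azure AD enterprise application, naming the component that differs (scheme, host, port, path including the trailing '/', or query string) and flagging the `<vpn>:<port>/sso` and `?acs`/`?sls` forms the reply warns about. The FortiGate keys follow the `config user saml` fields (`entity-id`, `single-sign-on-url`, `single-logout-url`) and the Azure labels follow the Basic SAML Configuration page as I know them; the hostname, port and sample URLs are constructed placeholders, not values from the thread.

```python
"""Check that FortiGate SSL VPN SAML SP URLs match the Azure AD enterprise app.
Added example for this thread; not FortiGate, Azure or forum-poster code."""
from urllib.parse import urlsplit

# FortiGate 'config user saml' field -> Azure AD "Basic SAML Configuration" field.
# SAML compares these as opaque strings, so they must match byte for byte.
PAIRS = [
    ("entity-id",          "Identifier (Entity ID)"),
    ("single-sign-on-url", "Reply URL (Assertion Consumer Service URL)"),
    ("single-logout-url",  "Logout URL"),
]

# SP endpoint paths behind the realm virtual host, as the reply recommends.
SP_PATHS = {
    "entity-id":          "/remote/saml/metadata/",
    "single-sign-on-url": "/remote/saml/login/",
    "single-logout-url":  "/remote/saml/logout/",
}


def expected_sp_urls(vpn_host, port, vhost_prefix="sso"):
    """Build the SP URLs in the sso.<vpn>:<port>/remote/saml/... layout.
    Paste the identical strings into both FortiGate and Azure."""
    base = f"https://{vhost_prefix}.{vpn_host}:{port}"
    return {key: base + path for key, path in SP_PATHS.items()}


def url_parts(url):
    """Split a URL into the components worth comparing one by one."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    return {
        "scheme": scheme,
        "host": (p.hostname or "").lower(),
        # An omitted port is the scheme default; 10443 vs 443 is a real mismatch.
        "port": p.port or (443 if scheme == "https" else 80),
        "path": p.path,   # kept verbatim: a trailing '/' is significant here
        "query": p.query,
    }


def diff_urls(fgt_url, azure_url):
    """Names of the components that differ between the two sides ([] if identical)."""
    a, b = url_parts(fgt_url), url_parts(azure_url)
    return [k for k in a if a[k] != b[k]]


def check_saml_urls(fgt, azure, vpn_host, vhost_prefix="sso"):
    """Return findings for the three URL pairs; an empty list means they line up."""
    findings = []
    vhost = f"{vhost_prefix}.{vpn_host}".lower()
    for fgt_key, az_key in PAIRS:
        f, z = fgt.get(fgt_key, ""), azure.get(az_key, "")
        if not f or not z:
            side = "FortiGate" if not f else "Azure"
            findings.append(f"{fgt_key}: missing on the {side} side")
            continue
        diffs = diff_urls(f, z)
        if diffs:
            findings.append(f"{fgt_key} vs {az_key}: differ in {', '.join(diffs)}")
        parts = url_parts(f)
        # Realm virtual host: the SP lives at sso.<vpn>:<port>/..., not <vpn>:<port>/sso/...
        if parts["path"].rstrip("/") == "/sso" or parts["path"].startswith("/sso/"):
            findings.append(f"{fgt_key}: uses the <vpn>:<port>/sso path form; "
                            f"use {vhost}:<port>{SP_PATHS[fgt_key]} instead")
        if parts["host"] != vhost:
            findings.append(f"{fgt_key}: host {parts['host']!r} is not the realm "
                            f"virtual host {vhost!r}")
        if parts["query"] in ("acs", "sls"):
            findings.append(f"{fgt_key}: '?{parts['query']}' form; "
                            f"try {SP_PATHS[fgt_key]} instead")
    return findings


# Constructed sample values (placeholders, not the thread's real hostname or port).
VPN_HOST, PORT = "vpn.example.com", 10443
GOOD_FGT = expected_sp_urls(VPN_HOST, PORT)
GOOD_AZURE = {az_key: GOOD_FGT[fgt_key] for fgt_key, az_key in PAIRS}

# A constructed misconfigured pair showing the mistakes the reply lists.
BAD_FGT = {
    "entity-id":          f"https://{VPN_HOST}:{PORT}/sso/remote/saml/metadata/",
    "single-sign-on-url": f"https://{VPN_HOST}:{PORT}/remote/saml/?acs",
    "single-logout-url":  f"https://{VPN_HOST}:{PORT}/remote/saml/?sls",
}
BAD_AZURE = {
    "Identifier (Entity ID)": f"https://{VPN_HOST}:{PORT}/sso/remote/saml/metadata",  # '/' dropped
    "Reply URL (Assertion Consumer Service URL)": BAD_FGT["single-sign-on-url"],
    "Logout URL": f"https://{VPN_HOST}/remote/saml/?sls",  # custom port dropped -> 443
}

if __name__ == "__main__":
    print("good pair:", check_saml_urls(GOOD_FGT, GOOD_AZURE, VPN_HOST) or "OK")
    for line in check_saml_urls(BAD_FGT, BAD_AZURE, VPN_HOST):
        print("bad pair:", line)
```

Run it with the values copied from `show user saml` and from the Azure application's Basic SAML Configuration page; the comparison is deliberately strict on the path (a trailing '/' on one side only is reported as a path difference), because that is exactly the one-character mismatch the reply describes.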
Hello,
Thank you for your answer.
I verified the information between Azure and my FortiGate and they were the same.
I tried to correct the connection URL from '?acs' to /saml/login as you suggested, but it does not work.
I am going to create a ticket, and I'll post the solution (or where my mistake is).
Hi,
Did you solve the problem? If yes, can you share the solution? I have the exact same problem.
Thanks
