SSL VPN page not loading when configured with SSO SAML

Hi everyone!


I am currently setting up SAML SSO with Azure AD to connect to the SSL VPN (I am using FortiOS 7.0.11). So I followed these steps:


I created an application on Azure AD, and I entered the FortiGate information in it (as specified by the FortiGate):

[image: config azure 1.png]


The redacted text is an FQDN pointing to my VPN (a realm with a virtual host is of course created).


Then I added the following claims to Azure:



From here I added the information provided by Azure to the FortiGate:

[image: configure fortigate.png]

I've shortened the URL so the end is visible.


Then I created a group containing my SSO connector:

[image: group sso.png]

And linked it to my VPN portal:

[image: portail vpn.png]


Finally, I added a user to the Azure AD application.


From here I get two different results:


From Azure AD

When I click the "Test connection" button I am automatically redirected to this page:

[image: error access.png]

And from the FortiGate, going to the FQDN or to the address https://<ip-address-of-vpn>/sso produces the same result: a blank page that loads for around 20 seconds.


So I enabled debug logging:

[image: error in console.png]


I can't spot the problem; does anyone have an idea to help me, please?


Thank you for your help and have a great day.




Hey Systeme,


the 'failed to create SP' error usually means something with the SP settings in FGT vs settings in Azure doesn't line up; the URLs are missing bits somewhere, probably.

In my experience, please check the following:


- if you use virtual hosts for the SSLVPN realm, the URL should be sso.<vpn>:<port>, not <vpn>:<port>/sso

-> this also means the SP metadata, login and logout URLs in FortiGate need to be adjusted to use sso.<vpn>/remote/saml/metadata, etc.


- FortiGate does auto-generate the URLs with '?acs' and '?sls', but I found that this sometimes causes issues; replacing them with 'remote/saml/login' and 'remote/saml/logout' can also help


Double-check the URLs in both Azure and FortiGate a second and third time; a single '/' out of place can break the whole thing.


If the issues still persist, you could consider opening a ticket with Technical Support to have a support engineer go over all details with you and dig deeper into the SAML debug.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
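A small consistency check for the URL mismatches the reply lists above. This is an added example, not code from the thread or from Fortinet: the hostnames, port and the sso.<vpn> virtual-host form are assumptions taken from the reply's description, and check_saml_urls/expected_sp_urls are hypothetical helper names.

```python
from urllib.parse import urlsplit

# Constructed values modelled on the thread: a virtual-host realm "sso" in front
# of the VPN FQDN. These are placeholders, not the poster's real configuration.
VPN_FQDN = "vpn.example.com"
PORT = 10443
REALM_VHOST = f"sso.{VPN_FQDN}"


def expected_sp_urls(vhost: str, port: int) -> dict:
    """SP URLs the reply says a virtual-host realm should use (host form, not a /sso path)."""
    base = f"https://{vhost}:{port}"
    return {
        "entity_id": f"{base}/remote/saml/metadata",
        "acs": f"{base}/remote/saml/login",
        "sls": f"{base}/remote/saml/logout",
    }


def _norm(url: str) -> str:
    """Drop a trailing slash so 'login/' and 'login' compare equal; nothing else changes."""
    return url.rstrip("/")


def check_saml_urls(fortigate: dict, azure: dict, vhost: str, port: int) -> list:
    """Compare the FortiGate SP settings with the Azure app settings and the realm.

    Returns a list of findings; an empty list means all three line up.
    """
    findings = []
    expected = expected_sp_urls(vhost, port)
    for key in ("entity_id", "acs", "sls"):
        fgt, az = _norm(fortigate[key]), _norm(azure[key])
        parts = urlsplit(fgt)
        # 1. Azure and FortiGate must carry the same URL (a single '/' breaks it).
        if fgt != az:
            findings.append(f"{key}: FortiGate '{fgt}' differs from Azure '{az}'")
        # 2. With a virtual host the realm is in the hostname, not a '/sso' path.
        if parts.path == "/sso" or parts.path.startswith("/sso/"):
            findings.append(f"{key}: '/sso' path form used, but realm '{vhost}' is a virtual host")
        # 3. The auto-generated '?acs' / '?sls' suffix is the form the reply says to replace.
        elif parts.query in ("acs", "sls"):
            findings.append(f"{key}: auto-generated '?{parts.query}' suffix; use /remote/saml/login or /logout")
        # 4. Otherwise the URL should be exactly the expected virtual-host form.
        elif fgt != expected[key]:
            findings.append(f"{key}: expected '{expected[key]}', got '{fgt}'")
    return findings
```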
Thank you for your answer.

I verified the information between Azure and my FortiGate and they were the same.

I tried to correct, as you suggested, the connection URL from '?acs' to /saml/login, but it does not work.


I am going to create a ticket, and I'll post the solution (or where my mistake is).
