Support Forum
Systeme
New Contributor

SSL VPN page not loading when configured with SSO SAML

Hi everyone!

I am currently setting up SAML SSO with Azure AD to connect to the SSL VPN (I am using FortiOS 7.0.11). So I followed these steps:

I created an application on Azure AD and gave it the FortiGate information (as specified by the FortiGate):

[screenshot: config azure 1.png]

The redacted text is an FQDN pointing to my VPN (a realm with a virtual host is of course created).

Then I added the following claims to Azure:

[screenshot: claim.png]

From here I added the information provided by Azure to the FortiGate:

[screenshot: configure fortigate.png]

I've shortened the URL so the end is visible.

 

Then I created a group containing my SSO connector:

[screenshot: group sso.png]

And linked it to my VPN portal:

[screenshot: portail vpn.png]

 

Finally, I added a user to the Azure AD application.

From here I have two different results:

From Azure AD

When I click the "Test connection" button I am automatically redirected to this page:

[screenshot: error access.png]

And from the FortiGate, going to the FQDN or to the address https://<ip-address-of-vpn>/sso produces the same result: a blank page loading for around 20 seconds.

So I enabled debug log:

[screenshot: error in console.png]

I can't spot the problem; does anyone have an idea to help me, please?

Thank you for your help and have a great day.

2 REPLIES

Debbie_FTNT
Staff

Hey Systeme,

the 'failed to create SP' error usually means something with the SP settings in FGT vs. settings in Azure doesn't line up; the URLs are missing bits somewhere, probably.

In my experience, please check the following:

- if you use virtual hosts for the SSLVPN realm, the URL should be sso.<vpn>:<port>, not <vpn>:<port>/sso
  -> this also means the SP metadata, login and logout URLs in FortiGate need to be adjusted to use sso.<vpn>/remote/saml/metadata, etc.

- FortiGate does auto-generate the URLs with '?acs' and '?sls' automatically, but I found that this sometimes causes issues; replacing them with 'remote/saml/login' and 'remote/saml/logout' can also help

Double-check the URLs in both Azure and FortiGate a second and third time; a single '/' out of place can break the whole thing.

If the issues still persist, you could consider opening a ticket with Technical Support to have a support engineer go over all the details with you and dig deeper into the SAML debug.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
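The advice above comes down to a character-by-character comparison of the SP URLs on the Azure side and the FortiGate side. The script below is an added example, not code from this thread or from Fortinet: it builds the SP URLs FortiGate expects for a realm served on a virtual host (sso.<vpn>:<port>/remote/saml/..., using the plain login/logout paths instead of the auto-generated '?acs'/'?sls' variants) and reports, per endpoint, which URL component (host, port, path, query, trailing slash) differs between the two sides. The FQDN, port and URL values are constructed placeholders, and the "realm as path prefix" check is an assumption drawn from the reply's first bullet.

```python
"""Compare the SAML SP URLs configured in Azure AD with those configured on a
FortiGate and report exactly where they diverge.  Added example with constructed
sample values; it is not part of the forum post or of any Fortinet tooling."""
from urllib.parse import urlsplit

# The three SP endpoints that must agree on both sides.
SP_FIELDS = ("entity_id", "acs_url", "sls_url")


def expected_sp_urls(vpn_fqdn, port=443, realm=None):
    """Build the SP URLs FortiGate expects for a realm that uses a virtual host.

    With a virtual host the realm name becomes a host label (sso.<vpn>), not a
    path prefix (<vpn>/sso).  Uses the plain login/logout paths rather than the
    auto-generated '?acs' / '?sls' variants the reply recommends replacing.
    """
    host = f"{realm}.{vpn_fqdn}" if realm else vpn_fqdn
    base = f"https://{host}:{port}"
    return {
        "entity_id": f"{base}/remote/saml/metadata/",
        "acs_url": f"{base}/remote/saml/login",
        "sls_url": f"{base}/remote/saml/logout",
    }


def diff_url(a, b):
    """Return the list of URL components in which a and b differ.

    Deliberately strict: an IdP compares the entity ID as an opaque string and
    the ACS URL against its registered reply URL, so an explicit ':443' or a
    trailing '/' on one side only is a real mismatch, not noise.
    """
    ua, ub = urlsplit(a), urlsplit(b)
    problems = []
    if ua.scheme.lower() != ub.scheme.lower():
        problems.append("scheme")
    if (ua.hostname or "").lower() != (ub.hostname or "").lower():
        problems.append("host")
    if ua.port != ub.port:
        problems.append("port")
    if ua.path != ub.path:
        # Same path up to a '/' at the end is the classic single-slash error.
        if ua.path.rstrip("/") == ub.path.rstrip("/"):
            problems.append("trailing slash")
        else:
            problems.append("path")
    if ua.query != ub.query:
        problems.append("query")
    return problems


def realm_as_path(url, realm):
    """True if the realm appears as a path prefix (/<realm>/remote/...), which is
    the wrong form when the realm is served on a virtual host (assumption based
    on the reply's first bullet)."""
    return urlsplit(url).path.startswith(f"/{realm}/")


def check_sp_config(azure, fortigate, realm=None):
    """azure / fortigate: dicts keyed by SP_FIELDS.

    Returns {field: [findings]}; an empty dict means both sides agree and
    neither side uses the realm as a path prefix.
    """
    findings = {}
    for field in SP_FIELDS:
        issues = diff_url(azure[field], fortigate[field])
        for side, cfg in (("azure", azure), ("fortigate", fortigate)):
            if realm and realm_as_path(cfg[field], realm):
                issues.append(
                    f"{side}: realm used as path prefix, expected "
                    f"{realm}.<fqdn> virtual host"
                )
        if issues:
            findings[field] = issues
    return findings


# Constructed sample values (placeholders, not from the post).
AZURE = {
    "entity_id": "https://sso.vpn.example.com:10443/remote/saml/metadata/",
    "acs_url": "https://sso.vpn.example.com:10443/remote/saml/login",
    "sls_url": "https://sso.vpn.example.com:10443/remote/saml/logout",
}
FORTIGATE = {
    # missing trailing slash
    "entity_id": "https://sso.vpn.example.com:10443/remote/saml/metadata",
    # realm written as a path prefix instead of a virtual host
    "acs_url": "https://vpn.example.com:10443/sso/remote/saml/login",
    # auto-generated '?sls' query left in place
    "sls_url": "https://sso.vpn.example.com:10443/remote/saml/logout?sls",
}

if __name__ == "__main__":
    for field, issues in check_sp_config(AZURE, FORTIGATE, realm="sso").items():
        print(f"{field}: {'; '.join(issues)}")
```

Running it on the constructed values flags the entity ID for a trailing slash, the ACS URL for host and path (plus the realm-as-path warning), and the logout URL for the stray '?sls' query; feeding it the output of expected_sp_urls("vpn.example.com", 10443, "sso") as the FortiGate side returns an empty dict.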
Systeme
New Contributor

Hello,

Thank you for your answer.

I verified the information between Azure and my FortiGate and they were the same.

I tried to correct the connection URL as you suggested, from '?acs' to /saml/login, but it does not work.

I am going to create a ticket, and I'll post the solution (or where my mistake is).
