Support Forum
Magdalena
New Contributor III

SSL VPN with SAML, can't connect to Authenticator

I am trying to set up an SSL VPN in my FortiEMS Cloud to connect to the network using SAML and FortiAuthenticator.

The client is able to connect to the FortiGate remote gateway, but whenever I try to connect the FortiClient with the VPN I get an error message saying the authenticator took too long to answer.

I can't ping the FQDN of the authenticator on the client, and I don't know why.

I haven't configured SAML on the FortiEMS, but that shouldn't be needed when the FortiGate is acting as the IdP, right?

Does anyone know where the mistake might be and how to solve it?


funkylicious
SuperUser

I have not done many of these setups, but I assume it would resemble this guide, the only difference being that the Remote Access/SSL VPN profile is pushed from EMS:

https://docs.fortinet.com/document/forticlient/7.4.2/administration-guide/402514/saml-support-for-ss...

FortiAuthenticator should be accessible in order for the user to be shown the login page. FortiGate acts as an SP while FAC is the IdP.

"jack of all trades, master of none"
Magdalena

Thanks for the reply. I configured an SSL VPN with SAML activated on the EMS and pushed it to the client.

The connection works and the client gets connected to the FortiGate, but it seems like the FortiGate doesn't manage to connect to the FAC.
I just don't know if it's the EMS, the FortiGate or the FAC that has a wrong configuration.

Debbie_FTNT
Staff

Hey Magdalena,

You have to make sure that the FortiClient can reach FortiAuthenticator WITHOUT a VPN; you have to make it publicly available.

SAML works by FortiClient connecting to FortiGate, and FortiGate saying 'no, connect to FortiAuthenticator at this <URL/IP> and authenticate, then come back', essentially.

FortiGate does NOT proxy the authentication and connect to FortiAuthenticator itself in this instance!


So:

- FortiAuthenticator must be reachable from wherever the FortiClient is, presumably public internet

- It needs to be configured with a hostname or public IP that FortiClient can resolve/connect to for authentication

- once FortiClient can connect to FortiAuthenticator, it should present a login screen (assuming SAML has been set up properly), and after logging in, FortiAuthenticator should redirect the Client back to FortiGate to continue with VPN tunnel setup


I hope this helps!

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
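The redirect flow Debbie describes is the standard SAML 2.0 HTTP-Redirect binding: the SP (FortiGate) answers the client with a 302 whose Location points at the IdP (FortiAuthenticator) and carries a deflated, base64-encoded AuthnRequest; the client, not the FortiGate, must then resolve and reach that IdP host. The script below is an added illustration written for this thread, not Fortinet code and not taken from the original posts. It builds such a redirect from a constructed AuthnRequest, decodes it back to show which host the client has to reach (the Destination) and where the IdP will send the browser afterwards (the AssertionConsumerServiceURL), and runs the same DNS/TCP check against the IdP host that a user in Magdalena's position would want to run from the client machine. All hostnames, URLs and the request ID are hypothetical placeholders.

```python
"""SP-initiated SAML redirect: what the client must reach, and a reachability check.

Added example for the forum thread above; hostnames and URLs are constructed
placeholders, not real FortiGate/FortiAuthenticator values.
"""
import base64
import socket
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (hypothetical; nothing here comes from the thread).
SP_ENTITY_ID = "https://vpn.example.com/remote/saml/metadata"   # FortiGate as SP
ACS_URL = "https://vpn.example.com/remote/saml/login"           # where the IdP sends the client back
IDP_SSO_URL = "https://fac.example.com/saml-idp/abcd1234/login/"  # FortiAuthenticator as IdP


def build_authn_request(request_id, issuer, acs_url, destination):
    """Minimal SAML 2.0 AuthnRequest as the SP would generate it (constructed)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect_binding(authn_xml, sso_url, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.

    Returns the Location header value the SP sends in its 302.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    deflated = comp.compress(authn_xml.encode("utf-8")) + comp.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    return sso_url + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})


def decode_redirect_binding(location):
    """Reverse the binding: returns (split URL, AuthnRequest XML string)."""
    parts = urlsplit(location)
    saml_request = parse_qs(parts.query)["SAMLRequest"][0]
    xml_bytes = zlib.decompress(base64.b64decode(saml_request), -15)
    return parts, xml_bytes.decode("utf-8")


def endpoints_from_redirect(location):
    """Extract (idp_host, destination, acs_url) from a captured 302 Location.

    The IdP host is what the *client* must resolve and reach; the ACS URL is the
    SP endpoint the IdP redirects the client back to after login.
    Note: stdlib ElementTree is fine for this constructed input; for untrusted
    XML from the network, parse with defusedxml instead.
    """
    parts, authn_xml = decode_redirect_binding(location)
    root = ET.fromstring(authn_xml)
    return parts.hostname, root.get("Destination"), root.get("AssertionConsumerServiceURL")


def check_idp_reachable(hostname, port=443, timeout=3.0, resolver=socket.getaddrinfo):
    """The check to run from the VPN client: does the IdP hostname resolve, and does TCP/443 open?

    `resolver` is injectable so the DNS-failure path can be exercised offline.
    """
    try:
        infos = resolver(hostname, port, type=socket.SOCK_STREAM)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"resolves": False, "connects": False, "detail": f"DNS failure: {exc}"}
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError as exc:
        return {"resolves": True, "connects": False, "detail": f"TCP {sockaddr} failed: {exc}"}
    finally:
        sock.close()
    return {"resolves": True, "connects": True, "detail": f"TCP {sockaddr} open"}


if __name__ == "__main__":
    location = encode_redirect_binding(
        build_authn_request("_req1", SP_ENTITY_ID, ACS_URL, IDP_SSO_URL), IDP_SSO_URL, "vpn"
    )
    idp_host, destination, acs = endpoints_from_redirect(location)
    print("client must reach IdP host:", idp_host)
    print("AuthnRequest Destination:  ", destination)
    print("IdP returns client to ACS: ", acs)
    print(check_idp_reachable(idp_host))  # from the client, outside the tunnel
```

Run it on the client with the tunnel down; if `resolves` is False, the FAC FQDN is not published in DNS the client uses, and if `connects` is False, the IdP is not exposed on 443 from that network, which is exactly the "authenticator took too long to answer" symptom. To inspect a real redirect, paste the Location header the FortiGate returns into `endpoints_from_redirect`.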