Good day,
I am new to FortiGate and having some trouble setting up the SSL portal.
First I used FW 6.2.7, setting up the SSL portal with http://docs.fortinet.com/document/fortigate/6.2.0/azure-cookbook/584456/configuring-saml-sso-login-f....
This works perfectly, but I had some trouble opening external URLs from the SSL portal.
I opened a ticket and support confirmed there is a bug in FW 6.2.7 and that I can go to FW 6.4.5. Ok, so I updated to FW 6.4.5. But now the SSL Portal is not working anymore. I get an <ERR_EMPTY_RESPONSE> from my browser. I tried to debug the login with <diagnose debug application sslvpn -1> and saw this error:
[262:root:6]rmt_web_auth_info_parser_common:460 no session id in auth info
[262:root:6]rmt_web_get_access_cache:797 invalid cache, ret=4103
But I don't know what it means or how I should proceed. Has anyone had an error like this before and can give me some advice?
Many thanks,
MaDe
I am also getting this problem, also on 6.4.5
If you go to the login page and click SSO does it go straight in afterwards?
Hi, yes I got it working on 6.4.5 but switched back to 6.2.8. I used this guide <<Implementation Guide: FortiGate SSL VPN with Microsoft Azure SAML 2FA>>.
My problem was a wrong URL syntax. Brgds, MaDe
Hiya,
Just wondered which of the fields was the issue for you?
Cheers
Jon
Hi, these are my notes:
config user saml
    edit "azure_sso"
        set cert "wild.your_domain.com"
        set entity-id "https://your_domain.com/remote/saml/metadata"
        set single-sign-on-url "https://your_domain.com/remote/saml/login/"
        set single-logout-url "https://your_domain.com/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
        set idp-cert "azure-sso"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "azure_sso_portal"
        set member "azure_sso"
        config match
            edit 1
                set server-name "azure_sso"
                set group-name "your_group_object_id"
            next
        end
    next
end
Hope it helps. Or do you mean opening external URLs from the SSL portal?
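Since the root cause in this thread turned out to be URL syntax in the SAML entry, here is a small consistency check over a "config user saml" block, written as an added example for this post (it is not Fortinet code and not part of MaDe's notes). It parses the "set" lines of a single entry, then checks that the three SP URLs are https, share the host of the entity-id, and use the exact /remote/saml/... paths from the Fortinet cookbook linked in the first post, and that all three Azure IdP URLs carry the same tenant ID. The sample config and the tenant GUID in it are constructed for the example.

```python
"""Consistency check for a FortiOS 'config user saml' entry (added example,
not Fortinet code). It flags the URL mismatches that typically produce a
silent SAML login failure on the SSL VPN portal. Assumes a single 'edit'
entry in the block; the config text below is constructed from this thread."""
import re
from urllib.parse import urlparse

SAMPLE_CONFIG = """\
config user saml
    edit "azure_sso"
        set cert "wild.your_domain.com"
        set entity-id "https://your_domain.com/remote/saml/metadata"
        set single-sign-on-url "https://your_domain.com/remote/saml/login/"
        set single-logout-url "https://your_domain.com/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"
        set idp-cert "azure-sso"
        set user-name "username"
        set group-name "group"
    next
end
"""

# SP endpoint paths a FortiGate exposes (from the Fortinet cookbook linked above);
# note the trailing slashes on login/logout and none on metadata.
SP_PATHS = {
    "entity-id": "/remote/saml/metadata",
    "single-sign-on-url": "/remote/saml/login/",
    "single-logout-url": "/remote/saml/logout/",
}
IDP_KEYS = ("idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url")
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*)"?\s*$')
TENANT_RE = re.compile(r"/([0-9a-f-]{36})/", re.I)  # Azure tenant GUID in the path


def parse_saml_entry(text):
    """Return {key: value} for every 'set' line of the entry (last value wins)."""
    settings = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_saml_entry(settings):
    """Return a list of findings; an empty list means the entry is consistent."""
    findings = []
    sp_host = urlparse(settings.get("entity-id", "")).hostname
    for key, path in SP_PATHS.items():
        url = urlparse(settings.get(key, ""))
        if url.scheme != "https":
            findings.append(f"{key}: not an https URL")
        if url.hostname != sp_host:
            findings.append(f"{key}: host {url.hostname!r} differs from entity-id host {sp_host!r}")
        if url.path != path:
            findings.append(f"{key}: path {url.path!r} should be {path!r}")
    tenants = set()
    for key in IDP_KEYS:
        m = TENANT_RE.search(settings.get(key, ""))
        if not m:
            findings.append(f"{key}: no Azure tenant ID found in URL")
        else:
            tenants.add(m.group(1).lower())
    if len(tenants) > 1:
        findings.append(f"IdP URLs reference different tenant IDs: {sorted(tenants)}")
    for key in ("cert", "idp-cert", "user-name", "group-name"):
        if not settings.get(key):
            findings.append(f"{key}: missing")
    return findings


if __name__ == "__main__":
    problems = check_saml_entry(parse_saml_entry(SAMPLE_CONFIG))
    print("\n".join(problems) if problems else "SAML entry looks consistent")
```

Paste the output of "show user saml" in place of SAMPLE_CONFIG to check a real entry; every finding names the key to correct so it can be compared line by line against the Identifier and Reply URL values configured on the Azure side.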
Thank you MaDe - exactly the same with me. Hmmmm!
I downgraded from 6.4.5 to 6.2.8 because there was a bug.
662042 The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.
Just for information... I found that it was a timeout causing the ERR_EMPTY_RESPONSE error.
In the Fortinet TID (not the videos) it says:
config system global
    set remoteauthtimeout 60
end
(default on my FG was 5)
Which neatly ties up with "[325:root:1da3]fsv_rmt_saml_login_cb:116 wrong vdom (0:0) or time expired." in the diag output. Problem solved.
Fortinet TID: https://docs.fortinet.com...-ad-acting-as-saml-idp
Perfect. You are using AZURE MFA?
I am :)