MaDe
New Contributor

SSL WebPortal Mode | Login Failure

Good day,

I am new to FortiGate and having some trouble setting up the SSL portal.

First I used FW 6.2.7, setting up the SSL portal with http://docs.fortinet.com/document/fortigate/6.2.0/azure-cookbook/584456/configuring-saml-sso-login-f...

This works perfectly, but I had some trouble opening external URLs from the SSL portal.

I opened a ticket and support confirmed there is a bug in FW 6.2.7 and that I can go to FW 6.4.5. OK, so I updated to FW 6.4.5, but now the SSL portal is not working anymore. I get an ERR_EMPTY_RESPONSE from my browser. I tried to debug the login with "diagnose debug application sslvpn -1" and saw this error:

[262:root:6]rmt_web_auth_info_parser_common:460 no session id in auth info
[262:root:6]rmt_web_get_access_cache:797 invalid cache, ret=4103

But I don't know what it means or how I should proceed. Has anyone had an error like this before and can give me some advice?

Many thanks,

MaDe 

Jond
New Contributor III

I am also getting this problem, also on 6.4.5.
If you go to the login page and click SSO does it go straight in afterwards?


MaDe
New Contributor

Hi, yes, I got it working on 6.4.5 but switched back to 6.2.8. I used this guide: "Implementation Guide: FortiGate SSL VPN with Microsoft Azure SAML 2FA".

My problem was wrong URL syntax.

Brgds,
MaDe

Jond
New Contributor III

Hiya,

Just wondered which of the fields was the issue for you?

Cheers

Jon

MaDe
New Contributor

Hi, these are my notes:

config user saml
    edit "azure_sso"
        set cert "wild.your_domain.com"
        set entity-id "https://your_domain.com/remote/saml/metadata"
        set single-sign-on-url "https://your_domain.com/remote/saml/login/"
        set single-logout-url "https://your_domain.com/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
        set idp-cert "azure-sso"
        set user-name "username"
        set group-name "group"
    next
end

config user group
    edit "azure_sso_portal"
        set member "azure_sso"
        config match
            edit 1
                set server-name "azure_sso"
                set group-name "your_group_object_id"
            next
        end
    next
end

Hope it helps. Or do you mean opening external URLs from the SSL portal?

Jond
New Contributor III

Thank you MaDe - exactly the same with me. Hmmmm!

MaDe
New Contributor

I downgraded from 6.4.5 to 6.2.8 because there was a bug:

662042 The https://outlook.office365.com and https://login.microsoft.com websites cannot be accessed in the SSL VPN web portal.


Jond
New Contributor III

Just for information... I found that it was a timeout causing the ERR_EMPTY_RESPONSE error.


In the Fortinet TID (not the videos) it says:


config system global
    set remoteauthtimeout 60
end

(default on my FG was 5)


Which neatly ties up with "[325:root:1da3]fsv_rmt_saml_login_cb:116 wrong vdom (0:0) or time expired." in the diag output.


Problem solved.


Fortinet TID: https://docs.fortinet.com...-ad-acting-as-saml-idp
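The sslvpn debug entries quoted in this thread can be parsed and triaged automatically. This is an added example, not code from the forum or from Fortinet: it splits pasted output into entries even where two were run onto one line and the first "[" was lost, and maps the messages discussed above to the fixes the replies found. The field names pid/vdom/ctx and the message-to-hint mapping are my assumptions.

```python
import re
from typing import Dict, List, Optional
# One "diagnose debug application sslvpn -1" entry: [pid:vdom:ctx]function:line message.
# Field names are my assumption; the '[' is optional because the paste above lost it.
LINE_RE = re.compile(
    r"\[?(?P<pid>\d+):(?P<vdom>\w+):(?P<ctx>[0-9a-f]+)\]"
    r"(?P<func>\w+):(?P<lineno>\d+)\s+(?P<msg>.*)"
)
# Split before each '[pid:vdom:ctx]' marker, or before a bracket-less one at line start.
SPLIT_RE = re.compile(r"(?=(?:^|\[)\d+:\w+:[0-9a-f]+\])", re.M)
# Message -> hint, built from this thread's replies (my correlation, not a Fortinet
# reference): "time expired" was Jond's remoteauthtimeout problem; the session-id /
# ret=4103 pair is what MaDe saw before correcting his SAML URL syntax.
HINTS = [
    (re.compile(r"time expired"),
     "IdP reply arrived after remoteauthtimeout (default 5 on Jond's FG); "
     "raise it under 'config system global'"),
    (re.compile(r"no session id in auth info|invalid cache, ret=4103"),
     "SAML response not matched to a login session; re-check the URL syntax "
     "in 'config user saml' (MaDe's fix)"),
]

def parse_line(entry: str) -> Optional[Dict[str, str]]:
    """Split one debug entry into its fields; None if it is not a debug line."""
    m = LINE_RE.match(entry.strip())
    return m.groupdict() if m else None

def split_entries(text: str) -> List[str]:
    """Break pasted output into entries, even where two were run onto one line."""
    return [e.strip() for e in SPLIT_RE.split(text) if e.strip()]

def triage(text: str) -> List[Dict[str, str]]:
    """Parse every entry and attach the thread's hint where the message is known."""
    records = []
    for entry in split_entries(text):
        rec = parse_line(entry)
        if rec is None:
            continue  # chatter that is not in the [pid:vdom:ctx] shape
        rec["hint"] = next((h for pat, h in HINTS if pat.search(rec["msg"])), "")
        records.append(rec)
    return records

# Constructed sample: the three messages quoted in this thread (the first exactly as
# pasted, bracket missing) plus one made-up entry that should receive no hint.
SAMPLE = (
    "262:root:6]rmt_web_auth_info_parser_common:460 no session id in auth info "
    "[262:root:6]rmt_web_get_access_cache:797 invalid cache, ret=4103\n"
    "[325:root:1da3]fsv_rmt_saml_login_cb:116 wrong vdom (0:0) or time expired.\n"
    "[9:root:7f]example_func:1 nothing interesting\n"
)
```

Feed `triage()` the raw paste; every record carries func, lineno, msg and a hint (empty when the message is not one this thread explains).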


MaDe
New Contributor

Perfect. You are using Azure MFA?

Jond
New Contributor III

I am :)
