Hey all,
Fortigate 81f with 7.0.14
Attempting to get SSLVPN SSO working with Microsoft Entra ID. The process is failing before getting any type of login prompt.
Testing from the FortiClient I get "The response from https://vpn.domain.com was invalid."
Testing from the Test option within Entra ID I get - Access Denied (from https://vpn.domain.com page)
I've double checked all the URL's between the Entra ID application and the saml config. The SSO group on the Fortigate is in the firewall policy.
Sanitised config:
config user saml
edit "Entra ID VPN"
set entity-id "http://vpn.domain.com/remote/saml/metadata/"
set single-sign-on-url "https://vpn.domain.com/remote/saml/?acs"
set single-logout-url "https://vpn.domain.com/remote/saml/?sls"
set idp-entity-id "https://sts.windows.net/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx/"
set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx/saml2"
set idp-cert "REMOTE_Cert_1"
set user-name "username"
set group-name "group"
set digest-method sha256
next
SAML debug
samld_process_request [157]: Could not get resp_attrs: code=1, resp_attrs_len=0
gen_sp_server [325]: Failed to create SP
SSLVPN debug has this as the last entry before it fails.
2024-03-12 12:20:59 [405:root:1df9][fsv_found_saml_server_name_from_auth_lst:125] Found SAML server [Entra ID VPN] in group [FortigateVPNAccess]
Does anyone know where else to look to find the issue? With the Access Denied message, what was denied access by whom?
thanks
jc
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@jcrower.,
Please try the following URLs instead:
Entity ID: http://x.x.x.x/remote/saml/metadata/
single-sign-on-url: https://x.x.x.x/remote/saml/login
single-logout-url: https://x.x.x.x/remote/saml/logout
Regards,
Thanks for the reply @jimbey2, so the access denied is from the Fortigate?
When you say to re-create a new IPv4 Policy, do you mean the Firewall rule? I added the SSO group to the existing rule (we are using an ldap lookup at the moment to on-premises AD).
Hello @jcrower ,
Can you try reconfiguring your sp urls without a question mark?
config user saml
edit "Entra ID VPN"
set entity-id "http://vpn.domain.com/remote/saml/metadata/"
set single-sign-on-url "https://vpn.domain.com/remote/saml/acs"
set single-logout-url "https://vpn.domain.com/remote/saml/sls"
Hi @jcrower,
Please double check and verify URLs on both sides. FortiGate entiry ID starts with 'http' but on Azure, it shows 'https'.
Regards,
Thanks for the replies everyone.
I changed the URL's to match exactly:
I also created a new firewall policy (basically cloning the existing one, but with just the SSO group) and put it before our current working one. I'm not seeing any hits on it though when I attempt to log in.
I still get the same errors :(
There is something. Because of the M365 plan we are on, I cannot add groups to the User and groups area, only specific users. Will this change how it's configured, or if it will even work?
EDIT: that can't be the problem, the online instructions only state adding a user to that area. I have created a Security Group within Azure, have added that user to the Security Group and specified the Object ID of that group within the Frotigate SSO Group.
@jcrower.,
Please try the following URLs instead:
Entity ID: http://x.x.x.x/remote/saml/metadata/
single-sign-on-url: https://x.x.x.x/remote/saml/login
single-logout-url: https://x.x.x.x/remote/saml/logout
Regards,
Created on 04-11-2024 05:34 PM Edited on 04-11-2024 05:39 PM
Thanks @hbac, as simple as that! It's working... kind of.
It seems a bit buggy though. The Windows client seems to work fine (mostly).
I tested the Android client (Samsung A14 Android 14) and it first said it required Chrome which is annoying as I don't use Chrome. Anyway I 'enabled' Chrome, it takes me to the login screen, asks for the MFA sign in. I switch to the Authenticator, type in the number, switch back to the Forticlient and it just sits there with the Approve sign in request screen.
If I close and reopen Forticlient it goes back to the Forticlient login screen.
I have the same problem with the same FortiOS version and a very similar configuration.
I will try to find a solution, but if you found one please share it with me.
May I try to upgrade the FortiOS to 7.2.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.