Hi
My test environment is: FortiGate 61E with firmware 6.4.4.
I have successfully configured SSO for administrators using Fabric Setup and this part works perfectly. Now I would like to continue this successful story by adding SAML authentication to SSL VPN for other mortals.
My configuration:

config user saml
    edit "ssl-azure-saml"
        set cert "Fortinet_Factory"
        set entity-id "http://_____IP:PORT_____/metadata/"
        set single-sign-on-url "https://_____IP:PORT_____/saml/?acs"
        set single-logout-url "https://_____IP:PORT_____/saml/?sls"
        set idp-entity-id "https://sts.windows.net/___IdP_id______/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/___IdP_id______/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
    next
end
config user group
    edit "saml_grp"
        set member "ssl-azure-saml"
    next
end
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set idle-timeout 0
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 20443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "No_Access"
    config authentication-rule
        edit 1
            set groups "VPN_Client"
            set portal "full-access"
        next
        edit 2
            set groups "saml_grp"
            set portal "full-access"
        next
    end
end
config system global
    set remoteauthtimeout 60
end
But when I try to connect using SAML I get an error.
Please help :)
So the problem was with the endpoints:

config user saml
    edit "ssl-azure-saml"
        set cert "Fortinet_Factory"
        set entity-id "https://_____IP:VPN_PORT_____/remote/saml/metadata"
        set single-sign-on-url "https://_____IP:VPN_PORT_____/remote/saml/login"
        set single-logout-url "https://_____IP:VPN_PORT_____/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/___IdP_id______/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/___IdP_id______/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_2"    <----- the downloaded cert was different from the one expected; I got it from the SAML request
        set user-name "username"
    next
end
I had not added the SAML group to the correct policy (if you open the web access page and "Single Sign-On" is not shown, the problem is with the policy) - WTF
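The two fixes above (SP endpoint URLs on the SSL VPN port with the /remote/saml/metadata, /remote/saml/login and /remote/saml/logout paths, and the SAML user group actually referenced by a firewall policy) are easy to get wrong in a long config paste. The following linter is an added example and is not code from this thread or from Fortinet: it parses the FortiOS CLI text and reports where an SP definition deviates from those requirements. The expected paths are taken from the corrected config above; the port comparison assumes the SP URLs must carry the `set port` value of `config vpn ssl settings` (443 if the URL has no explicit port). The sample configs are constructed (RFC 5737 address, the thread's object names).

```python
"""Lint a FortiOS 'config user saml' block against its SSL VPN settings.

Added example, not from the thread or Fortinet. Checks: SP URLs are https,
on the SSL VPN port, with the /remote/saml/{metadata,login,logout} paths,
and the SAML user group is referenced by at least one firewall policy.
"""
import shlex
from urllib.parse import urlparse

# SP endpoint paths FortiOS serves for SSL VPN SAML, keyed by 'set' name
# (taken from the corrected config in the thread).
EXPECTED_PATHS = {
    "entity-id": "/remote/saml/metadata",
    "single-sign-on-url": "/remote/saml/login",
    "single-logout-url": "/remote/saml/logout",
}


def parse_fortios(text):
    """Flatten FortiOS CLI into {context: {key: [values]}}; context is a
    tuple of ("config", name) / ("edit", name) frames, so nested blocks
    keep their parent path."""
    tree, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            stack.append(("config", " ".join(tokens[1:])))
        elif cmd == "edit":
            stack.append(("edit", tokens[1]))
        elif cmd in ("next", "end"):
            stack.pop()
        elif cmd == "set":
            tree.setdefault(tuple(stack), {})[tokens[1]] = tokens[2:]
    return tree


def entries(tree, *prefix):
    """Yield (name, settings) for each 'edit' entry directly under prefix."""
    for path, settings in tree.items():
        if path[:-1] == prefix and path[-1][0] == "edit":
            yield path[-1][1], settings


def check_saml_sp(config_text):
    """Return a list of findings; an empty list means the SP config is clean."""
    tree = parse_fortios(config_text)
    vpn = tree.get((("config", "vpn ssl settings"),), {})
    vpn_port = int(vpn.get("port", ["443"])[0])  # assumption: URLs must use it
    groups = dict(entries(tree, ("config", "user group")))
    policies = dict(entries(tree, ("config", "firewall policy")))
    findings = []
    for sp, s in entries(tree, ("config", "user saml")):
        for key, want in EXPECTED_PATHS.items():
            if key not in s:
                findings.append(f"{sp}: {key} is not set")
                continue
            url = urlparse(s[key][0])
            if url.scheme != "https":
                findings.append(f"{sp}: {key} must be https, got {url.scheme}")
            if url.path.rstrip("/") != want:
                findings.append(f"{sp}: {key} path should be {want}, got {url.path}")
            if (url.port or 443) != vpn_port:
                findings.append(f"{sp}: {key} port {url.port} != SSL VPN port {vpn_port}")
        # The SP must be a member of a group some firewall policy references;
        # otherwise the portal shows no "Single Sign-On" option (see thread).
        sp_groups = {g for g, gs in groups.items() if sp in gs.get("member", [])}
        if not any(set(p.get("groups", [])) & sp_groups for p in policies.values()):
            findings.append(f"{sp}: group not used by any firewall policy")
    return findings


# Constructed sample in the shape of the thread's first attempt: http scheme,
# non-/remote/saml paths, and the SAML group absent from the firewall policy.
BROKEN = """
config user saml
    edit "ssl-azure-saml"
        set entity-id "http://192.0.2.10:20443/metadata/"
        set single-sign-on-url "https://192.0.2.10:20443/saml/?acs"
        set single-logout-url "https://192.0.2.10:20443/saml/?sls"
    next
end
config user group
    edit "saml_grp"
        set member "ssl-azure-saml"
    next
end
config vpn ssl settings
    set port 20443
end
config firewall policy
    edit 1
        set groups "VPN_Client"
    next
end
"""
# Same config with the thread's fix applied: /remote/saml/* endpoints on the
# SSL VPN port, and the SAML group added to the firewall policy.
FIXED = (BROKEN
         .replace("http://192.0.2.10:20443/metadata/",
                  "https://192.0.2.10:20443/remote/saml/metadata")
         .replace("/saml/?acs", "/remote/saml/login")
         .replace("/saml/?sls", "/remote/saml/logout")
         .replace('set groups "VPN_Client"', 'set groups "VPN_Client" "saml_grp"'))
```

Run `check_saml_sp(BROKEN)` to see five findings (http scheme, three wrong paths, missing policy reference) and `check_saml_sp(FIXED)` to get an empty list. Paste the output of `show user saml`, `show user group`, `show vpn ssl settings` and `show firewall policy` from a real unit into one string to lint it; the parser only tracks `config`/`edit`/`set` and ignores everything else.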
We hit the Invalid HTTP request issue when we set up the Azure SAML. We had SSL VPN configured and already in production use. We re-used the same user group, because we had many policies attached to the groups. We had to log a ticket with Fortinet to get this resolved. The fix was to go to the firewall policy and edit one of the policies. Remove the user group and add a dummy group, then hit Apply. Then go back to the same policy and reverse the change.
Fortinet support said this simple exercise somehow refreshed the SAML / SSLVPN process.
Removing the SAML group from my firewall policy, saving, then re-adding the group fixed the Invalid HTTP request for me as well. Thanks for posting your solution!
Created on 08-12-2022 11:16 PM Edited on 08-12-2022 11:17 PM
Saved my bacon! Was pulling my hair out forever. What a silly issue🤦🏻
Thank you for posting this up.
Hi @goenacc, I just came across this post and thought I would share if it had not been done from your TAC ticket, but this is a known issue investigated under BUG ID 705880 - Update user group with SAML user will update firewall policy, which is fixed in FortiOS 7.0.7 and 7.2.2 when released.
For clarity, the description of the BUG is below:
Updating an empty/existing group with a SAML user could not trigger an SSL VPN firewall policy refresh, which causes the detection of the SAML user to be unsuccessful in later usage.
I understand your issue has been resolved, but this may help others searching the community.
@CarlosColombini, thanks for posting the BUG ID and the fixed release version. I would not have known about it if I didn't specifically look for it in the release notes (when released).
When you integrate FortiGate SSL VPN with Azure AD, you can:
Use Azure AD to control who can access FortiGate SSL VPN.
Enable your users to be automatically signed in to FortiGate SSL VPN with their Azure AD accounts.
Manage your accounts in one central location: the Azure portal.
To get started, you need the following items:
An Azure AD subscription. If you don't have a subscription, you can get a free account.
A FortiGate SSL VPN with single sign-on (SSO) enabled.
Greetings,
Rachel Gomez
Copyright 2024 Fortinet, Inc. All Rights Reserved.