Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Struggling to get FortiGate IPsec + SAML (Azure En...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Struggling to get FortiGate IPsec + SAML (Azure Entra ID) working — Phase 1 OK, SAML auth not comple
Hi everyone,
I’ve been fighting with this setup for the last two days and could really use some expert eyes.
I’m trying to deploy a FortiGate IPsec VPN using SAML (Azure Entra ID) for FortiClient connections — to replace our old SSL VPN.
The tunnel initiates fine, NAT-T is detected, and Phase 1 completes with a valid proposal.
But after that, I only see this in the debug logs — no actual user name, just a FortiClient UID block:
ike V=root:0:FCT_SAML:6005: received FCT data len = 290, data = 'VER=1 FCTVER=7.4.3.1790 UID=[REDACTED_CLIENT_UID] IP=[REDACTED_PRIVATE_IP] MAC=[REDACTED_MAC_ADDRESSES] HOST=[REDACTED_HOSTNAME] USER=[REDACTED_CLIENT_UID] OSVER=Microsoft Windows 11 Enterprise Edition, 64-bit (build 26100) REG_STATUS=0 '
SAML itself is configured and reachable:
set entity-id "https://remote.exampledomain.pt:4448/remote/saml/metadata/" set single-sign-on-url "https://remote.exampledomain.pt:4448/remote/saml/login" set single-logout-url "https://remote.exampledomain.pt:4448/remote/saml/logout" set idp-entity-id "https://sts.windows.net/[tenant-id]/" set idp-single-sign-on-url "https://login.microsoftonline.com/[tenant-id]/saml2" set idp-cert "[certname]" set adfs-claim enable set user-claim-type upn set group-claim-type group
Azure claims are:
- Unique User ID (NameID): user.userprincipalname
- group: user.groups
- username: user.userprincipalname
What works
Phase 1 negotiation
NAT-T detection
Certificate chain (Sectigo wildcard)
SAML redirect reachable via browser
What doesn’t
FortiClient never shows the SAML login page
Debug log never shows a UPN or group — only the UID in FortiClient telemetry
Authentication never completes (no EAP_SUCCESS or assigned IP)
What I’ve tried
- Rebuilt SAML object twice
- Matched claim names (upn, group) per docs
- Tested with and without ADFS claim mode
- Checked UDP 500/4500 flow — confirmed
- Verified wildcard cert chain
At this point I suspect the SAML → EAP handoff or FortiClient side isn’t getting the redirect properly.
Any ideas or working examples for IPsec + SAML (Azure Entra) setups would be greatly appreciated.
I’ve seen very little real-world documentation on this.
Thanks in advance —
Andy
here is the whole debug file:|
Debug messages will be on for 22 minutes.
FGT # ike V=root:0: comes [REDACTED_PUBLIC_IP_1]:55165->[REDACTED_PUBLIC_IP_FG]:500,ifindex=38,vrf=0,len=392....
ike V=root:0: IKEv2 exchange=SA_INIT id=78629a0f5f3f164f/0000000000000000 len=392
ike V=root:0:78629a0f5f3f164f/0000000000000000:6002: responder received SA_INIT msg
ike V=root:0:78629a0f5f3f164f/0000000000000000:6002: incoming proposal:
ike V=root:0:78629a0f5f3f164f/0000000000000000:6002: protocol = IKEv2
ike V=root:0:78629a0f5f3f164f/0000000000000000:6002: encapsulation = IKEv2/none
ike V=root:0:78629a0f5f3f164f/0000000000000000:6002: type=ENCR, val=AES_CBC (key_len = 128)
...
ike V=root:78629a0f5f3f164f/0000000000000000 Negotiate SA Error: peer SA proposal not match local policy
ike V=root:0:78629a0f5f3f164f/0000000000000000:6002: no proposal chosen, send error response
ike V=root:0:78629a0f5f3f164f/0000000000000000:6002: sent IKE msg (NO_PROPOSAL_CHOSEN): [REDACTED_PUBLIC_IP_FG]:500->[REDACTED_PUBLIC_IP_1]:55165
--- next attempt (valid FortiClient) ---
ike V=root:0: comes [REDACTED_PUBLIC_IP_2]:51830->[REDACTED_PUBLIC_IP_FG]:500,ifindex=38,vrf=0,len=369....
ike V=root:0: IKEv2 exchange=SA_INIT id=d2b28657b69dc6c5/0000000000000000 len=369
ike V=root:0:d2b28657b69dc6c5/0000000000000000:6005: responder received SA_INIT msg
ike V=root:0:d2b28657b69dc6c5/0000000000000000:6005: matched proposal id 1
ike V=root:0:d2b28657b69dc6c5/0000000000000000:6005: SA proposal chosen, matched gateway FCT_SAML
ike V=root:0:FCT_SAML:FCT_SAML: created connection: 0x2b55e13de1e0 38 [REDACTED_PUBLIC_IP_FG]->[REDACTED_PUBLIC_IP_2]:51830
ike V=root:0:FCT_SAML:6005: NAT detected: PEER
ike V=root:0:FCT_SAML:6005: IKE SA established
ike V=root:0:FCT_SAML:6005: responder preparing AUTH msg
--- SAML + FortiClient telemetry exchange ---
ike V=root:0:FCT_SAML:6005: received FCT data len = 290
data = 'VER=1
FCTVER=7.4.3.1790
UID=[REDACTED_CLIENT_UID]
IP=[REDACTED_PRIVATE_IP]
MAC=[REDACTED_MAC_ADDRESSES]
HOST=[REDACTED_HOSTNAME]
USER=[REDACTED_CLIENT_UID]
OSVER=Microsoft Windows 11 Enterprise Edition, 64-bit (build 26100)
REG_STATUS=0
'
ike V=root:0:FCT_SAML:6005: peer identifier IPV4_ADDR [REDACTED_PRIVATE_IP]
ike V=root:0:FCT_SAML:6005: responder preparing EAP identity request
ike V=root:0:FCT_SAML:6005: local cert subject='*.exampledomain.pt'
ike V=root:0:FCT_SAML:6005: issuer='Sectigo RSA Domain Validation Secure Server CA'
Labels:
- Labels:
-
FortiClient
-
FortiGate
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
can you share a sanitized config for phase1/2 for the ipsec and also for user saml with all the info ?
"jack of all trades, master of none"
"jack of all trades, master of none"
Labels
-
FortiGate
10,796 -
FortiClient
2,213 -
FortiManager
905 -
FortiAnalyzer
690 -
5.2
687 -
5.4
638 -
FortiSwitch
597 -
FortiClient EMS
582 -
FortiAP
568 -
IPsec
445 -
6.0
416 -
SSL-VPN
393 -
FortiMail
380 -
5.6
362 -
FortiNAC
297 -
FortiWeb
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
205 -
FortiAuthenticator
185 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
118 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
93 -
Customer Service
88 -
FortiProxy
79 -
ZTNA
79 -
SAML
78 -
Routing
77 -
Fortivoice
73 -
BGP
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
56 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
42 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Fortigate Cloud
26 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2712 | |
| 1416 | |
| 810 | |
| 733 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.