miki360
New Contributor

VPN SSL authentication with Azure SAML 7.0.12 issue: users not redirected to login page

Hello Everyone,

We are facing a strange issue with our Azure SAML authentication for VPN users.

The issue is on web mode as well as FortiClient.

The issue is that users are not redirected to the Azure login page.

-> VPN works with local users
-> Single sign-on button appears on web mode (policy must be OK)
-> When we enable debug for samld there is only one output: __samld_sp_create_auth_req [447]: SAML SP algo: 0 -> lasso=1. Binding Method: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
-> When we test on Azure (Assertion consumer service URL) we get "invalid http request"
-> On web mode when we click on single sign-on we are not redirected to Azure and we get ERR_EMPTY_RESPONSE

We have checked multiple times if there was any syntax mismatch between IdP and SP but there are none; 3 Fortinet support engineers also checked.

We are running out of ideas.

Did anyone face this issue?

Any suggestion is welcome!

Thanks in advance

1 Solution
hbac
Staff

Hi @miki360

Do you have a ticket opened? If yes, what is the ticket number?

We need to double-check the configuration; please provide the output of the following commands:

# show full user saml

# show full vpn ssl setting

Please also provide screenshots of the Azure configuration.

Regards,


miki360
New Contributor

Hello,

Yes, we have opened a case, and after checking, the issue was resolved by disabling the SP certificate. The certificate was generated using the FW CA, but we did not get the reason what was wrong with the certificate.

mle2802
Staff

Hi there,

This issue usually happens when there is a mismatch in IdP or SP URL addresses between the FortiGate and the Microsoft Azure Single Sign-On page. Can you please verify that information and refer to this document for more detail:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Invalid-HTTP-Request-while-using-sso-login...
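The URL comparison mle2802 describes can be done mechanically rather than by eye. The following is an added example, not code from Fortinet or from this thread: it parses a constructed sample of "show full user saml" output, pairs each SP/IdP setting with the field it must equal on the Azure Enterprise Application pane, and flags any difference, calling out separately the ones that differ only by a trailing slash, letter case or http/https (an assumption about what is commonly overlooked; the tenant id is a placeholder).

```python
import re

# Constructed sample of `show full user saml` output (placeholder tenant, example host).
FGT_CONFIG = """
config user saml
    edit "azure-sso"
        set cert "Fortinet_Factory"
        set entity-id "http://vpn.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com/remote/saml/login/"
        set single-logout-url "https://vpn.example.com/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
    next
end
"""

# Constructed values as read off the Azure "Basic SAML Configuration" / "Set up" panes.
# One deliberate discrepancy: the Reply URL is missing the trailing slash.
AZURE = {
    "Identifier (Entity ID)": "http://vpn.example.com/remote/saml/metadata/",
    "Reply URL (ACS URL)": "https://vpn.example.com/remote/saml/login",
    "Logout URL": "https://vpn.example.com/remote/saml/logout/",
    "Azure AD Identifier": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
    "Login URL": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2",
}

# FortiGate setting -> Azure field that must hold exactly the same string.
PAIRS = [
    ("entity-id", "Identifier (Entity ID)"),
    ("single-sign-on-url", "Reply URL (ACS URL)"),
    ("single-logout-url", "Logout URL"),
    ("idp-entity-id", "Azure AD Identifier"),
    ("idp-single-sign-on-url", "Login URL"),
]

def parse_fgt_saml(text):
    """Return {setting: value} from every 'set <key> "<value>"' line of the config."""
    return dict(re.findall(r'^\s*set\s+(\S+)\s+"([^"]*)"', text, re.M))

def compare(fgt, azure):
    """Return (fgt_key, fgt_value, azure_value, note) for each pair whose strings differ."""
    norm = lambda u: re.sub(r"^https?://", "", u.lower()).rstrip("/")
    mismatches = []
    for key, field in PAIRS:
        a, b = fgt.get(key, ""), azure.get(field, "")
        if a != b:
            note = ("differs only by trailing slash, case or http/https"
                    if norm(a) == norm(b) else "different value")
            mismatches.append((key, a, b, note))
    return mismatches

if __name__ == "__main__":
    for key, a, b, note in compare(parse_fgt_saml(FGT_CONFIG), AZURE):
        print(f"{key}: FortiGate={a!r} Azure={b!r} ({note})")
```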
