Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cybertechcom123
New Contributor

cannot get Fortigate and Azure SSO working

Hi all, I'm in need of some assistance. I have been on this task for 2 days and I cannot figure out what's wrong with my settings.

I have set up an AWS EC2 image of Fortinet and followed multiple websites and YouTube videos, however I just don't seem to be able to establish a VPN connection using Azure SSO.

 

Below is my config:

Public DNS entry added: vpn.domainname.com.au A record to the public IP of the gateway.

Let's Encrypt cert is added and valid.

Currently not set to a custom port, however I have also tried port 10443 and updated the SAML config; same issue.

config user saml
    edit "azure"
        set cert "certificatenameblankedout"
        set entity-id "https://domainname/remote/saml/metadata"
        set single-sign-on-url "https://domainname/remote/saml/login"
        set single-logout-url "https://domainname/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/XXXXXXXX/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/XXXXXXXX/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/XXXXXXXX/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name username
        set group-name group
    next
end

config user group
    edit FortiGateVPN
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "(azure security group object id XXXXXXXX)"
            next
        end
    next
end

Below screenshot is what I get when testing the Azure SSO user in the Azure portal.

[screenshot: Azure portal SSO test result]

This is the error when trying to use FortiClient and connect.

[screenshot: FortiClient connection error]

Fortinet config

[screenshots: FortiGate configuration]

Azure settings.

[screenshots: Azure settings]

I have also tried creating everything with the GUI and get the same result.

Thanks all

Matt

Matt Carter
funkylicious
Contributor III

Hi,

I would start by configuring, in the SSL VPN settings, the Listen on Interface option with the correct interface, the one with the public IP and DNS.

Then:

- It is recommended to increase remoteauthtimeout under config system global to 60 or 120.

- Under the config user saml that you configured, please append a / at the end of the URLs, except for the ones ending in saml2.

Here is a tutorial that should do the trick.

Tshoot article.

geek
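As an added example that is not from this thread or from Fortinet, the following Python script applies the reply's trailing-slash rule to a pasted config user saml block and reports which values it changed; the SP-side values (entity-id, single-sign-on-url, single-logout-url) are the ones that also have to agree with the Identifier and Reply URL registered in the Azure enterprise application. The hostname, the TENANT-ID placeholder and the certificate names in the sample are constructed.

```python
import re

# Constructed sample based on the post's SP-side block; the hostname,
# tenant placeholder and certificate names are made up.
SAMPLE_CONFIG = """\
config user saml
    edit "azure"
        set cert "certificatenameblankedout"
        set entity-id "https://vpn.example.com.au/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com.au/remote/saml/login"
        set single-logout-url "https://vpn.example.com.au/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/TENANT-ID/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/TENANT-ID/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/TENANT-ID/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name username
        set group-name group
    next
end
"""

# Keys whose values are URLs the trailing-slash rule applies to.
URL_KEYS = {"entity-id", "single-sign-on-url", "single-logout-url",
            "idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url"}
# A quoted 'set <key> "<value>"' line; group 1 keeps the indentation.
SET_RE = re.compile(r'^(\s*set\s+)(\S+)\s+"([^"]*)"\s*$')

def normalise_url(url: str) -> str:
    """The reply's rule: trailing slash on every URL except the Azure
    endpoints ending in 'saml2'; values already ending in '/' are kept."""
    if url.endswith("saml2") or url.endswith("/"):
        return url
    return url + "/"

def lint_saml_block(text: str):
    """Return (fixed_text, findings); each finding is (key, old, new).
    SP-side changes are what must also be re-registered in the Azure app."""
    fixed_lines, findings = [], []
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m and m.group(2) in URL_KEYS:
            prefix, key, value = m.groups()
            new = normalise_url(value)
            if new != value:
                findings.append((key, value, new))
            line = f'{prefix}{key} "{new}"'
        fixed_lines.append(line)
    return "\n".join(fixed_lines) + "\n", findings
```

Running lint_saml_block(SAMPLE_CONFIG) changes only the three SP-side URLs; the IdP entity ID already ends in a slash and the two saml2 endpoints are left untouched.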