cybertechcom123
New Contributor

cannot get Fortigate and Azure SSO working

Hi all, I'm in need of some assistance. I have been on this task for 2 days and I cannot figure out what's wrong with my settings.

 

I have set up an AWS EC2 image of Fortinet and followed multiple websites and YouTube videos; however, I just don't seem to be able to establish a VPN connection using Azure SSO.

 

Below is my config.

Public DNS entry added: vpn.domainname.com.au A record to the public IP of the gateway.

Let's Encrypt cert is added and valid.

Currently not set to a custom port; however, I have also tried port 10443 and updated the SAML config, same issue.

 

config user saml
    edit "azure"
        set cert "certificatenameblankedout"
        set entity-id "https://domainname/remote/saml/metadata"
        set single-sign-on-url "https://domainname/remote/saml/login"
        set single-logout-url "https://domainname/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/XXXXXXXX/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/XXXXXXXX/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/XXXXXXXX/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name username
        set group-name group
    next
end

config user group
    edit FortiGateVPN
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "(azure security group object id XXXXXXXX)"
            next
        end
    next
end

 

Below screenshot is what I get when testing the Azure SSO user in the Azure portal:

[screenshot]

This is the error when trying to use the FortiClient and connect:

[screenshot]

Fortinet config:

[screenshots]

Azure settings:

[screenshots]

I have also tried creating everything with the GUI and get the same result.

Thanks all

Matt

Matt Carter
funkylicious
SuperUser

Hi,

I would start in the SSL-VPN settings by setting "Listen on interface" to the correct one with the public IP and DNS.

Then:

- It is recommended to increase remoteauthtimeout under config system global to 60 or 120.

- Under the config user saml that you configured, please append a / at the end of the URLs, except for the ones ending in saml2.

 

Here is a tutorial that should do the trick.

Tshoot article.

"jack of all trades, master of none"
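As an added example that is not part of this thread, the following Python linter checks a FortiGate "config user saml" block for the two points raised above: every URL except the Azure saml2 endpoints should end in "/", and the entity-id line in the original post ends in a typographic quote rather than a straight one. The hostname vpn.example.com.au and TENANT-ID-PLACEHOLDER are constructed stand-ins for the redacted values.

```python
import re

# Constructed sample modelled on the poster's block: the SP URLs lack the
# trailing "/" and the entity-id line ends in a curly quote (U+201D).
SAMPLE_CONFIG = '''config user saml
    edit "azure"
        set cert "certificatenameblankedout"
        set entity-id "https://vpn.example.com.au/remote/saml/metadata\u201d
        set single-sign-on-url "https://vpn.example.com.au/remote/saml/login"
        set single-logout-url "https://vpn.example.com.au/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
        set idp-cert "REMOTE_Cert_1"
    next
end
'''

URL_KEYS = ("entity-id", "single-sign-on-url", "single-logout-url",
            "idp-entity-id", "idp-single-sign-on-url", "idp-single-logout-url")
CURLY = "\u201c\u201d\u2018\u2019"  # typographic quotes pasted from a document

def parse_saml_block(text):
    # Map every 'set <key> <value>' line in the block to its raw value.
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*\S)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def lint_saml(text, expected_host):
    # Return human-readable findings; an empty list means the block passes.
    findings = []
    settings = parse_saml_block(text)
    for key in URL_KEYS:
        raw = settings.get(key)
        if raw is None:
            findings.append(f"{key}: missing")
            continue
        if any(c in raw for c in CURLY):
            findings.append(f"{key}: contains a typographic quote; use straight double quotes")
        url = raw.strip('"' + CURLY)
        # Azure's saml2 endpoints are the only URLs that keep no trailing slash.
        if not url.endswith("saml2") and not url.endswith("/"):
            findings.append(f"{key}: should end with a trailing '/'")
        # The SP-side URLs must all use the public DNS name the VPN listens on.
        if not key.startswith("idp-"):
            host = re.sub(r"^https://([^/]+).*", r"\1", url)
            if host != expected_host:
                findings.append(f"{key}: host {host!r} differs from {expected_host!r}")
    return findings
```

Running lint_saml(SAMPLE_CONFIG, "vpn.example.com.au") reports the curly quote and the three SP URLs missing their trailing slash, while the idp-entity-id (already ending in "/") and both saml2 endpoints pass.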