Description
This article describes how to configure administrator login to FortiGate using the SAML standard for authentication and authorization.
SAML was introduced as a new administrator authentication method in FortiOS 6.2. A FortiGate can act as an Identity Provider (IdP) for other FortiGates, or as a Service Provider (SP) using another IdP.
This article provides an example for basic integration with Microsoft Entra ID (formerly known as Azure Active Directory (AD)) acting as the IdP.
Scope
FortiGate.
Solution
Below is a list of terms used in the FortiGate GUI, their equivalents in Azure, and the required SAML attribute:

FortiGate GUI          | Azure
IdP entity ID          | Entra ID Identifier
IdP single sign-on URL | Login URL
IdP single logout URL  | Logout URL
SP entity ID           | Identifier (Entity ID)
SP ACS (login) URL     | Reply URL (Assertion Consumer Service URL)
SP SLS (logout) URL    | Logout URL
SP portal URL          | Sign on URL
The only attribute that must be sent in the SAML response is 'username'; FortiGate interprets its value as the administrator's username/account name.
Step-by-step guide:
- Create a new Enterprise application in Entra ID. Go to Microsoft Entra ID -> Enterprise applications -> Create New Application -> FortiGate SSL VPN -> Name -> Create.
- In the newly created application, select Set up a single sign-on and select SAML.
- Start with sections 3 and 4 of the SAML-based Sign-on page. In section 3 (SAML Certificates), download the certificate (Base64). In section 4 (Set up <application name>), copy all three values: Login URL, Entra ID Identifier and Logout URL (they will be used in step 5). Keep this page open; it is needed at a later step to finish the configuration.

- Switch to the FortiGate. The first step is to import the Entra ID SAML certificate downloaded in the previous step.
- In GUI: System -> Certificates -> Import -> Remote Certificate.
- In CLI: the imported certificate appears as REMOTE_Cert_<n>; rename it to something recognisable, for example REMOTE_Cert_1 to Azure_SAML:
config vpn certificate remote
    rename REMOTE_Cert_1 to Azure_SAML
end
- FortiGate SAML configuration (this feature is not available in FortiManager).
- GUI in version 6.2: Go to User & Device -> SAML SSO.
- GUI in version 6.2.3 and above: Go to Security Fabric -> Settings. Enable FortiGate Telemetry and choose a Fabric name and an IP for FortiAnalyzer (an unused address is acceptable). Enable SAML Single Sign-On and select Advanced Options.
- GUI in version 6.4 and above: Go to Security Fabric -> Fabric Connectors -> Security Fabric Setup -> Single Sign-On Settings.
- CLI:
config system saml
SP address: The address FortiGate uses to process the SAML login and as the SAML SP identity; an FQDN or an IP address can be used. The SP entity ID, SP ACS (login) URL, SP SLS (logout) URL and SP portal URL displayed in the GUI are derived from this address, so set it before copying those values to Azure (changing it later means updating the Azure side as well).
SP certificate: The certificate FortiGate uses to sign the SAML messages it sends to the IdP.
Default login page: 'Normal' presents the standard login screen with an option to continue with SAML. 'Single Sign-On' redirects all GUI logins to SAML automatically. Leave it at 'Normal' at least for the initial configuration and testing, so that local login remains reachable if SAML is misconfigured.
Default admin profile: The admin profile applied to administrators who authenticate through SAML and have no account-specific SSO admin entry on the FortiGate; choose the least privileged profile that fits.
IdP settings.
IdP type: Custom.
IdP certificate: Select the certificate imported in step 4.
The last three options should be filled with values saved in step 3.
IdP entity ID: Entra ID Identifier.
IdP single sign-on URL: Login URL.
IdP single logout URL: Logout URL.
- Select Apply to save the change.
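As an added example (not part of the original article), this is what the settings of this step look like when entered in the CLI instead of the GUI. The FQDN, certificate name and profile name are assumptions; the three IdP values are written in the format Entra ID normally uses for them and must be replaced with the values copied in step 3.

```text
config system saml
    set status enable
    set role service-provider
    # SP address: the GUI address administrators will use (assumed FQDN)
    set server-address "fgt.example.com"
    # SP certificate used to sign SAML messages (assumed: the factory certificate)
    set cert "Fortinet_Factory"
    # keep 'normal' until SSO is verified; 'sso' redirects every GUI login to the IdP
    set default-login-page normal
    # profile applied to SAML administrators without an account-specific entry (assumed name)
    set default-profile "prof_admin"
    # IdP values: Entra ID Identifier, Login URL and Logout URL from step 3 (typical formats, replace <tenant-ID>)
    set idp-entity-id "https://sts.windows.net/<tenant-ID>/"
    set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-ID>/saml2"
    set idp-single-logout-url "https://login.microsoftonline.com/<tenant-ID>/saml2"
    # the Entra ID signing certificate imported and renamed in step 4
    set idp-cert "Azure_SAML"
end
```

The SP-side URLs that must be copied into Azure in the next step are computed from server-address, so verify them in the GUI after applying this configuration rather than typing them by hand.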
- Go back to the SAML-based sign-on section in Azure and edit section 1 (Basic SAML Configuration) with the SP values from FortiGate:
Identifier (Entity ID): SP entity ID.
Reply URL (Assertion Consumer Service URL): SP ACS (login) URL.
Sign on URL: SP portal URL.
Relay State: Leave blank.
Logout URL: SP SLS (logout) URL.
Close this panel by selecting Save.

- Edit the attributes sent by Azure (section 2, Attributes & Claims). FortiGate expects to receive the administrator's username in the 'username' attribute; Entra ID does not send an attribute with this name by default, so add a new claim:
Name: username.
Namespace: Leave blank.
Source: Attribute.
Source attribute: user.userprincipalname (the value of this attribute must match the username the administrator will use to log in; FortiGate trusts whatever name the IdP asserts here).
Select the Save button to add this new claim.
The other unused claims can be deleted.
Select the close button in the top right to return.

- Access authorization.
'Enabled for users to sign-in': When set to 'No', access is completely disabled for everyone.
'User assignment required': When set to 'Yes', only the users/groups listed in the 'Users and groups' section are allowed access. When set to 'No', any valid account in this directory can use this SAML SP and authenticate to the FortiGate admin GUI, receiving the default admin profile. Set this to 'Yes' and assign only the intended administrators (or an administrator group) before switching the default login page to 'Single Sign-On'.
- At present, SAML SSO admin authentication cannot be configured per VDOM. As a workaround, the following steps can be performed (where they fit):
1. If possible, set FortiGate's SSO URL to an FQDN and use DNS to resolve that FQDN to the IPs of different VDOMs, so that different users reach the FortiGate on different IPs while using the same FQDN.
2. Add the VDOM to the user's VDOM list (not ideal when permissions are a concern).
3. Change the SSO URL to the IP of the VDOM that is needed. Refer to this article on how to resolve two different IPs per FQDN.
- If there is a requirement to bind admin users to the Entra ID accounts and provide access to a specific VDOM, then follow these steps:
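The article's own steps for this binding are not reproduced on this page. As an added illustration (not the article's text), an account-specific binding on the FortiGate is an SSO admin entry whose name equals the value the IdP sends in the 'username' attribute; the UPN, profile and VDOM names below are assumptions.

```text
# one entry per Entra ID account; the entry name must equal the 'username' claim value (the UPN here)
config system sso-admin
    edit "admin1@example.com"
        # replaces the default admin profile from 'config system saml' for this account (assumed name)
        set accprofile "prof_admin"
        # limit this administrator to the named VDOM (assumed name)
        set vdom "root"
    next
end
```

Accounts that log in via SAML without a matching entry still receive the default admin profile, which is why 'User assignment required' on the Azure side should stay at 'Yes'.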
Run the tests now. When done, stop the debugs and reset them with:
diagnose debug reset
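As an added example (not from the original article), a complete debug session around a login test looks like this; samld is the FortiGate SAML daemon and httpsd the GUI web server, both of which appear in the output quoted below.

```text
# timestamps plus verbose output from the SAML daemon and the GUI web server
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug application httpsd -1
diagnose debug enable

# ... perform the SAML login from a browser now and read the output ...

# stop and clear all debug settings when finished
diagnose debug disable
diagnose debug reset
```

Run the login from a browser with the SAML-tracer extension (listed under Related documents) open at the same time, so the request and response seen by the browser can be compared with what samld reports.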
Similarly, the IdP response that the browser forwards from the IdP back to the FortiGate SP is visible in the following section:
2019-08-14 10:05:06 [httpsd 8170 - 1565769906 info] ap_invoke_handler[573] -- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
2019-08-14 10:05:06 [httpsd 8170 - 1565769906 info] ap_invoke_handler[576] -- Source: 10.5.63.254:58504 Destination: 10.5.60.60:443
__samld_sp_login_resp [723]:
Message Body
<###-base64-encoded-message-###> <--
Error examples and possible remedies (non-exhaustive).
- ERROR: 'username is missing in SAML assertion attributes.':
FIX: The 'username' claim is not being sent by Entra ID. Check the claim added in the Attributes & Claims step: the name must be exactly username, with an empty namespace, and its source attribute must carry a value.


- ERROR: 'AADSTS700016: Application with identifier '<SP-entity-ID>' was not found in the directory <tenant-ID>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. The authentication request might have been sent to the wrong tenant.'.

- ERROR: After authentication succeeds with the Azure IdP, the FortiGate page does not load, or FortiGate shows an 'Error' page.
FIX: This may be a misconfigured Reply URL (Assertion Consumer Service URL) in Azure. Make sure this value matches the SP ACS (login) URL from FortiGate (step 7).
- ERROR: 'Response validation failed. SAML Response rejected.'.

FIX 5.2: This may also be due to an incorrect IdP entity ID in the FortiGate configuration. Make sure it matches the Entra ID Identifier (steps 3 and 5).
The samld debug output names the reason for the rejection. In the sample below it is a clock skew between FortiGate and the IdP; in that case verify the FortiGate system time and NTP settings, because the assertion is only accepted inside its NotBefore/NotOnOrAfter window plus the tolerance configured under 'config system saml'.
__samld_sp_login_resp [848]: Clock skew issue. <----
samld_send_common_reply [91]: Code: 5, id: 1, pid: 24566, len: 53, data_len 37
samld_send_common_reply [99]: Attr: 22, 12,
samld_send_common_reply [99]: Attr: 23, 25, Undefined error.
2024-10-21 16:26:11 [httpsd 24566 - 1729520771 error] saml_sp_acs_handler[823] -- Error in SP ACS handler. Response validation failed. SAML Response rejected.
- ERROR: 'AADSTS90002: Tenant '<tenant-ID>' not found. This may happen if there are no active subscriptions for the tenant. Check with subscription administrator.'.

- ERROR: 'No group info in SAML response' or 'No user name info in SAML response'.
2024-12-04 13:24:10 [xxxx]fsv_saml_login_resp_cb:225 SAML response error: 4.
- ERROR: Unable to log into FortiGate GUI because SAML SSO is the default login, and it is not functional.
FIX: Log in by manually opening the SP ACS (login) URL (https://<fortigate>/saml/?acs). Ignore the error displayed and proceed with 'select here to log in locally'. Afterwards, switch the default login page back to 'Normal' in the GUI.
An 'Invalid HTTP request' error occurs when there is a misconfiguration or typo in the login or logout URL. Double-check the step-7 configuration and make sure the URLs match exactly on both sides. A sample configuration from the CLI looks like the following. Note that this sample is a 'config user saml' entry, i.e. the SAML SP used for SSL VPN user authentication (here on port 65443), whereas the admin SSO settings of this article live under 'config system saml'; the same rule applies to both: every URL must match, character for character, what is configured on the Azure side.
config user saml
    edit "ssl-azure-saml"
        set entity-id "https://<test-domain>:65443/remote/saml/metadata"
        set single-sign-on-url "https://<test-domain>:65443/remote/saml/login"
        set single-logout-url "https://<test-domain>:65443/remote/logout"
    next
end
Related documents:
SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 6.2: Cookbook SAML.
SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 6.2.3: Configuring the Security Fabric with SAML.
SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 6.4.2: Configuring the Security Fabric with SAML.
SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 7.0.2: Configuring single-sign-on in the Security Fabric.
SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 7.2.2: Configuring single-sign-on in the Security Fabric.
SAML overview and configuration (in the context of authentication between FortiGates in Security Fabric) version 7.4.1: Configuring single-sign-on in the Security Fabric.
Microsoft documentation for setting up SAML non-gallery application: Quickstart: View enterprise applications.
Browser extensions for inspecting SAML messages:
SAML Chrome Panel
SAML Message Decoder
SAML-tracer