TheHoff1
New Contributor

Fortigate AzureAD SSO VPN immediate disconnect

We have set up our Fortigate 80F to connect to our AzureAD. All seems to work fine, but users are immediately logged out after the credentials are checked.

 

So whether we connect through the web interface or the FortiClient software, we fill in the user's credentials.

The login is validated and we immediately get 'Microsoft: You've signed out of your account.'

Followed by a 'Session ended' screen from the Fortigate.

 

I have followed all steps here: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial#config...

 

But I seem to have missed something. Does anyone have any idea?

1 Solution
Anonymous
Not applicable

Hello 

 

Normally we would need debug output to be able to provide a solution, but I would first recommend rechecking the setup, since this is a new configuration which has never worked before:

 

So please refer to these complete step-by-step guides:

 

1) https://community.fortinet.com/t5/FortiGate/Technical-Tip-Create-SSL-VPN-with-Azure-SAML-SSO-Authent...

2) https://yura.stryi.com/en/2021-03-05/fortigate-ssl-vpn-azure-mfa/

 

After checking the configuration, I would kindly ask you to run the following debugs and try to reproduce the issue:

 

diag debug reset
diag debug console timestamp enable
diag debug app samld -1
diag debug app sslvpn -1
diag debug enable

 

Please also note the username used in the test, which group the user should be a member of, and which SSL VPN portal you expect the user to be mapped to.

 

Also please refer to the last section of this article for the most common issues and misconfigurations:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-SAML-authentication-resource-lis...

 

Please let us know the outcome and whether the issue still persists.

 

Regards

Edvin.


3 REPLIES

TheHoff1

Hi,

 

Thanks so much for the links. I have figured out what I did wrong.

 

For some reason the tutorial I had set config user group > FortiGateAccess > config match > edit 0 to 1.

And for group-name <Group Object ID>, I accidentally set my tenant ID. That would explain it all.

 

Cheers!

 
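The mismatch described in the reply above (a tenant ID entered where the Azure AD group's Object ID belongs) can be checked directly against the SAML assertion the FortiGate receives, for example the one printed by `diag debug app samld -1` or captured with a browser SAML tracer. The script below is an added example written for this thread, not FortiGate or Microsoft code. It assumes the Azure AD issuer has the form https://sts.windows.net/<tenant-id>/ and that the group claim is named `group`, as in the linked tutorial; the GUIDs and the assertion itself are constructed sample data.

```python
"""Check whether an Azure AD SAML assertion would satisfy a FortiGate
`config user group` / `config match` entry.

Added example for this forum thread, not FortiGate or Microsoft code.
Assumptions: the IdP Issuer looks like https://sts.windows.net/<tenant-id>/
and the group claim is named "group" (the claim name the linked tutorial
configures). Every GUID and the assertion below are made up.

This only inspects the assertion; it does not verify the XML signature,
so use it on captured debug output, never as an authorization decision.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed identifiers; both are GUIDs, which is why they are easy to mix up.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
GROUP_OBJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Minimal, unsigned response shaped like the one Azure AD posts to the FortiGate
# (constructed sample, not a real capture).
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>{GROUP_OBJECT_ID}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The SAMLResponse form field is the base64 of that XML.
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_response(saml_response_b64):
    """Decode a SAMLResponse and pull out the issuer, the tenant ID it embeds,
    and every attribute with its list of values."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = root.findtext("saml:Issuer", namespaces=NS) or ""
    # Assumption: Azure AD issuer is https://sts.windows.net/<tenant-id>/
    tenant_id = issuer.rstrip("/").rsplit("/", 1)[-1]
    attributes = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    return {"issuer": issuer, "tenant_id": tenant_id, "attributes": attributes}


def evaluate_match(parsed, claim_name, configured_group_name):
    """Emulate the comparison behind `set group-name` in a `config match`
    entry: the configured string must equal one of the claim's values exactly.
    Returns (matched, reasons) where reasons explains a failed match."""
    values = parsed["attributes"].get(claim_name, [])
    matched = configured_group_name in values
    reasons = []
    if not values:
        reasons.append(
            f"assertion carries no '{claim_name}' claim; check the claim name "
            "on the Azure side and `set group-name` under `config user saml`"
        )
    if not matched and configured_group_name == parsed["tenant_id"]:
        reasons.append(
            "configured group-name equals the tenant ID taken from the Issuer, "
            "not a group Object ID"
        )
    elif not matched:
        reasons.append(f"configured group-name not among claim values {values}")
    return matched, reasons


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_SAML_RESPONSE)
    print("tenant from Issuer:", parsed["tenant_id"])
    for candidate in (TENANT_ID, GROUP_OBJECT_ID):
        ok, why = evaluate_match(parsed, "group", candidate)
        print(f"group-name {candidate}: {'match' if ok else 'NO MATCH'}", *why)
```

The FortiGate compares the configured `group-name` string against the claim values exactly, so a tenant ID never matches a group Object ID even though both are GUIDs and the mistake looks plausible in the CLI. With no `config match` entry satisfied the user is not mapped to a portal, which is consistent with the login being validated by Microsoft and the session then ending on the FortiGate side as the original post describes. For real captures, parse with a hardened XML library rather than `xml.etree` if the input comes from an untrusted source.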

Anonymous
Not applicable

Hi 

 

That's great to hear

 

Thanks for sharing the fix and enriching our knowledge-sharing community.

 

Cheers!

Edvin.
