Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sbaltic
New Contributor

Created on ‎12-04-2023 09:59 PM

Fortigate FG200 SSL VPN with Microsoft Entra Auth

Anyone manage to resolve this issue with OS 7.4.1 that can successfully authenticate SSL VPN user with Fortigate VPN SSL enterprise app on Entra ID?

I tried app from the library, own app, custom app but the error is always the same (session ended or incorrect HTTP request). 

I am using default 443 port ... and when I create SAML with gui I get ID like:
http://1.2.3.4:443/remote/saml/metadata/

https://1.2.3.4:443/remote/saml/login

https://1.2.3.4:443/remote/saml/logout

 

and cert from Entra is sha-256 not sha1 (witch is default encryption with new gui SAML)

 

Thx

SB
SB
Labels:
1485
0 Kudos
5 REPLIES 5
hbac
Staff
Staff

Created on ‎12-05-2023 06:30 AM

Hi @sbaltic,

 

Does SAML authentication work with only username and password? Since FortiGate is not responsible for authentications, it doesn't care which app you are using. FortiGate only waits for authentication results from IDP. 

 

You can try to increase remoteauthtimeout on the FortiGate to see if it helps: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-global-set-remoteauthtimeout-us...

 

Regards, 

1458
sbaltic
New Contributor

Created on ‎12-08-2023 01:09 AM

The problem is that I get "Session Ended" every time I login. So the fortigate login opens microsoft authentication and when I enter credentials I get "Session Ended"

SB
SB
1422
0 Kudos
hbac
Staff
Staff
In response to sbaltic

Created on ‎12-08-2023 06:01 AM

@sbaltic

 

Please double check your configuration and make sure the user group is specified in the firewall policy source. Please also make sure there is no group mismatch: -Followed below documents as error is matching:


https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-group-mismatch-issue-in-SSL-VPN...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Azure-SAML-group-mismatch-getting-error-re...

 

Regards, 

1408
0 Kudos
sbaltic
New Contributor
In response to hbac

Created on ‎12-08-2023 08:40 AM

Tried right now ... same problem. I don't see any group mismatch error. I think I tried everything. Even group ID and group name, always the same problem. Removed :443 also removed / (end of the matadata, login, logout) ... add enterprise app from scratch, add enterprise app FORTIGATE SSL VPN ... 

SB
SB
1400
0 Kudos
hbac
Staff
Staff
In response to sbaltic

Created on ‎12-09-2023 12:30 PM

@sbaltic,

 

Please collect debugs as mentioned in the article https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-group-mismatch-issue-in-SSL-VPN...

 

# di deb res 

# diagnose debug application samld -1
# diagnose debug application sslvpn -1
# diagnose debug enable

 

Regards, 

1383
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.