Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leo-ehk

SAML Configuration for Fortigate SSL VPN SSO - Invalid HTTP request.

Hello community,


We would like to configure our FortiGate 100F SSL VPN access with SAML and MS Entra.

Unfortunately, we get the following prompt:


[screenshot: SAML-FortiIssue.PNG]

We use the following MS Node:

https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial

Is it important that we use an Entra plan, or is the free version okay? We use M365 Business St.

1 Solution
pminarik

SAML authentication can be configured to work without specific groups. In this situation, you'd better manually set who can use the "enterprise application" (SSL-VPN) in Azure AD/Entra's configuration.


The P1/P2 plan affects what additional options you have available, but a basic SAML setup can be run even with a free plan, as far as I am aware.

[ corrections always welcome ]


pminarik
Staff

The /remote/saml/login URL is not intended to be directly accessed by a user, as it expects to receive some attributes, automatically generated by the SP/IdP.


You should simply try connecting to the bare URL, such as: https://myvpn.com:<port>. From there, you should either be automatically redirected to the IdP's login page (if using exclusively SAML for VPN authentication), or offered a chance to enter credentials or click a button to initiate the SAML process (= redirects to the IdP to authenticate).

[ corrections always welcome ]
leo-ehk

Hello pminarik,


Thanks for your fast answer. I get the same problem on the FortiClient.

[screenshot: SAML-FortiIssue2.PNG]


pminarik

Can you share the configuration of the VPN profile on the FortiClient? (You can hide the IP or domain name, but leave everything else visible, including any /url/paths/used.)

On top of that, it would be useful to review the SAML config on the FortiGate, for which you can share the output of "show user saml". (Again, feel free to hide the domain names and IPs.)

[ corrections always welcome ]
leo-ehk

[screenshot: 16-11-2023 14-30-24.png]

leo-ehk

What's the right way to share or upload the config file?

pminarik

A screenshot of these config snippets is good enough.

I'd leave full backups for a potential support ticket; it's not the best idea to share them on a public forum.
For the FortiClient config, something like this should suffice:


[screenshot: fct.png]


[ corrections always welcome ]
leo-ehk

[screenshot: 16-11-2023 15-24-29.png]

leo-ehk

Now it's working, but my question is: is it important to have the Azure P1 or P2 plan? Or does SAML auth also work without a security group in Azure?

leo-ehk

Hello pminarik, I think the problem came through a false config with the config user group. The "set member "azure"" was not set. Is it important that we use the security group in Azure, or is that optional?

[screenshot: 16-11-2023 15-33-42.png]
