docs.facundoitest.space

User Tools

Site Tools

Trace: fortigate_-_entra_id_saml_sso
fortigate_-_entra_id_saml_sso

This is an old revision of the document!

Table of Contents

Prerequisites

  • Required apps and subscriptions (FortiGate SSL VPN, Entra ID tenant)
  • A valid sub.domain.tld to obtain a valid certificate at the fortigate

Add FortiGate SSL VPN in Entra ID

  • Enterprise Applications → Add from Gallery → Select FortiGate SSL VPN

Configure Basic SAML Settings in Entra ID

  • Identifier (Entity ID)
  • Reply URL
  • Sign-on URL
  • Logout URL
  • Attribute & Claim mappings
  • Download SAML Base64 Signing Certificate

Create Test User and Security Group in Entra ID

  • New user creation
  • Assign user to FortiGate SSL VPN app
  • Create Security Group (e.g., FortiGateAccess)
  • Note Object ID

Upload Certificate to FortiGate

  • Import Base64 certificate into FortiGate
  • Rename certificate if needed

Configure FortiGate SAML Settings (CLI)

  • Define SAML IdP (`config user saml`)
  • Map entity-id, single-sign-on-url, logout-url, IdP URLs, certificate, attributes

Configure FortiGate User Group

  • Create group (`config user group`)
  • Match against Azure Security Group Object ID
config user group
  edit AAD-FortiVPN
    set member azure
    config match
      edit 1
        set server-name azure
        set group-name 343744cd---GROUP ID---67bb7e68
      next
    end
  next
end

Configure SSL VPN Portals and Firewall Policy

  • Create VPN portal(s)
  • Apply firewall rules for SAML group

Optional: Multiple SSL VPN Realms

  • Enable SSL-VPN Realms feature
  • Create multiple realms (e.g., FullTunnel, SplitTunnel)
  • Configure portals and policies per realm

FortiClient Setup (Optional)

  • Configure FortiClient for SSL VPN with SAML SSO

Testing and Validation

  • Test SSO via Azure “Test” button
  • Direct login to FortiGate VPN portal
  • Use My Apps tile
  • Debugging commands (`diagnose debug application samld`)
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable

Here the fortigate will output everything related to SSL VPN to the console.

To stop it, paste: 

diagnose debug reset
diagnose debug disable

Troubleshooting Notes

  • Certificate re-download after FQDN changes
  • Signature verification requirements in FortiOS 7.2.12 / 7.4.9 / 7.6.4
  • Common errors (e.g., “Signature element not found”)

FortiClient shows progress as:

  • 20% → TCP connect
  • 40% → SAML authentication
  • 80% → tunnel negotiation
  • 100% → connected

So, failing at 40% means the tunnel never starts because the SAML assertion wasn’t validated.

References

fortigate_-_entra_id_saml_sso.1765575781.txt.gz · Last modified: 2025/12/12 21:43 by oso