fortigate_-_entra_id_saml_sso



Prerequisites

  • Required apps and subscriptions (FortiGate SSL VPN, Entra ID tenant)
  • A valid public hostname (sub.domain.tld) so the FortiGate can obtain a valid TLS certificate for the VPN portal

Add FortiGate SSL VPN in Entra ID

  • Enterprise Applications → Add from Gallery → Select FortiGate SSL VPN

Configure Basic SAML Settings in Entra ID

  • Identifier (Entity ID)
  • Reply URL
  • Sign-on URL
  • Logout URL
  • Attribute & Claim mappings
  • Download SAML Base64 Signing Certificate

Create Test User and Security Group in Entra ID

  • New user creation
  • Assign user to FortiGate SSL VPN app
  • Create Security Group (e.g., FortiGateAccess)
  • Note Object ID

Upload Certificate to FortiGate

  • Import Base64 certificate into FortiGate
  • Rename certificate if needed

Configure FortiGate SAML Settings (CLI)

  • Define SAML IdP (`config user saml`)
  • Map entity-id, single-sign-on-url, single-logout-url, IdP URLs, certificates, and the user/group attribute names

config user saml
  edit azure
    set cert <FortiGate Let's Encrypt VPN Server Certificate Name>
    set entity-id "https://vpn.my.org:10443/remote/saml/metadata"
    set single-sign-on-url "https://vpn.my.org:10443/remote/saml/login"
    set single-logout-url "https://vpn.my.org:10443/remote/saml/logout"
    set idp-entity-id <Azure AD Identifier>
    set idp-single-sign-on-url <Azure Login URL>
    set idp-single-logout-url <Azure Logout URL>
    set idp-cert <Base64 SAML Certificate Name>
    set user-name username
    set group-name group
  next
end

Configure FortiGate User Group

  • Create group (`config user group`)
  • Match against the Azure Security Group Object ID

config user group
  edit AAD-FortiVPN
    set member azure
    config match
      edit 1
        set server-name azure
        set group-name 343744cd---GROUP ID---67bb7e68
      next
    end
  next
end

Configure SSL VPN Portals and Firewall Policy

  • Create VPN portal(s)
  • Apply firewall rules for SAML group

Optional: Multiple SSL VPN Realms

  • Enable SSL-VPN Realms feature
  • Create multiple realms (e.g., FullTunnel, SplitTunnel)
  • Configure portals and policies per realm

FortiClient Setup (Optional)

  • Configure FortiClient for SSL VPN with SAML SSO

Testing and Validation

  • Test SSO via Azure “Test” button
  • Direct login to FortiGate VPN portal
  • Use My Apps tile
  • Debugging commands (`diagnose debug application samld`)

diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable

With this enabled, the FortiGate prints all SSL VPN and SAML daemon (samld) debug output to the console.

To stop it, paste:

diagnose debug reset
diagnose debug disable

Troubleshooting Notes

  • Certificate re-download after FQDN changes
  • Signature verification requirements in FortiOS 7.2.12 / 7.4.9 / 7.6.4
  • Common errors (e.g., “Signature element not found”)

FortiClient shows progress as:

  • 20% → TCP connect
  • 40% → SAML authentication
  • 80% → tunnel negotiation
  • 100% → connected

So a failure at 40% means the FortiGate did not accept the SAML assertion, and tunnel negotiation never starts.
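As an added troubleshooting aid (not from this page or from Fortinet), the following Python script decodes a captured SAMLResponse and reports what the FortiGate checks before it moves past 40%: the status code, whether the Response and the Assertion carry a ds:Signature element (the check behind "Signature element not found"), the Issuer to compare with idp-entity-id, and the `username`/`group` claims mapped by `set user-name`/`set group-name`. The sample response, tenant and group Object ID are constructed placeholders; the script reports signature presence only and verifies nothing cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (not a real capture): Success response with username/group claims, no ds:Signature.
SAMPLE_GROUP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder Object ID
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" Destination="https://vpn.my.org:10443/remote/saml/login">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@my.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@my.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>{SAMPLE_GROUP_ID}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def encode_response(xml_text: str) -> str:
    """Base64-encode XML the way it travels in the SAMLResponse POST field."""
    return base64.b64encode(xml_text.encode()).decode()

def inspect_saml_response(b64: str, expected_group: str,
                          user_attr: str = "username", group_attr: str = "group") -> dict:
    """Report what FortiGate checks: status, signature presence (not verified), mapped claims."""
    root = ET.fromstring(base64.b64decode(b64))  # use defusedxml for untrusted captures
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (missing or encrypted)")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    groups = attrs.get(group_attr, [])
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status_ok": status is not None and status.get("Value", "").endswith(":Success"),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "user": attrs.get(user_attr, [None])[0],
        "groups": groups,
        "group_matched": expected_group in groups,
    }
```

Run it against the base64 value of the SAMLResponse field from a browser capture; an assertion_signed of False on a build that enforces signed assertions explains a stop at 40%, and a group_matched of False points at the Object ID in `config user group`.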

Last modified: 2025/12/12 21:43 by oso