FortiGate - Entra ID SAML SSO


Prerequisites

  • Required services: FortiGate with SSL VPN enabled, Microsoft Entra ID tenant
  • A valid public FQDN (sub.domain.tld) for the FortiGate SSL VPN certificate
  • A working certificate on the FortiGate (Let’s Encrypt, public CA, etc.)

Add FortiGate SSL VPN in Entra ID

  • Enterprise Applications → Add from Gallery → Select FortiGate SSL VPN

Configure Basic SAML Settings in Entra ID

  • Identifier (Entity ID)
  • Reply URL (ACS)
  • Sign-on URL
  • Logout URL
  • Attribute & Claim mappings (username, group)
  • Download the SAML Base64 Signing Certificate

Create Test User and Security Group in Entra ID

  • Create test user
  • Assign user to the FortiGate SSL VPN enterprise app
  • Create Security Group (e.g., *FortiGateAccess*)
  • Copy the Object ID (used later in FortiGate group matching)

Upload Certificate to FortiGate

  • Import the SAML IdP certificate into FortiGate
  • Rename the certificate if needed for clarity

Configure FortiGate SAML Settings (CLI)

  • Define the SAML IdP (`config user saml`)
  • Configure entity-id, SSO URLs, IdP URLs, certificate, and attribute mapping

config user saml
  edit azure
    set cert "<FortiGate VPN Server Certificate Name>"
    set entity-id "https://vpn.my.org:10443/remote/saml/metadata"
    set single-sign-on-url "https://vpn.my.org:10443/remote/saml/login"
    set single-logout-url "https://vpn.my.org:10443/remote/saml/logout"

    set idp-entity-id "<Azure AD Identifier>"
    set idp-single-sign-on-url "<Azure Login URL>"
    set idp-single-logout-url "<Azure Logout URL>"
    set idp-cert "<Azure SAML Base64 Certificate Name>"

    set user-name username
    set group-name group
  next
end

Configure FortiGate User Group

  • Create a user group mapped to Azure SAML IdP
  • Match against the Azure AD Security Group Object ID

config user group
  edit AAD-FortiVPN
    set member azure
    config match
      edit 1
        set server-name azure
        set group-name "343744cd---GROUP-ID---67bb7e68"
      next
    end
  next
end

Configure SSL VPN Portals and Firewall Policy

  • Create SSL VPN portal(s)
  • Assign the portal to the SAML group
  • Add firewall policies allowing access from the SAML user group

Optional: Multiple SSL VPN Realms

  • Enable the SSL-VPN Realms feature
  • Create multiple realms (e.g., *FullTunnel*, *SplitTunnel*)
  • Assign specific portals and firewall policies per realm

FortiClient Setup (Optional)

  • Configure FortiClient for SSL VPN using SAML SSO
  • Ensure FQDN and port match the FortiGate SAML configuration

Testing and Validation

  • Use Azure → “Test” SSO functionality
  • Direct login to FortiGate VPN portal Web UI
  • Launch from MyApps portal tile
  • Use FortiGate debugging commands:

diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable

To stop debugging:

diagnose debug reset
diagnose debug disable

FortiClient connection stages:

  • 20% – TCP connection
  • 40% – SAML authentication
  • 80% – Tunnel negotiation
  • 100% – Connected

For example, if the connection fails at 40%, the FortiGate did not accept the SAML assertion; the samld debug output above shows why.

Troubleshooting Notes

  • Re-download metadata/cert when FQDN or port changes
  • Signature validation requirements changed in FortiOS 7.2.12 / 7.4.9 / 7.6.4
  • Common errors (e.g., *“Signature element not found”* from FortiGate)
  • Adjust group claim: ensure the Azure AD group appears in the SAML assertion
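As an added example (not code from the original page, Fortinet or Microsoft), the following Python script checks a constructed SAMLResponse against the values the FortiGate settings on this page compare: Issuer against idp-entity-id, Audience against entity-id, the username/group attribute names, the presence of a Signature element, and the group Object ID used in the user group's config match. The tenant ID, FQDN, user and group values are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SAMLResponse (already Base64-decoded); every value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion>
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <ds:Signature><ds:SignatureValue>SIGNATURE-PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://vpn.my.org:10443/remote/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="username"><saml:AttributeValue>alice@my.org</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="group"><saml:AttributeValue>343744cd---GROUP-ID---67bb7e68</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_assertion(xml_text, idp_entity_id, sp_entity_id, user_attr, group_attr, group_object_id):
    """Compare a SAMLResponse against the FortiGate settings from this page:
    idp_entity_id <-> 'set idp-entity-id', sp_entity_id <-> 'set entity-id',
    user_attr/group_attr <-> 'set user-name' / 'set group-name',
    group_object_id <-> the 'config match' group-name of the user group."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"assertion_present": False}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:Attribute", NS)}
    # The IdP may sign the Response or the Assertion; no <ds:Signature> in either
    # place is the condition behind the "Signature element not found" error.
    signed = (root.find("ds:Signature", NS) is not None
              or assertion.find("ds:Signature", NS) is not None)
    return {
        "assertion_present": True,
        "signature_element": signed,
        "issuer_matches_idp_entity_id": issuer == idp_entity_id,
        "audience_matches_entity_id": sp_entity_id in audiences,  # wrong FQDN/port shows here
        "username_claim_present": bool(attrs.get(user_attr)),
        # False when the claim name or the Object ID differs from 'config match'
        "group_object_id_present": group_object_id in attrs.get(group_attr, []),
    }
```

Any False value in the returned dict points at the FortiGate setting or Entra ID claim mapping that disagrees with what the IdP actually sends.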

fortigate_-_entra_id_saml_sso.1765575958.txt.gz · Last modified: 2025/12/12 21:45 by oso