tobiasberndes
New Contributor

Fortinet Single Sign On (FSSO) for SSL-VPN SAML Entra via Syslog

Hello,
has anyone used SSL VPN with Microsoft Entra SAML authentication and forwarding of the login/logout information to FSSO via syslog? In SAML we use the mail address of the user as the UPN.

We want to use the concept to run the authentication of the firewall rules via FSSO Active Directory groups.

Background is the following article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Fortinet-Single-Sign-On-FSSO-for...

My problem is that although the syslog message arrives in the FSSO, no query is then sent to the LDAP with the UPN.

FortiGate 600F with 7.4.3

config log syslogd setting
    set status enable
    set server "10.7.1.67"
end

config log syslogd filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set ztna-traffic disable
    set anomaly disable
    set voip disable
    config free-style
        edit 1
            set category event
            set filter "((logid 0101039947) or (logid 0101039948) or (logid 0101039949))"
        next
    end
end

FSSO logon_event.log

02/15/2024 16:56:23	[RECV_EVENT_FROM_DC]	packet_len:92 dcagent_ip:10.5.1.2 time:1708012583 data_len:49 data:10.199.1.10/SYSLOG/Tobias.Berndes@inotec-licht.de ip:0.0.0.0

Wireshark Syslog + LDAP Request

[Screenshots: 2024-02-15 17_22_31-Remote Desktop Manager [FSSO-DE01-01].png, 2024-02-15 17_24_47-Remote Desktop Manager [FSSO-DE01-01].png, 2024-02-15 17_24_04-Remote Desktop Manager [FSSO-DE01-01].png]

1 Reply
ebilcari
Staff

I guess you have to remove the Group field in the parsing rule, since that information will not come from the syslog content itself; it will be extracted from the LDAP server.

When you paste the syslog content into the test field, what value is filled in for the Username?

You can also increase the Logging level in Collector Agent:

[Screenshot: logs.PNG, Collector Agent logging level setting]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
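As an added illustration (not code from this thread, from Fortinet, or from the Collector Agent), the Python sketch below shows what a syslog parsing rule has to pull out of a forwarded FortiGate event for the three log IDs in the free-style filter above: a username and a client IP, and nothing else, since the AD group is resolved from LDAP afterwards. The sample lines, the device name and the client address are constructed; the field names (logid, user, remip, tunnelip) follow the usual FortiGate SSL-VPN event layout, and which log ID is tunnel-up versus tunnel-down, as well as preferring tunnelip over remip, are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Tokenizer for FortiGate-style key=value syslog lines: values are either
# double-quoted (may contain spaces) or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The three event log IDs from the free-style filter in the post. Which of them
# is the tunnel-up and which the tunnel-down event is not stated in the thread;
# the split below is an assumption made for this example.
LOGON_IDS = {"0101039947"}
LOGOFF_IDS = {"0101039948", "0101039949"}

# Constructed sample lines (hypothetical device name, RFC 5737 client IP).
SAMPLE_LINES = [
    'date=2024-02-15 time=16:56:23 devname="FG600F-EXAMPLE" logid="0101039947" '
    'type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" '
    'user="Tobias.Berndes@inotec-licht.de" remip=203.0.113.5 tunnelip=10.199.1.10',
    'date=2024-02-15 time=17:01:02 devname="FG600F-EXAMPLE" logid="0101039948" '
    'type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" '
    'user="Tobias.Berndes@inotec-licht.de" remip=203.0.113.5 tunnelip=10.199.1.10',
    # An unrelated event that the syslog filter should not forward at all.
    'date=2024-02-15 time=17:02:00 devname="FG600F-EXAMPLE" logid="0100032001" '
    'type="event" subtype="system" user="admin" ui="https(10.0.0.1)"',
]


def parse_kv(line: str) -> Dict[str, str]:
    """Split one syslog line into a dict; quoted and bare values are unified."""
    out: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        out[key] = quoted if quoted is not None else bare
    return out


def to_fsso_event(line: str) -> Optional[Dict[str, str]]:
    """Reduce a line to the (action, user, ip) triple a collector needs.

    Returns None for log IDs outside the filter and for lines that lack a
    username or a usable IP: an entry without either cannot be matched to
    traffic, and an IP of 0.0.0.0 is treated as missing. The AD group is
    deliberately not taken from the line; the collector resolves it via LDAP.
    """
    f = parse_kv(line)
    logid = f.get("logid")
    if logid in LOGON_IDS:
        action = "logon"
    elif logid in LOGOFF_IDS:
        action = "logoff"
    else:
        return None
    user = f.get("user", "")
    # Tunnel-mode clients source internal traffic from the tunnel address,
    # so prefer it over the public remote address (assumption for this sketch).
    ip = f.get("tunnelip") or f.get("remip") or ""
    if not user or ip in ("", "0.0.0.0"):
        return None
    return {"action": action, "user": user, "ip": ip}


def fsso_events(lines: List[str]) -> List[Dict[str, str]]:
    """Apply to_fsso_event to every line and drop the ones that yield nothing."""
    return [ev for ev in (to_fsso_event(ln) for ln in lines) if ev is not None]


if __name__ == "__main__":
    for ev in fsso_events(SAMPLE_LINES):
        print(ev)
```

Running it is the scripted equivalent of pasting a syslog line into the Collector Agent's test field: if `user` or the IP comes out empty for a real forwarded line, the parsing rule is not matching the fields the FortiGate actually sends, and no LDAP lookup can follow.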