Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
benKettner
New Contributor

Created on ‎10-11-2023 12:40 AM Edited on ‎10-17-2023 04:56 AM

SOLVED: Fortigate replacing IDP Certificate on SAML SSO with Captive Portal

 

I am trying to get SSO for my WIFI with Azure AD. 

I created an Azure Enterprise Application and assigned Users. 

I set up SSO in Fortigate.

I created a usergroup in Fortigate.

I created Policies to use that group for Wifi access

I added that group to the SSID

I set the Captive Portal to Disclaimer (for debug reasons) and when I accept the disclaimer, I am forwarded to login.microsoft.com - but there I get a certificate error because for some reason, Fortigate seems to replace the IDP certificate (that I of course added to the appliance) with the Fortigate Factory Certificate. I am at a loss here as I do not understand, where and why the certificate gets replaced... Can't find anything in the forums or anywhere online, I have been searching for 3 days now... 

Labels:
1008
0 Kudos
6 REPLIES 6
benKettner
New Contributor

Created on ‎10-11-2023 01:11 AM

 

Here's a screenshot of the problem I am facing. This is where I am redirected after accepting the disclaimer in the captive portal...

saml_error.png

 

996
0 Kudos
hbac
Staff
Staff

Created on ‎10-11-2023 01:30 PM

Hi @benKettner,

 

Can you check which certificate you are using? Looks like you are using self-signed certificate for captive portal. 


config user setting

show full

 

Regards, 

969
benKettner
New Contributor

Created on ‎10-11-2023 11:06 PM

Thanks for getting back to me. This is the output of the user settings: 

 

saml_user_settings.png

957
0 Kudos
hbac
Staff
Staff
In response to benKettner

Created on ‎10-12-2023 08:25 AM

Hi @benKettner,

 

Can you set the certificate as follows:

 

config user setting

set auth-ca-cert "Fortinet_CA_SSL"

end

 

You can refer to this article at step 7: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Wireless-Authentication-using-SAML-Credent...

 

Regards, 

933
benKettner
New Contributor
In response to hbac

Created on ‎10-16-2023 12:24 AM

Unfortunately that did not change anything except that the cert is now set in the user settings. 

894
0 Kudos
benKettner
New Contributor

Created on ‎10-17-2023 04:56 AM

The problem was solved in a support call today. The solution was that the policy that contained the MS SSO URLs as Addresses and was Portal Exempt did not work - we changed it to "Services Azure" and then SSO started working. Weird, that was the last place I would have looked for the problem... 

868
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.