jcrower
New Contributor

SSLVPN SSO - access denied and Failed to Create SP errors

Hey all,

 

Fortigate 81f with 7.0.14

 

Attempting to get SSLVPN SSO working with Microsoft Entra ID.  The process is failing before getting any type of login prompt.

 

Testing from the FortiClient I get "The response from https://vpn.domain.com was invalid."
Testing from the Test option within Entra ID I get - Access Denied (from https://vpn.domain.com page)

 

I've double checked all the URLs between the Entra ID application and the SAML config. The SSO group on the Fortigate is in the firewall policy.

 

Sanitised config:

config user saml
    edit "Entra ID VPN"
        set entity-id "http://vpn.domain.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.domain.com/remote/saml/?acs"
        set single-logout-url "https://vpn.domain.com/remote/saml/?sls"
        set idp-entity-id "https://sts.windows.net/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxx/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next


SAML debug

samld_process_request [157]: Could not get resp_attrs: code=1, resp_attrs_len=0
gen_sp_server [325]: Failed to create SP

The SSLVPN debug has this as the last entry before it fails.

2024-03-12 12:20:59 [405:root:1df9][fsv_found_saml_server_name_from_auth_lst:125] Found SAML server [Entra ID VPN] in group [FortigateVPNAccess]

Does anyone know where else to look to find the issue? With the Access Denied message, what was denied access by whom?

 

thanks

jc


jcrower
New Contributor

Thanks for the reply @jimbey2, so the access denied is from the Fortigate?

 

When you say to re-create a new IPv4 Policy, do you mean the firewall rule? I added the SSO group to the existing rule (at the moment we are using an LDAP lookup to on-premises AD).

ozkanaltas
Contributor III

Hello @jcrower ,

 

Can you try reconfiguring your sp urls without a question mark? 

 

config user saml
  edit "Entra ID VPN"
    set entity-id "http://vpn.domain.com/remote/saml/metadata/"
    set single-sign-on-url "https://vpn.domain.com/remote/saml/acs"
    set single-logout-url "https://vpn.domain.com/remote/saml/sls"
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
hbac
Staff

Hi @jcrower,

 

Please double check and verify the URLs on both sides. The FortiGate entity ID starts with 'http', but on Azure it shows 'https'.

 

Regards, 

jcrower
New Contributor

Thanks for the replies everyone.

 

I changed the URLs to match exactly:

  • no question marks (the Fortigate created those automatically but I removed them)
  • all https
  • ending back slash only for the Microsoft Entra Identifier

I also created a new firewall policy (basically cloning the existing one, but with just the SSO group) and put it before our current working one.  I'm not seeing any hits on it though when I attempt to log in.

 

I still get the same errors :(

 

There is something. Because of the M365 plan we are on, I cannot add groups to the Users and groups area, only specific users. Will this change how it's configured, or whether it will even work?

 


 

EDIT: that can't be the problem, the online instructions only state adding a user to that area. I have created a Security Group within Azure, have added that user to the Security Group and specified the Object ID of that group within the Fortigate SSO Group.

 

https://learn.microsoft.com/en-us/entra/identity/saas-apps/fortigate-ssl-vpn-tutorial#configure-and-...

hbac

@jcrower.,

 

Please try the following URLs instead: 

 

Entity ID: http://x.x.x.x/remote/saml/metadata/
single-sign-on-url: https://x.x.x.x/remote/saml/login
single-logout-url: https://x.x.x.x/remote/saml/logout

 

Regards, 
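As an added example (not from this thread or from Fortinet), a small Python check that parses a FortiOS `config user saml` block and compares the SP-side URLs against the values entered in the Entra enterprise application. It flags the three differences discussed above: the http/https scheme mismatch on the entity ID, the `?acs`/`?sls` query strings, and the `login`/`logout` path difference. The hostname and tenant ID are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed FortiOS snippet modelled on the original post (placeholder host and tenant).
FORTIGATE_SAML = '''
config user saml
    edit "Entra ID VPN"
        set entity-id "http://vpn.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com/remote/saml/?acs"
        set single-logout-url "https://vpn.example.com/remote/saml/?sls"
        set idp-entity-id "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
    next
end
'''

# SP values as they would be entered in the Entra enterprise app (constructed, per the accepted answer).
ENTRA_APP = {
    "entity-id": "https://vpn.example.com/remote/saml/metadata/",
    "single-sign-on-url": "https://vpn.example.com/remote/saml/login",
    "single-logout-url": "https://vpn.example.com/remote/saml/logout",
}


def parse_saml_block(text):
    """Return {key: value} for every 'set <key> "<value>"' line in a FortiOS block."""
    return dict(re.findall(r'^\s*set\s+(\S+)\s+"([^"]*)"', text, re.MULTILINE))


def compare_sp_urls(fortigate, entra):
    """List mismatches between FortiGate SP URLs and the Entra-side values (empty = consistent)."""
    problems = []
    for key, expected in entra.items():
        actual = fortigate.get(key)
        if actual is None:
            problems.append(f"{key}: missing on FortiGate")
            continue
        a, e = urlparse(actual), urlparse(expected)
        if a.scheme != e.scheme:
            problems.append(f"{key}: scheme {a.scheme} vs {e.scheme}")
        if a.query:
            # Entra compares the ACS/logout URL literally; a '?acs' style query will not match.
            problems.append(f"{key}: query string '?{a.query}' not present in Entra value")
        if a.netloc != e.netloc or a.path.rstrip("/") != e.path.rstrip("/"):
            problems.append(f"{key}: {actual} != {expected}")
    return problems


if __name__ == "__main__":
    for line in compare_sp_urls(parse_saml_block(FORTIGATE_SAML), ENTRA_APP):
        print(line)
```

Running it against the constructed block prints five mismatches; after the SP URLs are aligned with the Entra values the list is empty.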

jcrower
New Contributor

Thanks @hbac, as simple as that!  It's working... kind of.

 

It seems a bit buggy though.  The Windows client seems to work fine (mostly).

 

I tested the Android client (Samsung A14 Android 14) and it first said it required Chrome which is annoying as I don't use Chrome.  Anyway I 'enabled' Chrome, it takes me to the login screen, asks for the MFA sign in.  I switch to the Authenticator, type in the number, switch back to the Forticlient and it just sits there with the Approve sign in request screen.

 

If I close and reopen Forticlient it goes back to the Forticlient login screen.

csovike10
New Contributor

I have the same problem with the same FortiOS version and a very similar configuration.

I will try to find a solution, but if you found one please share it with me.

Maybe I will try to upgrade FortiOS to 7.2.
