Forticlient SSL VPN with SAML error -7200 at 48%

Author: EMSQuestion
2021/09/01 19:26:41 (permalink)


Hi,

I have recently set up SAML auth with Azure AD but can't get it to work via Forticlient.

Users can log in to the web portal and auth using SSO successfully; it's just Forticlient that fails.

When users try to connect via Forticlient they are directed to the correct Microsoft login URL and can successfully auth with their Azure creds (including MFA), but after accepting the MFA prompt Forticlient stops at 48% and shows "Credential or SSLVPN configuration is wrong (-7200)".
Checking the SSL-VPN Monitor in the Forti shows the user as being connected, but only with "Web Connections" instead of "Tunnel Connections".

It's almost like, when authenticating, Forticlient can't find the user in a User Group, so it is assigned to the Web-access portal.

Running Forticlient 7.0 and firmware 7.0.1 on the Forti.

There is a post on Reddit about the SSL-VPN certificate key length having to be 2048, but we are using a certificate with a key length of 4096.
 
CONFIG BELOW (using example FQDN)
--------------------------------------------------------
config user saml
    edit "azure-saml"
        set cert "Fortinet"
        set entity-id "https://example-company.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://example-company.com:10443/remote/saml/login"
        set single-logout-url "https://example-company.com:10443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/YYY-e027-4bb6-a213-XXX/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/YYY-e027-4bb6-a213-XXX/saml2"
        set idp-cert "Azure_SAML"
        set user-name "username"
        set group-name "group"
    next
end

config user group
    edit "SAML_AZ_ALL"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "YYY-a79a-40f0-a2df-XXX" (Object ID of my Azure group)
            next
        end
    next
end
 

post edited by EMSQuestion - 2021/09/02 00:36:20
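The post above describes the symptom of a failed group match: the user authenticates, but the session lands on the web-only portal instead of a tunnel portal. The script below is an added illustration, not Fortinet code and not the poster's, of how that kind of match works in principle: the SAML attribute named by "user-name" supplies the login, the attribute named by "group-name" ("group" in the poster's config) must carry the configured group value (the poster's placeholder Object ID), and a session whose assertion does not contain that value falls through to a default portal. The assertions, the user "alice@example-company.com", the portal names "tunnel-access" and "web-access", and the second case (the same Object ID sent under Azure AD's default groups claim name rather than under "group") are all constructed for this example; whether that mismatch is the cause of the poster's problem is an assumption, but it is one of the first things a defender would check when the SSL-VPN monitor shows a web connection only.

```python
"""Simulation of SAML attribute-to-group matching for SSL-VPN portal selection.
Added illustration only; it is not FortiOS code and does not reproduce its internals."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names taken from the poster's "config user saml" block.
USER_ATTR = "username"
GROUP_ATTR = "group"

# Group Object ID placeholder exactly as it appears in the poster's "config match" block.
CONFIGURED_GROUP_ID = "YYY-a79a-40f0-a2df-XXX"

# Hypothetical portal names: one with tunnel mode, one web-only default.
TUNNEL_PORTAL = "tunnel-access"
DEFAULT_PORTAL = "web-access"

# Azure AD's default claim name for group membership (a known value, used here
# to construct a mismatch case; the poster's config expects "group" instead).
AZURE_DEFAULT_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def build_assertion(group_attr_name, group_values):
    """Build a constructed, minimal SAML 2.0 assertion (not a real IdP response)."""
    attr_values = "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in group_values)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{USER_ATTR}">
      <saml:AttributeValue>alice@example-company.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{group_attr_name}">{attr_values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def select_portal(assertion_xml, configured_group_id=CONFIGURED_GROUP_ID):
    """Return (user, portal). The user is treated as a group member only if the
    attribute named GROUP_ATTR carries configured_group_id; otherwise the session
    falls back to the web-only default portal, which is what "Web Connections"
    without "Tunnel Connections" in the SSL-VPN monitor corresponds to here."""
    attrs = extract_attributes(assertion_xml)
    user = (attrs.get(USER_ATTR) or [None])[0]
    if configured_group_id in attrs.get(GROUP_ATTR, []):
        return user, TUNNEL_PORTAL
    return user, DEFAULT_PORTAL


def attribute_names(assertion_xml):
    """Sorted attribute names present, so a claim-name mismatch is visible at a glance."""
    return sorted(extract_attributes(assertion_xml))


# Case 1 (constructed): claim "group" carries the configured Object ID -> tunnel portal.
GOOD = build_assertion(GROUP_ATTR, [CONFIGURED_GROUP_ID])
# Case 2 (constructed): same Object ID, but under Azure's default claim name -> no match.
MISMATCHED = build_assertion(AZURE_DEFAULT_GROUPS_CLAIM, [CONFIGURED_GROUP_ID])

if __name__ == "__main__":
    for label, assertion in (("good", GOOD), ("mismatched", MISMATCHED)):
        print(label, select_portal(assertion), attribute_names(assertion))
```

Running it prints the tunnel portal for the first assertion and the web-only default for the second, even though both carry the same group Object ID; the only difference is the attribute name, which is why comparing the claim names the IdP actually sends against the configured "group-name" is a useful first check.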

rina5392
Re: Forticlient SSL VPN with SAML error -7200 at 48% 2021/09/14 09:01:38 (permalink)
Good day, did you figure this out? I have the exact same problem.