One of the best fortigate SSL VPN integration with azure AD using SAML tutorial

Thank you Dan! I was able to setup the same within 1.5 hours thanks to your vid. If anyone cares: If using FIDO2 key (passwordless), you have to select the option in the Forticlient VPN profile to authenticate using the browser.

I've been pouring over the config documents from both Azure and Fortigate side for about a week preparing to get it done this week. Always helpful to see someone actually do it though and I'm really happy you left the troubleshooting in there. Invaluable! Liked and subscribed sir, thank you!

When I was notice a 48 mins video about this theme, I said "sure it is so boring this video", but when I finish, I immediately pushed that suscribe and "I like" button. Thanks a lot for your video and explanation "una joyita de video"

Great video. Really enjoyed how you showed the whole process including the small issues you ran into.

Dude thank you! One thing to note, is that you dont need the quotes anymore on 7.2.8 firmware.

Great, Thank you! This works out perfectly!! Multiple groups with different access and I was also able to configure access to go over a S2S VPN as well.

Best content in the subject for months in the subject I have come across. Thank you

Top notch demonstration. I'll be implementing this soon and this video is a great resource to have.

Thank you for creating this content Dan. Great video and instructions. It was incredibly helpful.

absolute genius. straight forward and easy to follow

Thanks a ton for the great Video. Each and every step in detail.

Great Video! I am using in version 6.2.9 too

great video. really informative .well organized and detailed. thanks for sharing. would like to see more upload from you.

Great vid. My free Azure account would not allow me to add groups to the FortigateSSL enterprise app thingy in Azure, only users. But, you could kick it a bit on the login and could evenutally get to the SSL portal. Thanks for the useful video and info. Make more vids!

Excellent video. Thanks for all your help!

I would like to thank you for this amazing video. Really helpful

Thanks for taking the time providing this great guide

Thanks for posting this. This really helped me.

Excellent video Dan! thank you so much

Very good and useful video. Thank you very much

Thanks, great video. I was stuck when I forgot to add the new group to my existing policy, then I found your video at 29:06 strange that it wouldn't even let you sign in without a policy.

great sharing.

This is great, thank you! Can you share the process for creating the SSL cert via Let's Encrypt?

Very nice explanation

Very informative. Thankyou

excellent work, thank you very much!

Thank You for this video. It was a pleasure to watch. Just one question here. There was no prompt for MFA. How does that work? How can I set that up if I want my users to receive OTP/Notification to be able to connect to VPN? Please help.

Thanks great detailed video

Thank you very much for this video. I had an issue with the step where I had to setup the custom "username" claim attribute on the Azure side and the documentation and other tutorials don't clearly state what to do there.

Awesome video, 100% :)

Thank you for the video

Great tutorial :) Helped me understand a lot. 2 questions 1. In what case would you integrate this WITH Fortiauthenticator? 2. Can you use a private CA that all devices using the VPN have as a trusted CA, or must it be public?

Hi. I have a problem with the client . Log show a problem with connect to server error 6500

Fantastic! one question: There seems to be a limitation on 7.0.9 to add multiple saml server to a group. Is there a way around this without recreating the same firewall policies for different saml servers

Good morning Dan, really nice video and well explained. I was just wondering, in the ssl settings in the Authentication/ Portal Mapping if i create a mapping to a new portal for azure and I also have a mapping for a group of local user of fw to connect to the portal full-access for example. When my users with local account will connect to the fw via forticlient, will they get the azure windows also ? I would like to keep these users connecting without the azure portal but also that some groups gets azure windows.

Once we've integrated with Azure AD, I always need to enter a username and password? Can you make me remember the username after choose SAML login?

Great Content...

Great work Dan, Is it possible to allow guest access to VPN? I am try to use Azure B2B cross tenant collaboration. Wants to allow guest accounts to authenticate using their own email addresses.

Hello, thank you for this video. I have a question: is the 7.0 required to use this feature or it works on 6.0? Can i use this type of authentication to grant internet access based on web filtering profile?

Great content Dan. For my understanding, I wonder could someone give me the highlevel sequence of events here, in terms if the token / authentication flow mechanism?

Do u have a video explaining integrating FG with adfs using SAML

Great Job!

Hi Dan, My forinet is running in AWS and I want to connect with Azure same like this video, Do I need to allow any ports in Azure and AWS vice versa?

Well done Dan :D

Thanks, I've been working on this since yesterday, and alway stuck in the same problem. When I do a "diagnose debug application sslvpn -1" on my Fortigate, I think the problem is right there: "[349:root:8f4]fsv_saml_login_response:477 No group info in SAML response.". I've recreate my claim, double (if not tripple) check my group IDs... but problem seems to be that no group information are sent from AzureAD.

Thanks you

GraniteDan, professionally done. I enjoyed watching. Do you have any thoughts on timer adjustments. I had heard when you go SAML that it is recommended to also adjust timers.

Can this be done without running a domain for our SSL Cert? I.e, running a cert to our public IP? We have no internal DNS so setting this up would be difficult for FQDN.

SSLVPN Azure SAML support on Smart Device such as Mobile and Tablet?

Do you need separate fortigate ssl vpn enterprise apps for separate fortigate firewalls?

On a FGT 40F I dont get a user found in the Azure Ad Group, how does one troubleshoot group translation? [215:root:2b]sslvpn_validate_user_group_list:1786 validating with SSL VPN authentication rules (1), realm ((null)). [215:root:2b]sslvpn_validate_user_group_list:1801 checking rule 1 cipher. [215:root:2b]sslvpn_validate_user_group_list:1809 checking rule 1 realm. [215:root:2b]sslvpn_validate_user_group_list:1820 checking rule 1 source intf. [215:root:2b]sslvpn_validate_user_group_list:1859 checking rule 1 vd source intf. [215:root:2b]sslvpn_validate_user_group_list:2178 rule 1 done, got user (0:0) group (1:0) peer group (0). [215:root:2b]sslvpn_validate_user_group_list:2506 got user (0:0), group (2:0) peer group (0). [215:root:2b]sslvpn_update_user_group_list:1734 got user (0:0), group (2:0), peer group (0) after update. [215:root:2b][fsv_found_saml_server_name_from_auth_lst:121] Found SAML server [ssl-azure-saml] in group [AAD-VPN_users] __samld_sp_create_auth_req [387]:

thanks bro

Where did you get gateway address to put in browser and Forticlient

Dan, Do you provide consulting services?

It's great tutorial. by the way, I found an error "Invalid HTTP request" when I tested. Could you advise, Dan? Thank you!

Hello Dan, great tutorial. If I'd enabled 2FA in Office 365 for those users, would that also work with the FortiVPN Client? That is, would I be able to setup 2FA without the need of an own radius server? Dan

can i use self signed certificate for azure saml ?

Hello, Grate video and solution. I have 5 Windows domains and 5 Fortigates. All 5 AD's are synchronized with one MS365 Tenant. This solutions works in this architecture? Thanks in advanced. AS

Anybody else have the issue when using the FQDN instead of the IP, that the reply response from the FortiGate is empty? DNS seems to resolve to the right IP. Entra succeeds when using the IP in the application config, but when using a DNS address, it seems to fail after authenticating due to a empty response.

Hi Dan, this video is very helpful, but I missed the MFA part. If I am not wrong, you didn't configure it. I can see that the systen asked username and password, but not a second factor (multi-factor or two-factor) authentication. No token or OTP of any sort.

My comprehension of client certificates is limited so bare with me. I have Azure SAML working thanks to your tutorial. Now I want to add client certificates to include company owned devices only. Is this possible? I've tried Azure Conditional Access with Hybrid Azure Joined devices restriction, but it does not seem supported in Forticlient (unsupported browser error). Is it just a matter of adding 'set ca' and 'set subject' to 'edit "ssl-azure-saml' ?

does this also work with ipsec?

Hello, several weeks I struggle to get it working... I have this famous "Invalid HTTP request" everytime I go the saml login URL. Tested almost everything, upgraded to 6.4.7.... any hint ?

noice!

When trying to import the remote certificate to the fortigate i get error "Basic constraints is absent for cert". Anyone else ever had that issue?

not working here, my vpn portal do not redirect do microsoft, if a access the saml address I have remote/saml/login invalid http request

About " **Note: It seems the Documentation from Fortinet has been taken down Please find this link to an alternate PDF copy of the doc (See pg 140): " please can you share the .pdf as the new link is not working ?

thank you - is this supported only on ver 7.x ?

Hello, do you have paid developer services? Are you a company

I am not able to import azure ad certificate in fortigate via remote certificate, I am using fortigate evaluation license

Hi, could you please tell me how to modify the count down time when the login page appear, my login page have only 10s time. (In your video it is 60s)

By using Azure AD Free license we can configure SAML to authenticate Fortigate SSL VPN?

Hi, does anyone know if you can apply Azure 2FA like this to authenticate against FG SSL VPN?

How can I have redundancy with SAML?

At about kzbin.info/www/bejne/pHWrY6qsq8p_qKs, you copied the FQDN but where should I get the FQDN in Fortigate from? Ive been trying to set up this configuration form yesterday but still stutcked on the way. Please help!! Kento from Japan.

@GraniteDan, what if iam using a different port other than 443 and also have some realms on my Fortigate i.e. my current remote gateway URL is: ...how do i configure SAML Basic Configuration URLS?