Hi there!
I am trying to set up SAML SSL VPN on my Fortinet running version 6.4.11.
I have a 7.0.8 and a 7.2.2 where it works perfectly fine, but I can’t get it to work on 6.4.11.
I am using my own “guide” and the only difference is the error I get with the command:
“set digest-method sha1”
I get no other error messages.
This is how my setup looks:
User saml:
https://pasteboard.co/1iphENFZ3RGj.png
User group:
https://pasteboard.co/SU7p6JJxFFvW.png
Groups in GUI:
https://pasteboard.co/vso4j0KQf3Ju.png
Normally I would see the ssl-azure-vpn under the group on the right side, but it’s missing here.
Users in gui:
https://pasteboard.co/0XcBVL7vfb67.png
Normally the user shows up, but nothing here.
Am I missing something in the older version, or maybe it’s not supposed to?
You need to be using “set digest-method sha256” for SAML via Azure AD I think.
Here is a supplementary guide to the Azure docs that I wrote if you want to compare configs: https://fortiblog.gitbook.io/fortinet/configuration-examples/saml-based-ssl-vpn-via-azure-ad
I’m running v7.0.7 in the config I’m referencing now, and I can see my SAML group in the GUI and that there is a “member” in this group of the Azure AD group reference ID (image).
The set digest command does not exist in 6.4.
In my own test environment, both v6.4.11 and v7.0.8 use Azure SAML SSL VPN normally, but FortiClient v7.0.7 using the external browser as user-agent for SAML user authentication does not seem to work with FOS 6.4.11, while it works fine in FOS 7.0.8.
FOS6.4 should probably match FortiClient6.4.x.
If you use the browser for SAML login SSL VPN, everything is normal.
config user saml
    edit "AZURE_SSLVPN_SAML"
        set cert "vpnforyou"
        set entity-id "https://XXX.fortiddns.com/remote/saml/metadata/"
        set single-sign-on-url "https://XXX.fortiddns.com/remote/saml/login/"
        set single-logout-url "https://XXX.fortiddns.com/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/942b80cd-1b14-42a1-8dcf-4b21dece61ba/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/942b80cd-1b14-42a1-8dcf-4b21dece61ba/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/942b80cd-1b14-42a1-8dcf-4b21dece61ba/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "AZURE_SAML_SSLVPN_Group"
        set member "AZURE_SSLVPN_SAML"
        config match
            edit 1
                set server-name "AZURE_SSLVPN_SAML"
                set group-name "e8cdf279-XXXX-436b-9154-24c71cb637be"
            next
        end
    next
end
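As an added example (not code from this thread or from Fortinet): a small Python check that reads an Azure AD SAML response the way the config above is written, comparing the IdP's signature and digest algorithm URIs against the SP's digest-method and mapping the username and group attributes through the user-name/group-name attribute names and the group's match list. The response and the group object ID are constructed placeholders, and that digest-method must agree with the IdP's signing algorithm is an assumption taken from the sha256 suggestion above; the XML signature itself is not verified here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# (SignatureMethod, DigestMethod) URIs behind "set digest-method sha1|sha256".
ALGS = {"sha1": ("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                 "http://www.w3.org/2000/09/xmldsig#sha1"),
        "sha256": ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                   "http://www.w3.org/2001/04/xmlenc#sha256")}

# Mirrors the thread's "config user saml" / "config user group" attribute names;
# the group ID is a constructed placeholder, not a real Azure AD object ID.
SP = {"digest-method": "sha256", "user-name": "username", "group-name": "group"}
GROUP = {"server-name": "AZURE_SSLVPN_SAML",
         "match": {"00000000-0000-4000-8000-000000000001"}}

# Constructed response in the shape Azure AD returns; the Signature element
# carries only the algorithm identifiers, no real SignatureValue.
RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}"><saml:Assertion><ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="{ALGS['sha256'][0]}"/>
  <ds:Reference><ds:DigestMethod Algorithm="{ALGS['sha256'][1]}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature><saml:AttributeStatement>
  <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="group"><saml:AttributeValue>00000000-0000-4000-8000-000000000001</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_response(xml_text, sp=SP, group=GROUP):
    """Return (user, findings): the mapped user and each reason the SP would refuse."""
    findings = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return None, ["response carries no Assertion"]
    def alg(path):  # Algorithm URI of an element under SignedInfo, None if absent
        el = assertion.find("ds:Signature/ds:SignedInfo/" + path, NS)
        return None if el is None else el.get("Algorithm")
    used = (alg("ds:SignatureMethod"), alg("ds:Reference/ds:DigestMethod"))
    if used != ALGS[sp["digest-method"]]:
        findings.append(f"IdP signs with {used}; SP digest-method is {sp['digest-method']}")
    # Attributes keyed by Name, exactly as user-name / group-name select them.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    user = (attrs.get(sp["user-name"]) or [None])[0]
    if user is None:
        findings.append(f"no '{sp['user-name']}' attribute; check the claim name in Azure AD")
    if not group["match"].intersection(attrs.get(sp["group-name"], [])):
        findings.append(f"no '{sp['group-name']}' value matches the group's match list")
    return user, findings
```

Running check_response(RESPONSE) with the sha256 config returns the user and no findings; switching digest-method to sha1 or using an unmatched object ID returns the corresponding finding.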
Here I am with the same issue, SSL VPN used to work on the previous version, but on 6.4.11 it doesn’t prompt for AAD MFA.
I wonder if you managed to resolve this issue?
Thanks for the input! I will try and see if digest-method works with 6.4.11. I am using it for my 7.x.x and there it works perfectly fine.
However, I have a couple of firewalls I’d like to keep at 6.4.11 and wanted to check if SAML works there as well.
Thanks for your link! I’ll check it out and test it.
This looks correct.
What do your SSL VPN settings look like?
I’m assuming you assigned it to an auth rule.
We use SAML on a ton of 6.4.10 environments.
Hey man!
I ended up giving up.
I upgraded to 7.0.x and it worked instantly. So I guess I’ll be going 7.0 or 7.2
I got some issues with ZTNA on 7.0.9 and got a case open with TAC support, that it might be a firmware bug.
Anyways, hope you get it to work. I’m ditching 6.4.
Hi there!
It looks like this: (I am testing without a public certificate, just for fun. I do have one, but I have version 7.0.8 where it works without a public CA.)
https://pasteboard.co/MiQLmY42YuR2.png
Auth rule, are we talking about a firewall rule?
Also, when connecting, it does prompt me for my windows login, however, the error is “Access Denied”
For those stumbling upon this thread:
My issue was completely unrelated to the Firmware upgrade.
The AAD MFA Extension broke on the NPS server because of an expired certificate…
Just conveniently at the same time as our firmware upgrade.
I hate computers.
Hi there,
I could not get it to work, the FortiClient won’t connect. I tried googling everything, but I just can’t get it to work with 6.4.11, but it works fine with my 7.0.8.
So I decided to create IPsec tunnels between the locations instead, and run the traffic through their HQ firewall instead.
But if it’s possible, I’d still love to know what I am missing in the older version.
To me it looks like I cannot add the group to the SAML config.