https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/33053/outbound-firewall-authentication-with-microsoft-entra-id-as-a-saml-idp
I’ve been trying to integrate SAML authentication between FortiGate and Azure Active Directory, but despite everything being configured correctly, I’m encountering issues logging in.
Configuration:
- SAML settings on FortiGate are correctly configured, including Entity ID, Single Sign-On URL, Single Logout URL, and IDP Entity ID (matching the Azure AD SAML application).
The SAML assertion received from Azure AD contains the correct username and group values as per the FortiGate SAML configuration.
Reply URL and Assertion Consumer Service (ACS) URL in Azure AD are set to match FortiGate's settings.
SAML signing certificate is correctly set in both Azure and FortiGate.
Issue:
When trying to log in, after authentication through Azure AD, it redirects back to the FortiGate login page instead of granting access. Everything looks correct in the SAML response, but it doesn’t seem to pass the authentication in FortiGate.
What I’ve Checked:
SAML assertion contains the correct values.
Groups and user attributes match the configured settings in FortiGate and Azure AD.
Has anyone experienced this issue before? Any tips or things I might have overlooked?https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/33053/outbound-firewall-authentication-with-microsoft-entra-id-as-a-saml-idp
I’ve been trying to integrate SAML authentication between FortiGate and Azure Active Directory, but despite everything being configured correctly, I’m encountering issues logging in.
Configuration:
SAML settings on FortiGate are correctly configured, including Entity ID, Single Sign-On URL, Single Logout URL, and IDP Entity ID (matching the Azure AD SAML application).
The SAML assertion received from Azure AD contains the correct username and group values as per the FortiGate SAML configuration.
Reply URL and Assertion Consumer Service (ACS) URL in Azure AD are set to match FortiGate's settings.
SAML signing certificate is correctly set in both Azure and FortiGate.
Issue:
When trying to log in, after authentication through Azure AD, it redirects back to the FortiGate login page instead of granting access. Everything looks correct in the SAML response, but it doesn’t seem to pass the authentication in FortiGate.
What I’ve Checked:
SAML assertion contains the correct values.
Groups and user attributes match the configured settings in FortiGate and Azure AD.
Has anyone experienced this issue before? Any tips or things I might have overlooked?
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_dacd288d-7a2d-4b01-8974-7d5a18367777" Version="2.0" IssueInstant="2025-01-10T07:50:33.338Z" Destination="https://20.20.1.254:1024/remote/saml/login" InResponseTo="_x" > <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/x-2dee-419b-971f-x/</Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_65bea932-0377-452f-a003-x" IssueInstant="2025-01-10T07:50:33.334Z" Version="2.0" > <Issuer>https://sts.windows.net/x-2dee-x-971f-x/</Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <Reference URI="#_65bea932-0377-452f-a003-0c4ae0343f00"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <DigestValue>x+0aCBDD7jisr3FIGsXi8o=</DigestValue> </Reference> </SignedInfo> <SignatureValue>2wY95QTWQL3N+HZz3YPkr6KJprP9LoVlVNZG3NX3hBHi3VDBjnFzwAqO3Dn0ninbWsGeAzmGM8oG/9cOCWUEI9r7Wb6tOThX82uFWTqZm0iTPLneMGwvYfHVS0CMYJqZFgQ3ttn2+x+tgcuKtC9vWEKOOcpt3Koyj9OceQSJbuquXeJ2C2sLRmdwjBMWLffgrL7ErMyCCN/x+sSQ==</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>MIIC8DCCAdigAwIBAgIQfFKk5+x/1JjD/x/rWSCcHmnHIXZaOADNmXwVRz+ycfFijF5erMbYw1spgtkI1Cs+LZ/DuR3TSyIoJp8CA7m4EsJU+x/0Y+cIa/7acEYbauY9z+x+cvRsc9VbNTZhRL/4DblNdnHgSfTMU5FblVCussplgasjm83X8IlPSBfiGjrTjXCjXYbjt6Q8rpuwRe/qiuQclRUnMFVxBQLBfvdA/ku3T9solt+x+mWJiPjf3q5MUCLJJHHF7J0JDf5FF7FbXjfuOBQ0R8KUUvpczUjk5MkXXO5cT3dJimen1INge4QPePs5og+Q18TgU+R9hDzHTUJWaEH3LVxY9T3rzOMXGQKnmb2gR2b/4DmH6hQ4BmT4+TkfCl6/3U+4eF01x+8J+x/Y1ce1LQ6zrNL2b1OYV23ipgpUSrWYPvsN9Lnl2MVVIK3LROUsoDJNQxC4wP22qR/BR+FVpOu7530QcND</X509Certificate> </X509Data> </KeyInfo> </Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">******@x-x.com</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData InResponseTo="_x" NotOnOrAfter="2025-01-10T08:50:33.244Z" Recipient="https://20.20.1.254:1024/remote/saml/login" /> </SubjectConfirmation> </Subject> <Conditions NotBefore="2025-01-10T07:45:33.244Z" NotOnOrAfter="2025-01-10T08:50:33.244Z" > <AudienceRestriction> <Audience>http://20.20.1.254:1024/remote/saml/metadata/</Audience> </AudienceRestriction> </Conditions> <AttributeStatement> <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"> <AttributeValue>x-2dee-419b-971f-x</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"> <AttributeValue>x-4305-x-ae3e-x</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"> <AttributeValue>x x</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"> <AttributeValue>https://sts.windows.net/x-2dee-419b-971f-x/</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"> <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509</AttributeValue> <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids"> <AttributeValue>x-3ef9-x-8143-x</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"> <AttributeValue>x</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"> <AttributeValue>x</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"> <AttributeValue>yx.com</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"> <AttributeValue>y.x.com</AttributeValue> </Attribute> <Attribute Name="groups"> <AttributeValue>d3d85f03-09ad-4ee2-97e4-x</AttributeValue> <AttributeValue>686a0906-490f-4998-94f8-x</AttributeValue> <AttributeValue>dd34c51a-a59d-4891-a30c-x</AttributeValue> </Attribute> <Attribute Name="username"> <AttributeValue>x </AttributeValue> </Attribute> </AttributeStatement> <AuthnStatement AuthnInstant="2025-01-10T05:12:12.049Z" SessionIndex="_65bea932-0377-452f-a003-" > <AuthnContext> <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified</AuthnContextClassRef> </AuthnContext> </AuthnStatement> </Assertion> </samlp:Response>
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 53%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIY%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 55.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
