Since I am tired of being a beta tester for Cisco products. I decided to try a different firewall this time around for my company. I looked at both Fortigate and Palo Alto as they seemed to be the leaders in the market right now. I did a bake off for features/functionality vs cost and Fortigate came out as the winner. The firewall was implemented with minimal issues and has been working flawlessly for us. While we were on this project we are also in the process of moving to Azure AD so I decided to combine the Microsoft MFA with our new firewall/vpn solution to save ourselves some money since then we wouldn’t need another 2 factor solution.
I went through the documentation from Fortigate and Microsoft on setting up the SAML authentication and it was pretty good for the most part. Here was the main document that I followed to get everything setup:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial
I did run into a few issues that I had to fix to get everything working with group memberships, so that users would be enabled to login based on their group and would have the correct policy applied to them.
Here are some things to be aware of and the changes I needed to make:
1. You must be on the 6.4.x code for Fortigate. There are issues with the lower code versions and SAML not working correctly or populating the tables with the necessary information.
2. Wipe out all of the extra entries under Users and Attributes Claims in Azure AD. This is all you should have:
3. Here is the necessary configuration on the Fortigate side:
config user saml
edit “azure”
set cert “Fortinet_Factory”
set entity-id “https://XXXXXXX/remote/saml/metadata”
set single-sign-on-url “https://XXXXXX/remote/saml/login”
set single-logout-url “https://SSSSSSSS/remote/saml/logout”
set idp-entity-id “https://sts.windows.net/6XXXXXXX/”
set idp-single-sign-on-url “https://login.microsoftonline.com/XXXXX/saml2”
set idp-single-logout-url “https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0”
set idp-cert “REMOTE_Cert_2”
set user-name “username”
set group-name “group”
next
end
After these changes everything worked perfectly, I am now in the process of rolling out our new vpn to the users in the company along with the Microsoft MFA client.
Breathe-Underwater 
isn’t there an error in the AzureAD claims? For the group claims, its mentioned as groups but in the fortigate config,it’s defined as “group” without s ?
LikeLike
Nope that is correct. That’s why I put this together because the documentation isn’t correct from MS or Fortinet.
LikeLike
thanks for doing this but still, the “set group-name” should be “groups” if the claim for user.groups is defined as groups, no? How else will the fortigate know what the group identifier is, if “group” is used?
Also, I am trying to do the same here. via web-vpn SAML to azureAD directly works (SSO without extra login) but when trying forticlient 6.4, I effectively get a azureAD login screen after which the vpn connection fails. (FortiOS runs 6.2, cannot upgrade to 6.4 on this production machine yet)
LikeLike
I tried both and only group worked. You have to be at 6.4 though, won’t work at 6.2. I spent days troubleshooting 6.2 and opened a ticket with Fortinet on it. There are a bunch of bugs with 6.2 and it won’t recognize the group or user attributes at 6.2. There is also a bug that if the tunnel does get established it will only allow one way traffic. To make this work you have to be at 6.4. I would wait to try until you can upgrade.
LikeLike
thanks for your reply, I am still triggered as it works almost perfect using the web ssl-vpn. I have also logged a ticket. We’ll see. thanks.
LikeLike
Which url use in the forticlient?
LikeLike
In testing I instantly keep getting “invalid http request” when I try to access https://XXXXXX/remote/saml/login
I am on 6.4x
Any ideas ?
LikeLike
I never tried to login via that method. I was just using the FortiClient and doing the saml through that. I believe trying to use the fortigate as the saml client is a different configuration that I haven’t tried.
LikeLike
I am also having the same issue but so far not able to resolve. Were you able to work this problem out?
LikeLike