FortiGate SSL VPN SAML SSO with Microsoft Entra ID: A Technical Investigation

Configure FortiGate SSL VPN single sign-on with Microsoft Entra ID using SAML. Step-by-step guide, troubleshooting, and security best practices.

The Architecture of Identity: How FortiGate and Entra ID Converge

Enterprise network access has evolved beyond static credentials. Organizations deploying FortiGate SSL VPN infrastructure increasingly seek integration with Microsoft Entra ID to centralize authentication, enforce conditional access policies, and streamline user provisioning. This investigation examines the technical mechanics, configuration prerequisites, and operational considerations for implementing SAML-based single sign-on between FortiGate SSL VPN and Microsoft Entra ID.

The integration operates on SAML 2.0 federation principles. FortiGate functions as the service provider (SP), while Entra ID assumes the identity provider (IdP) role. In the SP-initiated flow, FortiGate redirects the user's browser to Entra ID's SAML sign-on endpoint, where the user authenticates and any Conditional Access policy is evaluated; Entra ID then returns a signed assertion through the browser to FortiGate's assertion consumer service (ACS) URL, and FortiGate validates the signature, audience and validity window before establishing the VPN session.

Prerequisites and Foundational Requirements

Infrastructure Readiness

Successful deployment demands several baseline conditions. The FortiGate appliance must run FortiOS 6.2.0 or later, with SSL VPN functionality enabled and reachable via a public IP address or fully qualified domain name. Administrators require privileged access to both the FortiGate CLI and the Microsoft Entra admin center, with roles sufficient to register enterprise applications and manage SSO configurations.

Because the SAML flow is browser-driven, it is the user's browser (or FortiClient) that must reach login.microsoftonline.com and related Microsoft Entra endpoints over HTTPS; FortiGate itself receives the assertion only through the browser's POST to its ACS URL. Time synchronization via NTP on FortiGate is non-negotiable: SAML assertions carry NotBefore and NotOnOrAfter conditions, and clock skew exceeding five minutes will cause authentication failures that look like signature or policy errors.

Certificate Management

SSL/TLS certificates underpin both transport security and SAML assertion signing. FortiGate requires a server certificate for its SSL VPN listener, ideally issued by a publicly trusted certificate authority. Self-signed certificates function for testing but trigger client warnings and complicate certificate pinning in automated deployments.

Entra ID provides a SAML signing certificate during application registration. This certificate, exported in Base64 format, must be imported into FortiGate's certificate store as a remote certificate. Mismatched or expired certificates represent a frequent failure point during initial integration testing.

Configuring Microsoft Entra ID as SAML Identity Provider

Application Registration and SAML Parameters

Within the Entra admin center, administrators register FortiGate SSL VPN as an enterprise application. The configuration interface requires four critical URL values, each derived from the FortiGate deployment:

  • Identifier (Entity ID): https://<fortigate-fqdn>:<ssl-vpn-port>/remote/saml/metadata
  • Reply URL (Assertion Consumer Service): https://<fortigate-fqdn>:<ssl-vpn-port>/remote/saml/login
  • Sign-on URL: https://<fortigate-fqdn>:<ssl-vpn-port>/remote/saml/login
  • Logout URL: https://<fortigate-fqdn>:<ssl-vpn-port>/remote/saml/logout

Port numbers must match the SSL VPN listener configuration on FortiGate. Default deployments often use port 10443, but custom configurations vary.

Claim Mapping: The Bridge Between Systems

SAML assertions carry user identity and group membership data through claims. FortiGate reads two attributes from the assertion. The attribute names themselves are not fixed; they simply have to match the values of set user-name and set group-name in the FortiGate SAML user object. The conventional names used in Microsoft's FortiGate tutorial are:

Claim name   Source attribute          Purpose
username     user.userprincipalname    Maps the Entra ID user to a FortiGate username
group        user.groups               Carries group membership for FortiGate group matching

Entra ID emits only one group claim per enterprise application, but that claim is multi-valued: each group the user belongs to appears as a separate AttributeValue inside the single group attribute. Administrators must either modify the default user.groups claim to return "All groups" (or "Groups assigned to the application") with a custom claim name of group, or delete the existing claim and recreate it with these parameters. Group Object IDs, rather than display names, provide reliable matching in FortiGate rules because display names can be renamed or duplicated. One caveat: a user who is a member of more than 150 groups receives a group-overage claim instead of the list, so either scope the claim to groups assigned to the application or keep membership counts below that limit.

FortiGate CLI Configuration: The Service Provider Perspective

SAML User Definition

FortiGate configuration proceeds via command-line interface. The SAML user object binds Entra ID metadata to local authentication logic:

config user saml
    edit "entra-id"
        set cert "FortiGate-SSL-Cert"
        set entity-id "https://fortigate.example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://fortigate.example.com:10443/remote/saml/login"
        set single-logout-url "https://fortigate.example.com:10443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<tenant-id>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<tenant-id>/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end

Attribute names in user-name and group-name must precisely match the claim names configured in Entra ID; the comparison is case-sensitive. The idp-cert value is the name FortiGate assigned to the Entra ID signing certificate on import (REMOTE_Cert_N), not the file name that was uploaded.

Group-Based Authorization

FortiGate user groups enable policy enforcement based on Entra ID group membership. Configuration references the Object ID of the target security group:

config user group
    edit "VPN-Users"
        set member "entra-id"
        config match
            edit 1
                set server-name "entra-id"
                set group-name "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
            next
        end
    next
end

A FortiGate user group matches if any Object ID in the assertion's group attribute equals one of its config match entries, so several FortiGate groups can be driven from the single Entra ID claim. Administrators can define one FortiGate group per resource tier, each matching a different Entra ID security group, and apply distinct firewall policies to each.

SSL VPN Portal and Policy Integration

Portal Configuration

Within FortiGate's SSL VPN settings, administrators enable the service, specify listening interfaces and ports, and assign the server certificate. Authentication/Portal Mapping links the previously defined user group to a portal template—typically "full-access" for tunnel mode or "web-access" for browser-based connections.

Firewall Policy Enforcement

Traffic authorization occurs through explicit firewall policies. The source interface references ssl.root; the source address is the SSL VPN tunnel IP pool; and the authorized FortiGate user group is set in the policy's source user/group field (set groups in the CLI), which is what ties the SAML group match to the policy. Destination parameters define the accessible internal resources. FortiGate evaluates policies top-down and applies the first match, so specific allow rules must sit above any broader rules, with the implicit deny catching everything else.

Client-Side Connection Methods

Browser-Based Web Mode

Users navigate to https://<fortigate-fqdn>:<port> and select the Single Sign-On option. The browser redirects to Entra ID's authentication page. After successful credential validation and any required multi-factor authentication, the session returns to FortiGate's portal, where the user gains access to assigned resources.

FortiClient Tunnel Mode

FortiClient configuration requires enabling "Single Sign-On (SSO) for VPN Tunnel" within the connection profile. The "Use external browser for SAML authentication" option leverages the system browser for credential entry, preserving existing Entra ID sessions and reducing authentication prompts.

Diagnostic Procedures and Common Failure Modes

Debug Command Sequences

When authentication fails, FortiGate's diagnostic commands reveal assertion parsing and policy evaluation details:

diagnose debug reset
diagnose debug application samld -1
diagnose debug application sslvpn -1
diagnose debug console timestamp enable
diagnose debug enable

Output displays SAML attribute extraction, group matching results, and policy decision logic. Administrators should verify that the username and group attributes appear in the parsed assertion under the exact names configured, and that the group Object IDs in the assertion match the configured config match values. Disable debugging with diagnose debug disable when finished; the output is verbose and costs CPU on production units.

Recurring Configuration Errors

Several patterns emerge from deployment troubleshooting:

  • URL mismatches: Trailing slashes, HTTP versus HTTPS, or port discrepancies between the Entra ID application and the FortiGate SAML user object break the flow. The Entity ID in particular is compared as an exact string against the assertion's Audience element.
  • Claim name inconsistencies: FortiGate's set group-name and set user-name values must exactly match the Entra ID claim names, including case.
  • Certificate validation failures: Expired server certificates, untrusted certificate authorities, or hostname mismatches interrupt the TLS handshake; separately, an idp-cert that does not match the current Entra ID signing certificate causes assertion signature verification to fail even though TLS succeeds.
  • Group claim limitations: Entra ID emits a single, multi-valued group claim per application and replaces it with an overage claim when a user exceeds 150 groups, so organizations with large group hierarchies should scope the claim to groups assigned to the application.
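To make the claim mapping and the failure modes above concrete, here is an added example (written for this article, not code from Fortinet or from the original page) that applies to a constructed, unsigned Entra ID assertion the same checks FortiGate's samld performs: extract the username and the multi-valued group attribute, apply the user-name / group-name mapping and config match rules, and test the NotBefore, NotOnOrAfter and Audience conditions with a five-minute skew allowance. XML signature verification against the imported IdP certificate is deliberately left out; any real validator must do it first. The SP entity ID, attribute names and group Object IDs are assumptions that mirror the CLI example earlier in the article.

```python
# Added example: a small checker for an Entra ID SAML assertion, modelled on the
# tests FortiGate performs (minus signature verification). Not Fortinet code.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed SP settings, mirroring `config user saml` in the article.
SP_ENTITY_ID = "https://fortigate.example.com:10443/remote/saml/metadata"
USER_ATTR = "username"   # must equal `set user-name`
GROUP_ATTR = "group"     # must equal `set group-name` (case-sensitive)
MAX_SKEW = timedelta(minutes=5)

# Mirrors `config user group ... config match ... set group-name <Object ID>`.
# The Object IDs are made up for this example.
FORTIGATE_GROUPS = {
    "VPN-Users":  ["a1b2c3d4-e5f6-7890-abcd-ef1234567890"],
    "VPN-Admins": ["0f0f0f0f-1111-2222-3333-444444444444"],
}

# Constructed (unsigned) assertion in the shape Entra ID emits when the group
# claim is set to "All groups": one Attribute, one AttributeValue per group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://fortigate.example.com:10443/remote/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>a1b2c3d4-e5f6-7890-abcd-ef1234567890</saml:AttributeValue>
      <saml:AttributeValue>9999aaaa-bbbb-cccc-dddd-eeeeffff0000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_claims(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement.
    Multi-valued attributes (the Entra ID group claim) keep every value."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        claims[attr.get("Name")] = values
    return claims


def check_conditions(assertion_xml, now_iso, sp_entity_id=SP_ENTITY_ID, max_skew=MAX_SKEW):
    """Return a list of problems with <Conditions>; an empty list means acceptable.
    `now_iso` is the SP's clock (e.g. "2024-05-01T12:30:00Z"). The Audience is
    compared as an exact string, so a trailing slash or a different port in
    the Entra ID Identifier shows up here, as it would on FortiGate."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return ["assertion has no Conditions element"]
    now = _ts(now_iso)
    problems = []
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + max_skew < _ts(not_before):
        problems.append("assertion not yet valid (check NTP on FortiGate)")
    if not_on_or_after and now - max_skew >= _ts(not_on_or_after):
        problems.append("assertion expired (check NTP on FortiGate)")
    audiences = [a.text.strip() for a in cond.findall(".//saml:Audience", SAML_NS) if a.text]
    if audiences and sp_entity_id not in audiences:
        problems.append(f"audience {audiences} does not match SP entity-id {sp_entity_id}")
    return problems


def resolve_user(claims, user_attr=USER_ATTR, group_attr=GROUP_ATTR, groups=FORTIGATE_GROUPS):
    """Apply the user-name / group-name mapping and the config match rules.
    Returns (username, [FortiGate groups matched]). A None username or an
    empty group list is what precedes an FNBAM_DENIED entry in the logs."""
    username = (claims.get(user_attr) or [None])[0]
    presented = set(claims.get(group_attr, []))
    matched = [name for name, oids in groups.items() if presented.intersection(oids)]
    return username, matched


if __name__ == "__main__":
    claims = parse_claims(SAMPLE_ASSERTION)
    print("conditions:", check_conditions(SAMPLE_ASSERTION, "2024-05-01T12:30:00Z") or "ok")
    print("resolved:", resolve_user(claims))
    # Reproduce two recurring errors: a case mismatch in the claim name and a
    # trailing slash on the Entity ID.
    print("wrong case:", resolve_user(claims, group_attr="Group"))
    print("trailing slash:", check_conditions(SAMPLE_ASSERTION, "2024-05-01T12:30:00Z",
                                              sp_entity_id=SP_ENTITY_ID + "/"))
```

Paste the assertion that samld prints in its debug output in place of SAMPLE_ASSERTION (with the Signature element removed if the parser objects to it) and the checker reports the same conditions FortiGate evaluated, which is usually faster than reading the raw debug stream.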

FortiClient-Specific Considerations

Version incompatibilities between FortiClient and FortiGate can manifest as repeated authentication prompts or failed SAML redirects. Testing with the latest compatible client versions, and enabling external browser authentication, mitigates many client-side issues.

Security and Operational Best Practices

Certificate Lifecycle Management

Automated certificate renewal prevents service interruptions. Let's Encrypt integration via FortiGate's ACME client supports automated TLS certificate provisioning for the SSL VPN listener. The SAML signing certificate is a separate lifecycle: when Entra ID's signing certificate is rotated, the new certificate must be imported into FortiGate and referenced by set idp-cert before the old one expires, or every assertion will fail signature verification.

Least-Privilege Group Design

Rather than granting blanket VPN access, organizations should define Entra ID security groups corresponding to specific access tiers. FortiGate policies can then enforce network segmentation, limiting user reach to necessary resources only.

Conditional Access Integration

Entra ID Conditional Access policies add contextual controls to VPN authentication. Administrators can require compliant devices, restrict access by location, or mandate multi-factor authentication for high-risk sign-ins. These policies evaluate during the Entra ID authentication phase, before the SAML assertion reaches FortiGate.

Logging and Audit Trails

FortiGate logs SAML authentication events to memory, disk, syslog, FortiAnalyzer or FortiGate Cloud, depending on model and logging configuration. Entra ID sign-in logs capture detailed authentication metadata, including Conditional Access results. Correlating timestamps and user identifiers across both systems accelerates incident investigation and compliance reporting.

Frequently Asked Questions

What FortiOS versions support Microsoft Entra ID SAML SSO for SSL VPN?
FortiOS 6.2.0 introduced SAML SSO support for SSL VPN. Versions 7.0 and later include GUI-based SAML configuration, though the CLI commands remain consistent across versions. FortiOS 7.6.3 removes SSL VPN tunnel mode; Fortinet directs tunnel-mode users to IPsec VPN, while web mode continues as agentless VPN.

How do I handle multiple group claims from Entra ID?
Entra ID permits only one group claim per application in SAML assertions, but that claim is multi-valued: every group Object ID is returned as a separate value of the same attribute. FortiGate matches each user group's config match entries against any of those values, so organizations can define several FortiGate user groups (one per access tier), each matching a different Object ID, without needing multiple claims. Where that is impractical, a single "VPN-authorized" group can gate access while resource permissions are managed by other mechanisms.

Why does authentication succeed but users cannot access network resources?
Successful SAML authentication establishes user identity but does not automatically grant network access. Administrators must verify that firewall policies reference the correct user group, that the SSL VPN address pool has sufficient addresses, and that routing permits traffic between the SSL VPN interface and target destinations.

Can I use conditional access policies with FortiGate SSL VPN SSO?
Yes. Conditional Access policies evaluate during Entra ID authentication, before the SAML assertion is issued. Policies requiring compliant devices, approved locations, or multi-factor authentication apply seamlessly to FortiGate VPN connections configured with Entra ID SSO.

What troubleshooting steps resolve "FNBAM_DENIED" errors?
This error indicates FortiGate's authentication daemon rejected the SAML login. Verify that the user-name and group-name attributes in FortiGate match the Entra ID claim names exactly, including case. Check that the imported IdP certificate matches the one currently downloaded from Entra ID, and that the Object IDs in the assertion's group attribute appear in a config match entry of a FortiGate user group referenced by the portal mapping. Enable SAML debugging to inspect the assertion contents and the group matching result.