• Matt Sherif

UltraNote: SAML SSL VPN settings changes

I spent the better part of 2 hours chasing this down, and it frustrated me. In my lab, I am running 7.0.2 and was rebuilding my SSL VPN integration with Azure. This is something I've done many times by now, and yet it would not work!

What would happen is I would authenticate, and then the browser session would hang for the longest time, and then I'd be redirected to my /remote/saml/login/ URL and get an error saying 'invalid http request'.

Running a debug on samld and sslvpnd I kept noticing something in the SAML debug after authentication that referred to an "invalid signature". After reviewing my settings for what seemed to be the thousandth time, I noticed this setting:

config user saml
    edit "azure.saml.idp"
        set cert "cert"
        set entity-id "https://<ssl_vpn_fqdn>/remote/saml/metadata/"
        set single-sign-on-url "https://<ssl_vpn_fqdn>/remote/saml/login/"
        set single-logout-url "https://<ssl_vpn_fqdn>/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
        set idp-cert "sso.azure"
        set user-name "username"
        set digest-method sha1

I did not recall seeing that in older configurations that I did on 6.4.x. I couldn't find anything in the release notes, or docs. So I decided to check out the values, it comes with 2 values:

set digest-method sha1
set digest-method sha256

I noticed the default seemed to be SHA1, so I figured what the heck, I'll try SHA256. Lo and behold, VPN started working!

In Summary:

If you're having trouble with SSL VPN and SAML using a 3rd party IdP on FortiOS 7.0, verify your SAML digest-method is set to the correct value. In the case for Microsoft's Azure AD, it's going to be SHA256.

Thank you for reading, I hope this helps.

Madman out!


Recent Posts

See All

In assisting a customer with the AD FS configuration we encountered some difficulties in redirection. The particular issue looked like this: User would would type in the SSL VPN URL User would be redi