UltraNote: SAML SSL VPN settings changes
I spent the better part of 2 hours chasing this down, and it frustrated me. In my lab, I am running 7.0.2 and was rebuilding my SSL VPN integration with Azure. This is something I've done many times by now, and yet it would not work!
What would happen is I would authenticate, and then the browser session would hang for the longest time, and then I'd be redirected to my /remote/saml/login/ URL and get an error saying 'invalid http request'.
Running a debug on samld and sslvpnd, I kept noticing something in the SAML debug after authentication that referred to an "invalid signature". After reviewing my settings for what seemed to be the thousandth time, I noticed this setting:
config user saml
    edit "azure.saml.idp"
        set cert "cert"
        set entity-id "https://<ssl_vpn_fqdn>/remote/saml/metadata/"
        set single-sign-on-url "https://<ssl_vpn_fqdn>/remote/saml/login/"
        set single-logout-url "https://<ssl_vpn_fqdn>/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
        set idp-cert "sso.azure"
        set user-name "username"
        set digest-method sha1
    next
end
I did not recall seeing that in older configurations that I did on 6.4.x. I couldn't find anything in the release notes or docs. So I decided to check out the values; it comes with 2 values:

    set digest-method sha1
    set digest-method sha256
I noticed the default seemed to be SHA1, so I figured what the heck, I'll try SHA256. Lo and behold, VPN started working!
If you're having trouble with SSL VPN and SAML using a third-party IdP on FortiOS 7.0, verify your SAML digest-method is set to the correct value. In the case of Microsoft's Azure AD, it's going to be SHA256.
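Rather than guessing between the two values, you can read the algorithm the IdP actually signs with straight out of a SAML response (or signed IdP metadata) and map it to the matching digest-method keyword. The script below is an added example and not code from the original post or from Fortinet; it uses only the Python standard library. The SAML response embedded in it is a constructed skeleton shaped like the Azure AD case described above (SHA-256 digest, RSA-SHA256 signature) with placeholder IDs, tenant and signature values, and the mapping from XML-DSig algorithm URIs to the FortiOS sha1/sha256 keywords is this example's own assumption that the hash family must match.

```python
# Added example (not from the original post): inspect the ds:DigestMethod and
# ds:SignatureMethod algorithms used in a SAML document and map them to the
# FortiOS "set digest-method" value discussed above.
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML-DSig / XML-Enc algorithm URIs -> FortiOS digest-method keyword.
# Assumption of this example: the FortiGate keyword must match the hash family
# the IdP uses for both the reference digest and the signature itself.
DIGEST_TO_FORTIOS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}
SIGNATURE_TO_FORTIOS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256",
}


def inspect_signature_algorithms(xml_text: str) -> dict:
    """Return the algorithm URIs of every ds:DigestMethod / ds:SignatureMethod.

    Works on a SAML Response or Assertion signed by the IdP, and on IdP metadata
    that is itself signed. Result: {"digest": [...], "signature": [...]}.
    """
    root = ET.fromstring(xml_text)
    digests = [el.get("Algorithm") for el in root.iter(f"{{{DS_NS}}}DigestMethod")]
    sigs = [el.get("Algorithm") for el in root.iter(f"{{{DS_NS}}}SignatureMethod")]
    return {"digest": digests, "signature": sigs}


def recommended_fortios_digest_method(xml_text: str) -> str:
    """Map what the IdP actually signs with to a 'set digest-method' value.

    Raises ValueError when the document carries no signature, mixes SHA-1 and
    SHA-256, or uses an algorithm outside the two FortiOS keywords, so a
    mismatch is reported instead of silently picking one family.
    """
    algs = inspect_signature_algorithms(xml_text)
    families = set()
    for uri in algs["digest"]:
        families.add(DIGEST_TO_FORTIOS.get(uri, f"unsupported:{uri}"))
    for uri in algs["signature"]:
        families.add(SIGNATURE_TO_FORTIOS.get(uri, f"unsupported:{uri}"))
    if not families:
        raise ValueError("no ds:Signature found in document")
    if len(families) != 1:
        raise ValueError(f"mixed or unsupported algorithms: {sorted(families)}")
    (family,) = families
    if family.startswith("unsupported:"):
        raise ValueError(family)
    return family


# Constructed sample: a minimal signed SAML Response skeleton in the shape the
# post describes for Azure AD (SHA-256 digest, RSA-SHA256 signature). The IDs,
# tenant, digest and signature values are placeholders, not real data.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-response-id" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_placeholder-assertion-id" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_placeholder-assertion-id">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    print(inspect_signature_algorithms(SAMPLE_RESPONSE))
    print("set digest-method", recommended_fortios_digest_method(SAMPLE_RESPONSE))
```

To use it on a real deployment, save the SAML response captured from the browser (or the IdP's signed federation metadata) to a file and pass its contents to recommended_fortios_digest_method; the printed keyword is the one to set under config user saml. The function deliberately refuses to answer when the digest and signature algorithms disagree, since that is exactly the kind of mismatch that surfaces in samld debug as an invalid signature.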
Thank you for reading, I hope this helps.