I spent the better part of 2 hours chasing this down, and it frustrated me. In my lab, I am running 7.0.2 and was rebuilding my SSL VPN integration with Azure. This is something I've done many times by now, and yet it would not work!
What would happen is I would authenticate, and then the browser session would hang for the longest time, and then I'd be redirected to my /remote/saml/login/ URL and get an error saying 'invalid http request'.
Running a debug on samld and sslvpnd, I kept noticing something in the SAML debug after authentication that referred to an "invalid signature". After reviewing my settings for what seemed to be the thousandth time, I noticed this setting:
config user saml
edit "azure.saml.idp"
set cert "cert"
set entity-id "https://<ssl_vpn_fqdn>/remote/saml/metadata/"
set single-sign-on-url "https://<ssl_vpn_fqdn>/remote/saml/login/"
set single-logout-url "https://<ssl_vpn_fqdn>/remote/saml/logout/"
set idp-entity-id "https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxx/"
set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxx/saml2"
set idp-cert "sso.azure"
set user-name "username"
set digest-method sha1
next
end
I did not recall seeing that in older configurations that I did on 6.4.x. I couldn't find anything in the release notes or docs. So I decided to check out the values; it comes with two values:
set digest-method sha1
or
set digest-method sha256
I noticed the default seemed to be SHA1, so I figured what the heck, I'll try SHA256. Lo and behold, VPN started working!
In summary:
If you're having trouble with SSL VPN and SAML using a third-party IdP on FortiOS 7.0, verify your SAML digest-method is set to the correct value. In the case of Microsoft's Azure AD, it's going to be SHA256.
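As an added diagnostic (my own helper, not a script from the original post or from Fortinet), the Python below decodes a base64 SAMLResponse as the IdP posts it (HTTP-POST binding), reads the SignatureMethod and DigestMethod algorithms out of the XML signature, and maps them to the value FortiOS expects for digest-method so you can compare before touching the config. The sample response is constructed with placeholder values, and the host vpn.example.com is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# XML-DSig algorithm URIs mapped to the two values FortiOS accepts for digest-method.
ALG_TO_FORTIOS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "sha256",
}

def signature_algorithms(saml_response_b64):
    """Return the set of algorithms used by every ds:Signature in a base64 SAMLResponse,
    as FortiOS digest-method names ('sha1'/'sha256'), or the raw URI if unmapped."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = set()
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iter(DS + tag):
            uri = el.get("Algorithm", "")
            found.add(ALG_TO_FORTIOS.get(uri, uri))
    return found

def suggested_digest_method(saml_response_b64):
    """Suggest the 'set digest-method' value that matches the IdP's response, or None
    when the response is unsigned, mixes algorithms, or uses one FortiOS does not list."""
    algs = signature_algorithms(saml_response_b64)
    if len(algs) == 1 and algs <= {"sha1", "sha256"}:
        return next(iter(algs))
    return None

# Constructed sample shaped like an Azure AD response (placeholder values, not a real capture).
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0"
  Destination="https://vpn.example.com/remote/saml/login/">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_example">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    # For the constructed sample this prints {'sha256'} sha256
    print(signature_algorithms(SAMPLE_B64), suggested_digest_method(SAMPLE_B64))
```

Feed it the SAMLResponse form value captured from the browser's POST to /remote/saml/login/; a result of None means the response is worth a closer look rather than a config change.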
Thank you for reading, I hope this helps.
Madman out!