Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP
This guide provides supplementary instructions on using SAML single sign-on (SSO) to authenticate SSL VPN users against Microsoft Entra ID in both tunnel and web modes. You can find the initial Azure configuration in Tutorial: Microsoft Entra SSO integration with FortiGate SSL VPN.
Before you begin the FortiOS configuration, ensure that you collect the following information from Azure to use in the SAML configuration:
| FortiGate SAML CLI setting | Equivalent Azure configuration |
|---|---|
| Service provider (SP) entity ID (entity-id) | Identifier (entity ID) |
| SP assertion consumer service URL (single-sign-on-url) | Reply URL (assertion consumer service URL) |
| SP single logout URL (single-logout-url) | Logout URL |
| Identity provider (IdP) entity ID (idp-entity-id) | Microsoft Entra ID identifier |
| IdP assertion consumer service URL (idp-single-sign-on-url) | Azure login URL |
| IdP single logout URL (idp-single-logout-url) | Azure logout URL |
| IdP certificate (idp-cert) | Base64 SAML certificate |
| Username attribute (user-name) | username |
| Group name attribute (group-name) | group |

Only a single group claim is allowed in the User Attributes & Claims section in Entra ID. You will need to delete the existing group claim and then add a new claim, or you can edit the existing group claim. With this approach, the end result is to change user.groups to All groups with a custom Claim Name of group. Alternatively, you can keep the existing group claim with default settings of user.groups set to Security Groups with Claim Name of http://schemas.microsoft.com/ws/2008/06/identity/claims/groups. This is a valid approach using the official claim name specified by Microsoft. Regardless of the approach chosen, you must ensure that in the FortiGate SAML SSO user settings, the
To configure SAML SSO:
- In FortiOS, download the Azure IdP certificate as Configure Microsoft Entra SSO describes.
- Upload the certificate as Upload the Base64 SAML Certificate to the FortiGate appliance describes.
- In the FortiOS CLI, configure the SAML user.
config user saml
edit "azure"
set cert "Fortinet_Factory"
set entity-id "https://<FortiGate IP address or fully qualified domain name (FQDN)>:<Custom SSL VPN port>/remote/saml/metadata"
set single-sign-on-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/login"
set single-logout-url "https://<FortiGate IP address or FQDN>:<Custom SSL VPN port>/remote/saml/logout"
set idp-entity-id "<Microsoft Entra ID identifier>"
set idp-single-sign-on-url "<Azure login URL>"
set idp-single-logout-url "<Azure logout URL>"
set idp-cert "<Base64 SAML certificate name>"
set user-name "username"
set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
next
end
In this example, assuming that the FortiGate IP address is 104.40.18.242, the commands are as follows:
config user saml
edit "azure"
set cert "Fortinet_Factory"
set entity-id "https://104.40.18.242:10443/remote/saml/metadata"
set single-sign-on-url "https://104.40.18.242:10443/remote/saml/login"
set single-logout-url "https://104.40.18.242:10443/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/04e..."
set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
set idp-cert "<Base64 SAML certificate name>"
set user-name "username"
set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
next
end
The user-name and group-name attributes configured on the FortiGate entry must exactly match the username and group attributes that Microsoft Entra ID returns. You can configure the list of SAML attributes that Microsoft Entra ID returns under User Attributes & Claims in the Azure portal. When you edit the group claim and select Security groups as the groups associated with the user that should be returned in the claim, Azure automatically adds a new claim name in the format http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.
FortiGate can optionally map users to specific groups based on the returned SAML user.groups attribute. The example shows group matching based on the Entra ID group Object ID, using the set group-name command:
config user group
edit FortiGateAccess
set member azure
config match
edit 1
set server-name azure
set group-name <object ID>
next
end
next
end
You can find the full list of group claims in Configure group claims for applications by using Microsoft Entra ID.
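To make the exact-match requirement concrete, the following is an added Python example, not part of this guide and not FortiOS code. It applies the same matching to a constructed assertion body: the claim named by user-name must be present exactly once, and at least one value of the claim named by group-name must equal a group object ID configured under config user group. The assertion, the username and the tenant ID are constructed placeholders; the two group object IDs are the ones that appear in the samld debug output in the troubleshooting section. Signature validation is out of scope here because the FortiGate performs it with idp-cert before any attribute is evaluated.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion body (not a real Entra ID response; the tenant ID
# and username are placeholders). Only the AttributeStatement is modelled because
# that is all the user-name / group-name matching looks at.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.onmicrosoft.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>3a0e3f1c-93c6-4be6-bdbe-b5d28a20cfa0</saml:AttributeValue>
      <saml:AttributeValue>8fb8c5ee-b253-44cc-a88f-4bd62dfaf2d2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def evaluate_login(assertion_xml, user_name_attr, group_name_attr, allowed_group_ids):
    """Apply the matching the guide describes. Claim names are compared exactly
    (case and full URL), which is why a FortiGate configured for the custom claim
    name "group" never matches the default Microsoft claim name, and vice versa."""
    attrs = parse_attributes(assertion_xml)
    user_values = attrs.get(user_name_attr, [])
    if len(user_values) != 1:
        return {"ok": False, "user": None, "matched_groups": [],
                "reason": "user-name claim %r missing or not single-valued" % user_name_attr}
    matched = sorted(set(attrs.get(group_name_attr, [])) & set(allowed_group_ids))
    if not matched:
        return {"ok": False, "user": user_values[0], "matched_groups": [],
                "reason": "no value of group-name claim %r matches a configured group object ID"
                          % group_name_attr}
    return {"ok": True, "user": user_values[0], "matched_groups": matched, "reason": ""}


if __name__ == "__main__":
    allowed = ["3a0e3f1c-93c6-4be6-bdbe-b5d28a20cfa0"]  # object ID from config user group
    groups_claim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    # Claim names match the CLI example in this guide: the user lands in the group.
    print(evaluate_login(SAMPLE_ASSERTION, "username", groups_claim, allowed))
    # FortiGate set to the custom claim name "group" while Entra ID still sends the
    # default claim name: authentication succeeds at the IdP but no group matches.
    print(evaluate_login(SAMPLE_ASSERTION, "username", "group", allowed))
```

The second call reproduces the most common mapping failure: the user authenticates at Entra ID, but because the group-name value does not match the claim name actually sent, the user is placed in no FortiGate group, so no Authentication/Portal Mapping entry or firewall policy applies.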
Configure the remote authentication timeout value as needed:
config system global
set remoteauthtimeout 60
end
To configure SSL VPN settings:
- Go to VPN > SSL VPN Settings. Enable SSL VPN.
- Configure Listen on Interface(s).
- Configure the Listen on Port. This port should be the port used in the SP URLs in the SAML configurations.
- Select a server certificate. Fortinet_Factory is used by default. This certificate should match the SP certificate used in the SAML configurations.
Self-signed certificates are provided by default to simplify initial installation and testing. Acquiring a signed certificate for your installation is HIGHLY recommended.
Continuing to use these certificates can result in your connection being compromised, allowing attackers to steal your information, such as credit card details.
For more information, see Use a non-factory SSL certificate for the SSL VPN portal and learn about Procuring and importing a signed SSL certificate.
- Under Authentication/Portal Mapping, click Create New.
- Set Users/Groups to the user group that you defined earlier. In this example, it is FortiGateAccess.
- Set Portal to the desired SSL VPN portal.
- Click OK.
- Click Apply.
To configure a firewall policy:
- Go to Policy & Objects > Firewall Policy. Click Create new to create a new SSL VPN firewall policy.
- Select the incoming and outgoing interfaces. The incoming interface is the SSL VPN tunnel interface (ssl.root).
- For Source, select the SSL VPN tunnel address group and FortiGateAccess user group.
- Configure other settings as desired.
- Click OK.
To connect in web mode:
- Go to https://<FortiGate IP address>:10443 in a browser.
- Click Single Sign-On. The browser redirects to the Azure login portal.
- Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
To connect in tunnel mode with FortiClient:
- In FortiClient, go to Remote Access.
- Add a new connection:
- Enter the desired connection name and description.
- Set the remote gateway to the FortiGate's fully qualified domain name or IP address.
- Enable Customize port, then specify the SSL VPN port.
- Select Enable Single Sign On (SSO) for VPN Tunnel.
- (Optional) Enable Use external browser as user-agent for saml user authentication if you want users to use their browser session for login.
- Click Save.
- Click SAML Login. FortiClient redirects the user to the Azure login portal.
- Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
To troubleshoot:
diagnose debug application samld -1
diagnose debug application sslvpn -1
The output should resemble the following:
samld_send_common_reply [123]: Attr: 17, 27, magic=a8111ca2943ecd0c
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
samld_send_common_reply [120]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/'
samld_send_common_reply [120]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [120]: Attr: 10, 49, 'Username' 'mremini@innovcenter.onmicrosoft.com'
samld_send_common_reply [120]: Attr: 10, 51, 'UserGroup' '3a0e3f1c-93c6-4be6-bdbe-b5d28a20cfa0'
samld_send_common_reply [120]: Attr: 10, 51, 'UserGroup' '8fb8c5ee-b253-44cc-a88f-4bd62dfaf2d2'
[924:root:5c]req: /remote/saml/start
[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info
[924:root:5c]rmt_web_get_access_cache:804 invalid cache, ret=4103
[924:root:5c]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.
[924:root:5c]sslvpn_auth_check_usrgroup:2145 got user (1) group (1:0).
[924:root:5c]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (0), realm ((null)).
[924:root:5c]sslvpn_validate_user_group_list:1963 got user (1:0), group (1:0) peer group (0).
[924:root:0]total sslvpn policy count: 1
[924:root:5c]req: /remote/saml/login
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/displayname
[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/identityprovider
[924:root:5c]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[924:root:5c]rmt_web_session_create:781 create web session, idx[0]
[924:root:5c]User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=no
[924:root:5c]req: /sslvpn/portal.html
[924:root:5c]mza: 0x28587b0 /sslvpn/portal.html
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[924:root:5c]req: /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/req
[924:root:5c]mza: 0x2858620 /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/require_all.js
[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,saml_logout_url=yes
[919:root:0]allocSSLConn:289 sconn 0x7f5962887000 (0:root)
total sslvpn policy count: 1
[925:root:0]total sslvpn policy count: 1
[923:root:7b]req: /remote/logout
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=yes
[923:root:7b]session removed s: 0x7f5962887000 (root)
[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=no
[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service
[924:root:7a]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[924:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
[924:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[924:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
[923:root:7c]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0
[923:root:7c]Destroy sconn 0x7f5962888900, connSize=1. (root)
[923:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0
[923:root:7b]Destroy sconn 0x7f5962887000, connSize=0. (root)
[925:root:7a]SSL state:warning close notify (208.91.115.10)
[925:root:7a]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)
dchaofgt # [925:root:7b]SSL state:warning close notify (208.91.115.10)
[925:root:7b]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)
[925:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)
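The samld Attr lines are the quickest place to confirm what Entra ID actually sent before looking at the sslvpn policy evaluation. The following is an added Python example, not FortiOS code, that parses samld output in the format shown above into a name/value map and reports the username, the returned group object IDs, whether any group claim arrived at all, and whether the authnmethodsreferences claim lists only password authentication. The sample output is constructed from the lines above with a placeholder tenant ID and username; the attribute names 'Username' and 'UserGroup' are the ones samld prints for the mapped user-name and group-name attributes, as the output above shows.

```python
import re

# Constructed sample of `diagnose debug application samld -1` output, modelled on the
# lines shown in this guide. The tenant ID and username are placeholders, not real data.
SAMPLE_SAMLD_OUTPUT = """\
samld_send_common_reply [123]: Attr: 17, 27, magic=a8111ca2943ecd0c
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'
samld_send_common_reply [120]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [120]: Attr: 10, 49, 'Username' 'alice@example.onmicrosoft.com'
samld_send_common_reply [120]: Attr: 10, 51, 'UserGroup' '3a0e3f1c-93c6-4be6-bdbe-b5d28a20cfa0'
samld_send_common_reply [120]: Attr: 10, 51, 'UserGroup' '8fb8c5ee-b253-44cc-a88f-4bd62dfaf2d2'
"""

# The same exchange with the group claim removed from the Entra ID application:
# the login still completes at the IdP, but no UserGroup attribute reaches the
# FortiGate, so group mapping under config user group cannot succeed.
SAMPLE_NO_GROUP_OUTPUT = "\n".join(
    line for line in SAMPLE_SAMLD_OUTPUT.splitlines() if "'UserGroup'" not in line
)

AUTHN_METHODS_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"

# One quoted name followed by one quoted value; the magic line has neither and is skipped.
ATTR_RE = re.compile(r"samld_send_common_reply \[\d+\]: Attr: \d+, \d+, '([^']*)' '([^']*)'")


def parse_samld_attributes(output):
    """Collect the quoted name/value pairs from samld Attr lines into {name: [values]}.
    A name repeated on several lines (one per group) accumulates its values in order."""
    attrs = {}
    for line in output.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def summarize_login(output):
    """Reduce one samld reply to the facts that decide the SSL VPN group mapping."""
    attrs = parse_samld_attributes(output)
    methods = attrs.get(AUTHN_METHODS_CLAIM, [])
    return {
        "user": (attrs.get("Username") or [None])[0],
        "groups": attrs.get("UserGroup", []),
        # False here means the Entra ID app is not emitting a group claim at all.
        "group_claim_present": "UserGroup" in attrs,
        # True when every listed authentication method is the password method.
        "password_only": bool(methods) and all(m.endswith("/password") for m in methods),
    }


if __name__ == "__main__":
    print(summarize_login(SAMPLE_SAMLD_OUTPUT))
    print(summarize_login(SAMPLE_NO_GROUP_OUTPUT))
```

When group_claim_present is False the fix belongs in the Entra ID group claim configuration, not on the FortiGate; when it is True but the expected object ID is absent, compare the IDs against the set group-name values under config user group. The password_only flag is a convenient place to notice logins that completed without any additional authentication method.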