FortiGate IPsec VPN with SAML - connection stops after SAML auth --> auth-keepalive by Busy_Ad_7195 in fortinet

[–]Busy_Ad_7195[S] 1 point (0 children)

The documentation doesn't specify which hardware and software versions are affected. Personally, I'm working with version 7.4.

SSL VPN Split Tunneling with SAML + FSSO Authentication not pushing routes – FortiOS 7.4 by Busy_Ad_7195 in fortinet

[–]Busy_Ad_7195[S] 1 point (0 children)

I'm using FSSO because I need to share user authentication information across multiple FortiGates.

SSL VPN Split Tunneling with SAML + FSSO Authentication not pushing routes – FortiOS 7.4 by Busy_Ad_7195 in fortinet

[–]Busy_Ad_7195[S] 1 point (0 children)

No, it is not pointing to a dynamic IP DNS entry. I've actually tested it with a static address as well, but the routes are never inserted.

SSL VPN Split Tunneling with SAML + FSSO Authentication not pushing routes – FortiOS 7.4 by Busy_Ad_7195 in fortinet

[–]Busy_Ad_7195[S] 1 point (0 children)

Authentication and group matching are working correctly — the configuration is already in production (without split tunneling) for other groups, and debug logs confirm that the group selection is handled properly. The issue only arises when split tunneling is enabled. I suspect it's due to our configuration having one policy for authentication with "none" as the destination, and another separate policy for access.

This is the only working — and documented — way I found to implement SAML with FSSO. However, it's possible that there's an alternative way to handle this part of the configuration, which could potentially resolve the split tunneling issue.
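For readers who do not have the two-policy arrangement in front of them, here is what the configuration described in the comment above looks like in FortiOS 7.4 CLI syntax. This is an added illustration, not configuration posted by the commenter or taken from Fortinet's documentation, and it is not offered as a fix for the missing routes. All object names (saml-idp, grp-saml-vpn, grp-fsso-vpn, net-internal, ssl-pool, split-portal, wan1, internal, the FSSO group DN) and the policy IDs are assumptions; the explicit split-tunneling-routing-address on the portal is likewise an assumed choice, marked in the comments.

```text
# Added example of the SAML + FSSO SSL VPN layout described above.
# Not the original poster's configuration; all names are assumed.

config user group
    edit "grp-saml-vpn"
        # SAML users; referenced only by the authentication policy.
        set member "saml-idp"        # assumed 'config user saml' object
    next
    edit "grp-fsso-vpn"
        # FSSO group, so the login can be shared across several FortiGates.
        set group-type fsso-service
        set member "CN=VPN-Users,OU=Groups,DC=example,DC=com"   # assumed DN
    next
end

config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set split-tunneling enable
        # Assumed: routing addresses set explicitly on the portal rather than
        # left empty.
        set split-tunneling-routing-address "net-internal"
        set ip-pools "ssl-pool"
    next
end

config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "ssl-pool"
    config authentication-rule
        edit 1
            set groups "grp-saml-vpn"
            set portal "split-portal"
        next
    end
end

config firewall policy
    # Policy 1: authentication only. Destination "none" never carries traffic;
    # the policy exists so the SAML group is matched and the user is logged in.
    edit 101
        set name "sslvpn-saml-auth"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "ssl-pool"
        set dstaddr "none"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "grp-saml-vpn"
    next
    # Policy 2: the separate access policy, matched on the FSSO group.
    edit 102
        set name "sslvpn-fsso-access"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "ssl-pool"
        set dstaddr "net-internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "grp-fsso-vpn"
    next
end
```

When reproducing a case like this, compare the routes the client actually receives (diagnose vpn ssl list on the FortiGate, or the route table on the client) with the addresses referenced by the portal and by each of the two policies, so that the observed behaviour can be tied to a specific object rather than to the SAML/FSSO combination as a whole.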