Configure Fortigate SSL VPN to use Azure AD as SAML IDP (MFA / Conditional Access)

  • Published 27 Oct 2024

Comments • 126

  • @joshpark1 · 2 years ago · +3

    I've been poring over the config documents from both the Azure and FortiGate side for about a week preparing to get it done this week. Always helpful to see someone actually do it though, and I'm really happy you left the troubleshooting in there. Invaluable! Liked and subscribed sir, thank you!

  • @jaspreetmangat834 · 2 years ago · +1

    One of the best FortiGate SSL VPN integration with Azure AD using SAML tutorials.

  • @thom12345100 · 11 months ago · +1

    Thank you Dan! I was able to set up the same within 1.5 hours thanks to your vid.
    If anyone cares: if using a FIDO2 key (passwordless), you have to select the option in the FortiClient VPN profile to authenticate using the browser.

  • @gustavovillanueva5306 · 12 days ago

    When I noticed a 48-minute video about this topic, I said "surely this video is so boring", but when I finished, I immediately pushed the subscribe and like buttons.
    Thanks a lot for your video and explanation.
    "una joyita de video" (a little gem of a video)

  • @denmanfite3156 · 1 year ago · +2

    Great video. Really enjoyed how you showed the whole process including the small issues you ran into.

  • @CrvTEC916 · 3 years ago · +2

    Great, Thank you! This works out perfectly!! Multiple groups with different access and I was also able to configure access to go over a S2S VPN as well.

    • @GraniteDan · 3 years ago

      Glad it helped!

    • @wascarreyes01 · 2 years ago

      Hey David, how did you configure S2S VPN with SAML?

  • @attiland56 · 1 year ago

    Best content on the subject I have come across in months. Thank you

  • @JamesNationMusic · 4 months ago · +1

    Dude, thank you! One thing to note is that you don't need the quotes anymore on 7.2.8 firmware.

  • @_retrogamer999 · 3 years ago · +6

    Absolute genius. Straightforward and easy to follow.

  • @stevencamacho4280 · 2 years ago · +1

    Top notch demonstration. I'll be implementing this soon and this video is a great resource to have.

  • @sacoderch30 · 3 years ago · +1

    Great video! I am using it on version 6.2.9 too.

  • @AmitKhandelwal23 · 2 years ago · +1

    Thanks a ton for the great Video. Each and every step in detail.

    • @GraniteDan · 2 years ago · +1

      Very glad you found this helpful.

  • @michaelramirez9378 · 1 year ago · +1

    Thank you for creating this content Dan. Great video and instructions. It was incredibly helpful.

  • @peterliu5296 · 2 years ago

    Great video. Really informative, well organized and detailed. Thanks for sharing. Would like to see more uploads from you.

  • @raulkamal9178 · 2 years ago

    Excellent video. Thanks for all your help!

  • @markb81 · 3 years ago

    Thanks for taking the time to provide this great guide.

  • @eduarmoran · 2 years ago

    Excellent video Dan! Thank you so much.

  • @WReaume · 1 year ago

    Great vid. My free Azure account would not allow me to add groups to the FortiGate SSL enterprise app thingy in Azure, only users. But you could kick it a bit on the login and could eventually get to the SSL portal. Thanks for the useful video and info. Make more vids!

  • @garnetprince6199 · 3 years ago · +1

    Awesome video, 100% :)

  • @billbaltas4674 · 2 years ago

    Thanks for posting this. This really helped me.

  • @amiryousry · 3 years ago

    I would like to thank you for this amazing video. Really helpful

    • @GraniteDan · 3 years ago

      I am very glad that you enjoyed it

  • @ludapebe · 6 months ago · +1

    Hi. I have a problem with the client. The log shows a problem connecting to the server, error 6500.

  • @jorgegarcia-6981 · 2 years ago

    Excellent work, thank you very much!

  • @Spele10 · 3 years ago

    Very good and useful video. Thank you very much

    • @GraniteDan · 3 years ago

      Glad it was helpful!

  • @jafrujafru · 2 years ago

    Very informative. Thank you.

  • @decosion5498 · 8 months ago

    Very nice explanation

  • @kichak99 · 2 years ago

    Thanks great detailed video

  • @la08 · 1 year ago · +1

    Fantastic! One question: there seems to be a limitation on 7.0.9 when adding multiple SAML servers to a group. Is there a way around this without recreating the same firewall policies for different SAML servers?

    • @GraniteDan · 1 year ago

      Add multiple groups to the firewall policy.

    • @la08 · 1 year ago

      @GraniteDan Tried this, the issue is the same. Not able to add 2 different user groups (referencing two different SAML servers) to a firewall policy.

  • @nature0893 · 11 months ago

    Thank you for the video

  • @abdallahezat8604 · 1 year ago · +1

    Great sharing.

  • @kwm1985 · 2 months ago

    Thank you very much for this video. I had an issue with the step where I had to set up the custom "username" claim attribute on the Azure side, and the documentation and other tutorials don't clearly state what to do there.

  • @cloudmasterlive · 2 years ago

    Thank you for this video. It was a pleasure to watch. Just one question here: there was no prompt for MFA. How does that work? How can I set that up if I want my users to receive an OTP/notification to be able to connect to the VPN? Please help.

  • @KhanhNguyen-fp8xs · 3 years ago · +1

    Well done Dan :D

  • @philipdefeo9586 · 2 years ago · +1

    This is great, thank you! Can you share the process for creating the SSL cert via Let's Encrypt?

  • @gdhomy2009 · 4 months ago

    Where did you get the gateway address to put in the browser and FortiClient?

  • @franckymetal · 1 year ago

    Good morning Dan, really nice video and well explained. I was just wondering: in the SSL settings, in the Authentication/Portal Mapping, if I create a mapping to a new portal for Azure and I also have a mapping for a group of local users of the FW to connect to the full-access portal, for example, when my users with local accounts connect to the FW via FortiClient, will they get the Azure window as well? I would like to keep these users connecting without the Azure portal, but also have some groups get the Azure window.

  • @thisismeisthatyou2319 · 3 years ago

    Great tutorial :) Helped me understand a lot. 2 questions
    1. In what case would you integrate this WITH Fortiauthenticator?
    2. Can you use a private CA that all devices using the VPN have as a trusted CA, or must it be public?

    • @GraniteDan · 3 years ago

      Hey there, for the first question I am uncertain when you would integrate this with FortiAuthenticator. I don't use FortiAuthenticator, and wanted to set this up so that I could secure our remote access VPNs while maintaining a single MFA Provider and maximizing the benefits of our Azure AD subscription.
      As for your second question I expect that as long as your clients trust the certificate you are using on your Fortigate you should be able to use a private CA. I have not done this, but it would stand to reason that it should work.

    • @vinisantos. · 3 years ago · +1

      One of the reasons you would integrate this with FortiAuthenticator is if you have multiple FortiGates in your environment for example. FortiAuthenticator can centralize all your users (And respective FortiTokens, if any) and provide the same kind of access to multiple devices in your network. Without a FAC in this scenario, you'd have to replicate the configuration to all FortiGates.
      And yes, you can use self-signed certificates just fine, they're just not as secure.

    • @nielstaildeman · 2 years ago

      @GraniteDan Is it possible to use the Azure SAML as an identity agent to use in policies? (Like FSSO enables with on-prem AD?)

  • @asherxtn · 3 years ago

    Thanks, great video.
    I was stuck when I forgot to add the new group to my existing policy, then I found your video at 29:06. Strange that it wouldn't even let you sign in without a policy.

  • @thenetworkarchitectchannel · 3 years ago

    GraniteDan, professionally done. I enjoyed watching. Do you have any thoughts on timer adjustments? I had heard that when you go SAML it is recommended to also adjust timers.

    • @GraniteDan · 3 years ago

      I set the remote auth timeout to 90 seconds some time ago. It may have been a recommendation by Duo when we used them. It has worked well for us. I have also set up other environments with 60-second timeouts for remote auth with no major issue. It is really just buying time for folks to dig their phone out and respond to the MFA challenge.

  • @uligeitz5283 · 2 years ago

    Great Job!

  • @lalitjoshi8032 · 1 year ago

    Great Content...

  • @rajsyed729 · 2 years ago

    Great work Dan. Is it possible to allow guest access to the VPN? I am trying to use Azure B2B cross-tenant collaboration.
    I want to allow guest accounts to authenticate using their own email addresses.

  • @wanikatoon9614 · 3 years ago · +1

    Once we've integrated with Azure AD, I always need to enter a username and password. Can you make it remember the username after choosing SAML login?

  • @nimesis124 · 2 years ago

    Hi Dan, my Fortinet is running in AWS and I want to connect with Azure just like in this video. Do I need to allow any ports in Azure and AWS, and vice versa?

  • @KK-po5hm · 2 years ago

    Dan, Do you provide consulting services?

  • @em7yn · 2 years ago

    Can this be done without running a domain for our SSL cert? I.e., a cert for our public IP?
    We have no internal DNS, so setting this up would be difficult for an FQDN.

  • @n2sport1 · 1 year ago

    Do you need separate FortiGate SSL VPN enterprise apps for separate FortiGate firewalls?

  • @PapaEnColere · 3 years ago · +1

    Thanks, I've been working on this since yesterday and always get stuck on the same problem. When I do a "diagnose debug application sslvpn -1" on my FortiGate, I think the problem is right there: "[349:root:8f4]fsv_saml_login_response:477 No group info in SAML response.". I've recreated my claim, double (if not triple) checked my group IDs... but the problem seems to be that no group information is sent from Azure AD.

    • @GraniteDan · 3 years ago

      It certainly sounds that way. Have you assigned groups to the application? If you would like we may be able to communicate directly over email to discuss your claim configuration etc. My email is dparr@granite-it.net.

    • @GraniteDan · 3 years ago

      As per our email conversation, I am pasting this here to benefit the community. I have also added it to the video description.
      No group info in SAML response:
      Azure Active Directory limits the number of groups it will emit in a token to 150 for SAML assertions and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted and a link to the Graph endpoint to obtain group information is included instead. So, you need to use the option "Groups assigned to the application" under User Attributes & Claims | Add a group claim.
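The check described in this thread, as an added example that is not code from the video, Fortinet or Microsoft: a small Python script that decodes a captured SAMLResponse (for instance from the SAML-tracer browser extension) and reports whether it carries the attributes a FortiGate `config user saml` entry expects. The attribute names "username" and "group" follow the custom claim names the Fortinet guide has you create in Azure AD; the overage claim name `http://schemas.microsoft.com/claims/groups.link` is assumed from Microsoft's token documentation, and the two sample responses, object IDs and e-mail addresses are constructed test data, not real assertions. Signature verification is out of scope, since the FortiGate validates the IdP signature against `set idp-cert` itself.

```python
"""Decode a captured SAMLResponse and check it for the attributes a FortiGate
'config user saml' entry expects (set user-name / set group-name).

Added example for this comment thread; not code from the video, Fortinet or
Microsoft. Sample responses below are constructed, unsigned test data.
For responses captured from an untrusted party, parse with defusedxml instead.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Emitted by Azure AD instead of the group list when the user is in more
# groups than fit in the token (150 for SAML). Assumed claim name.
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def parse_attributes(saml_response_b64: str) -> dict[str, list[str]]:
    """Return {attribute Name: [values]} from a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return attrs


def check_fortigate_claims(attrs: dict[str, list[str]],
                           user_name: str = "username",
                           group_name: str = "group",
                           allowed_groups: tuple[str, ...] = ()) -> list[str]:
    """Explain why the FortiGate would reject this response; empty list means OK.

    user_name / group_name mirror 'set user-name' / 'set group-name' in
    'config user saml'; allowed_groups mirrors the Azure group object IDs
    listed under 'config match' in 'config user group'.
    """
    findings = []
    if not attrs.get(user_name):
        findings.append(f"no '{user_name}' attribute; IdP sent: {sorted(attrs)}")
    if GROUPS_OVERAGE_CLAIM in attrs:
        findings.append("groups overage: IdP sent a Graph link instead of the "
                        "group list; emit 'Groups assigned to the application'")
    groups = attrs.get(group_name, [])
    if not groups:
        findings.append(f"no '{group_name}' attribute "
                        "(FortiGate logs: No group info in SAML response)")
    elif allowed_groups and not set(groups) & set(allowed_groups):
        findings.append("no group value matches a 'config match' group-name; "
                        "FortiGate matches on the Azure group object ID")
    return findings


def build_sample_response(attributes: dict[str, list[str]]) -> str:
    """Constructed, unsigned SAMLResponse for testing, returned base64-encoded."""
    resp = ET.Element("{%s}Response" % NS["samlp"], ID="_r1", Version="2.0")
    assertion = ET.SubElement(resp, "{%s}Assertion" % NS["saml"], ID="_a1", Version="2.0")
    stmt = ET.SubElement(assertion, "{%s}AttributeStatement" % NS["saml"])
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, "{%s}Attribute" % NS["saml"], Name=name)
        for value in values:
            ET.SubElement(attr, "{%s}AttributeValue" % NS["saml"]).text = value
    return base64.b64encode(ET.tostring(resp)).decode()


# Constructed object ID; in a real tenant use the group's Object ID from Azure AD.
VPN_GROUP_ID = "11111111-2222-3333-4444-555555555555"

GOOD_RESPONSE = build_sample_response({
    "username": ["alice@example.com"],
    "group": [VPN_GROUP_ID, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"],
})

# What a user in more than 150 groups gets when the claim is set to
# "All groups" instead of "Groups assigned to the application" (constructed).
OVERAGE_RESPONSE = build_sample_response({
    "username": ["bob@example.com"],
    GROUPS_OVERAGE_CLAIM: ["https://graph.microsoft.com/v1.0/users/bob@example.com/getMemberObjects"],
})

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("overage", OVERAGE_RESPONSE)):
        findings = check_fortigate_claims(parse_attributes(resp), allowed_groups=(VPN_GROUP_ID,))
        print(label, "->", findings or "OK")
```

To use it on a real capture, pass the base64 SAMLResponse form value to `parse_attributes` and the group object IDs from your `config match` entries as `allowed_groups`; the findings map directly onto the three usual causes of "No group info in SAML response": wrong claim name, groups overage, or a group ID that is not the one the FortiGate is matching on.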

  • @Wickerdrummer · 2 years ago

    Hello, thank you for this video. I have a question: is 7.0 required to use this feature, or does it work on 6.0? Can I use this type of authentication to grant internet access based on a web filtering profile?

  • @d4nielcui · 1 year ago

    It's a great tutorial.
    By the way, I found an error "Invalid HTTP request" when I tested. Could you advise, Dan? Thank you!

  • @elcioluizjunior · 2 years ago

    Not working here, my VPN portal does not redirect to Microsoft; if I access the SAML address I get remote/saml/login invalid http request.

  • @williamschubach5324 · 3 years ago

    On a FGT 40F I don't get a user found in the Azure AD group.
    How does one troubleshoot group translation?
    [215:root:2b]sslvpn_validate_user_group_list:1786 validating with SSL VPN authentication rules (1), realm ((null)).
    [215:root:2b]sslvpn_validate_user_group_list:1801 checking rule 1 cipher.
    [215:root:2b]sslvpn_validate_user_group_list:1809 checking rule 1 realm.
    [215:root:2b]sslvpn_validate_user_group_list:1820 checking rule 1 source intf.
    [215:root:2b]sslvpn_validate_user_group_list:1859 checking rule 1 vd source intf.
    [215:root:2b]sslvpn_validate_user_group_list:2178 rule 1 done, got user (0:0) group (1:0) peer group (0).
    [215:root:2b]sslvpn_validate_user_group_list:2506 got user (0:0), group (2:0) peer group (0).
    [215:root:2b]sslvpn_update_user_group_list:1734 got user (0:0), group (2:0), peer group (0) after update.
    [215:root:2b][fsv_found_saml_server_name_from_auth_lst:121] Found SAML server [ssl-azure-saml] in group [AAD-VPN_users]
    __samld_sp_create_auth_req [387]:

  • @sokocul · 3 months ago

    thanks bro

  • @tommaor2094 · 11 months ago

    Can I use a self-signed certificate for Azure SAML?

  • @TheSuperscalar · 2 years ago

    SSL VPN Azure SAML support on smart devices such as mobile and tablet?

  • @JanisJaunosans · 1 year ago

    noice!

  • @عصامالعتيبي-ض9ك · 2 years ago

    Do you have a video explaining integrating FG with ADFS using SAML?

  • @francoiscoulon2879 · 3 years ago

    Hello, for several weeks I have struggled to get it working... I get this famous "Invalid HTTP request" every time I go to the SAML login URL. Tested almost everything, upgraded to 6.4.7.... any hint?

    • @GraniteDan · 3 years ago

      Unfortunately I don't have much to go on there. What SAML login URL do you mean, is it the FortiGate SSL VPN web portal or somewhere else?

  • @alfredosantos-es7002 · 2 years ago

    Hello,
    Great video and solution.
    I have 5 Windows domains and 5 FortiGates. All 5 ADs are synchronized with one MS365 tenant. Does this solution work in this architecture?
    Thanks in advance.
    AS

  • @yhonattans.youngd.8454 · 3 years ago · +1

    Thank you

    • @GraniteDan · 3 years ago · +1

      No Problem. I looked for this solution for a long time. Once I got it working I had to share the solution with others.

  • @dodonohoe30 · 2 years ago

    Great content Dan. For my understanding, could someone give me the high-level sequence of events here, in terms of the token/authentication flow mechanism?

  • @grokit · 3 years ago

    Hello Dan, great tutorial. If I'd enabled 2FA in Office 365 for those users, would that also work with the FortiVPN client? That is, would I be able to set up 2FA without the need for my own RADIUS server?
    Dan

    • @GraniteDan · 3 years ago · +1

      Hello Grokit, yes, this is the beauty of setting up the FortiGate SSL VPN to use Azure AD MFA. Users get a seamless single sign-on experience, and the MFA solution extends to both this application and any other registered enterprise applications you set up in Azure AD.

  • @robdax3122 · 2 years ago

    Hi Dan, this video is very helpful, but I missed the MFA part. If I am not wrong, you didn't configure it. I can see that the system asked for a username and password, but not a second factor (multi-factor or two-factor) authentication. No token or OTP of any sort.

    • @GraniteDan · 2 years ago · +2

      Rob, thanks. I didn't get into MFA other than maybe mentioning it. Azure AD handles the MFA side of things: if you have MFA enabled, either per user or via conditional access, you will get prompted for MFA just like you would when logging into M365 or any other app.

  • @frietjesate6288 · 3 years ago

    My comprehension of client certificates is limited, so bear with me. I have Azure SAML working thanks to your tutorial. Now I want to add client certificates to include company-owned devices only. Is this possible? I've tried Azure Conditional Access with a Hybrid Azure AD Joined devices restriction, but it does not seem to be supported in FortiClient (unsupported browser error). Is it just a matter of adding 'set ca' and 'set subject' to 'edit "ssl-azure-saml"'?

    • @GraniteDan · 3 years ago

      Sorry for the delay; I am not sure if you have gotten to the bottom of this. The client certificate requirement is set up in the SSL VPN settings on the FortiGate. I would check the documentation around using client certificates, but this article might also start you down the right road... packetplant.com/fortigate-ssl-vpn-and-2fa-using-certificate-and-username/

  • @ferasawwad71 · 2 years ago

    Hello, do you have paid developer services? Are you a company?

  • @afdadfasfafdsa · 3 years ago

    About:
    "**Note: It seems the documentation from Fortinet has been taken down. Please find this link to an alternate PDF copy of the doc (See pg 140):"
    Please, can you share the .pdf, as the new link is not working?

    • @GraniteDan · 3 years ago

      docs.fortinet.com/document/fortigate-public-cloud/6.4.0/azure-administration-guide/584456/configuring-saml-sso-login-for-ssl-vpn-web-mode-with-azure-ad-acting-as-saml-idp

  • @nimesis124 · 2 years ago

    I am not able to import the Azure AD certificate into the FortiGate via remote certificate. I am using a FortiGate evaluation license.

    • @GraniteDan · 2 years ago

      I do not know if this would be a limitation of the evaluation license or not. Validate that you are downloading the correct version of the certificate. Do you get an error? Is the option not there?

  • @pjassal79 · 3 years ago

    Does this also work with IPsec?

  • @benj6675 · 2 years ago

    When trying to import the remote certificate to the FortiGate I get the error "Basic constraints is absent for cert". Anyone else ever had that issue?

  • @dondbg3751 · 3 years ago

    Thank you. Is this supported only on ver 7.x?

    • @GraniteDan · 3 years ago

      The Fortinet doc I used is from ver 6.2; I am not sure if it goes back any further than that. I only used 7.0 in my lab to be able to take advantage of the new features for Let's Encrypt certificates.

    • @dondbg3751 · 3 years ago

      @GraniteDan I had to use FAC to get this going, and MFA works as well...

    • @grokit · 3 years ago

      @@dondbg3751 Hello Don, I am interested in the way you implemented 2FA. What does "FAC" mean? And do you have any kind of pointer to some more documentation? That would be great.
      Regards, Dan

  • @arunlals1781 · 3 years ago

    Using an Azure AD Free license, can we configure SAML to authenticate FortiGate SSL VPN?

    • @GraniteDan · 3 years ago · +1

      I am fairly certain that you are able to set up 10 enterprise apps for SSO with the free license, so your FortiGate SSL VPN could be one of these. But I would strongly recommend that you validate that info with Microsoft.
      Here is some additional MS documentation:
      docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal

    • @KhanhNguyen-fp8xs · 3 years ago

      Yes, you can. And with some advanced config on Azure, we can force users to use the VPN with passwordless, FIDO2 or Microsoft Authenticator, on your own.

    • @jdmarchand · 3 years ago · +1

      Not with a conditional access rule; it requires a P1 licence. It will work without it, but you wouldn't be compliant.

    • @mehdit3300 · 3 years ago

      @jdmarchand How could we force MFA without using a conditional access rule, which requires a P1 license?

  • @a2045125 · 3 years ago

    Hi, could you please tell me how to modify the countdown time when the login page appears? My login page only has a 10s timer. (In your video it is 60s.)

    • @GraniteDan · 3 years ago

      From the CLI, issue the following commands:
      config system global
          set remoteauthtimeout 60   # seconds; FortiOS default is 10
      end

    • @a2045125 · 3 years ago · +1

      @@GraniteDan Thanks a lot! It works!

  • @Heineken1712 · 2 years ago

    Hi, does anyone know if you can apply Azure 2FA like this to authenticate against FG SSL VPN?

    • @GraniteDan · 2 years ago

      That is exactly what the video shows you how to do.

    • @Heineken1712 · 2 years ago

      @GraniteDan I only see Azure authentication with username/password. But I'm new to Azure; I probably don't fully understand the 2FA process of Azure. AFAIK you need to accept the 2FA, e.g., on your phone. The login procedure on the SSL VPN doesn't show a page where it is waiting for acceptance of the 2FA.

    • @GraniteDan · 2 years ago

      @Heineken1712 MFA is wholly managed by Azure AD. When it is enabled, either per user or by conditional access, and you are authenticating with Azure AD via SAML, the user will receive the MFA prompts just as they do when logging into any Office 365 cloud apps etc.

  • @wascarreyes01 · 2 years ago

    How can I have redundancy with SAML?

    • @GraniteDan · 2 years ago · +1

      What sort of redundancy are you looking for?

    • @wascarreyes01 · 2 years ago

      @GraniteDan We have multiple interfaces configured on the SSL VPN; the question really is, should I create two instances in Azure AD as well?

    • @GraniteDan · 2 years ago

      @wascarreyes01 I don't believe this would be required if all of the users exist in the same Azure AD. You should be able to set up a single server and then allow specific groups.

    • @wascarreyes01 · 2 years ago

      @@GraniteDan What if my firewall’s public IP goes down?

    • @GraniteDan · 2 years ago

      @wascarreyes01 If your public IP goes down then your users probably won't be able to connect to the SSL VPN. For that level of redundancy you could look at multiple connections, SD-WAN, and some load balancing for the FQDN that users are connecting to.

  • @kento6909 · 1 year ago

    At about th-cam.com/video/nDH2wvveLrI/w-d-xo.html you copied the FQDN, but where should I get the FQDN in FortiGate from? I've been trying to set up this configuration since yesterday but am still stuck along the way. Please help!! Kento from Japan.

  • @OmayioMicahKing · 3 years ago

    @GraniteDan, what if I am using a different port than 443 and also have some realms on my FortiGate, i.e. my current remote gateway URL is: ... How do I configure the SAML Basic Configuration URLs?

    • @GraniteDan · 3 years ago

      I don't have experience with realms etc. with SSL VPN. I would recommend reviewing the documentation and possibly engaging support or your SE. If you get to the bottom of this, please let the rest of us know.

    • @GraniteDan · 3 years ago · +1

      Micah, today I was reviewing the release notes of FortiClient 7.0.1 and they seem to indicate that realms are not supported when using SAML authentication. Maybe next version...