Fortinet black logo

Azure Administration Guide

Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP

Copy Link
Copy Doc ID a1b148db-687a-11ea-9384-00505692583a:584456
Download PDF

Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP

This guide provides supplementary instructions on using SAML single sign on (SSO) to authenticate against Microsoft Entra ID (formerly known as Azure Active Directory) with SSL VPN SAML user via tunnel and web modes. You can find the initial Azure configuration in Tutorial: Microsoft Entra SSO integration with FortiGate SSL VPN

Before you begin the FortiOS configuration, ensure that you have collected the following information from Azure to use in the SAML configuration:

FortiGate SAML CLI setting

Equivalent Azure configuration

Service provider (SP) entity ID (entity-id)

Identifier (entity ID)

SP single sign on (SSO) URL (single-sign-on-url)

Reply URL (assertion consumer service URL)

SP single logout URL (single-logout-url)

Logout URL

Identity provider (IdP) entity ID (idp-entity-id)

Azure login URL

IdP SSO URL (idp-single-sign-on-url)

Entra ID identifier

IdP single logout URL (idp-single-logout-url)

Azure logout URL

IdP certificate (idp-cert)

Base64 SAML certificate

Username attribute (user-name)

username

Group name attribute (group-name)

group

To configure SAML SSO:
  1. In FortiOS, download the Azure IdP certificate as Configure Microsoft Entra SSO describes.
  2. Upload the certificate as Upload the Base64 SAML Certificate to the FortiGate appliance describes.
  3. In the FortiOS CLI, configure the SAML user:

    config user saml

    edit "azure"

    set cert "Fortinet_Factory"

    set entity-id "https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/metadata”

    set single-sign-on-url "https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/login"

    set single-logout-url "https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/logout "

    set idp-entity-id "<Entra ID identifier>"

    set idp-single-sign-on-url "<Azure login URL>"

    set idp-single-logout-url "<Azure logout URL>"

    set idp-cert "<Base64 SAML certificate name>"

    set user-name "username”

    set group-name “group”

    next

    end

    In this example, assuming that the FortiGate IP address is 104.40.18.242, the commands are as follows:

    config user saml

    edit "azure"

    set cert "Fortinet_Factory"

    set entity-id "https://104.40.18.242:10443/remote/saml/metadata"

    set single-sign-on-url "https://104.40.18.242:10443/remote/saml/login"

    set single-logout-url "https://104.40.18.242:10443/remote/saml/logout"

    set idp-entity-id "https://sts.windows.net/04e..."

    set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"

    set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"

    set idp-cert "<Base64 SAML certificate name>"

    set user-name "username"

    set group-name "group"

    next

    end

    The user-name and group-name attributes configured on the FortiGate entry should exactly match the username and group attributes that Entra ID returns. You can configure the list of SAML attributes that Entra ID returns under Username Attributes & Claims in the Azure portal.

    FortiGate can optionally map users to specific groups based on the returned SAML user.groups attribute. The example shows group matching based on Entra ID Group ObjectId, using the set group-name command:

    config user group

    edit FortiGateAccess

    set member azure

    config match

    edit 1

    set server-name azure

    set group-name <object ID>

    next

    end

    next

    end

    You can find the full list of group claims in Configure group claims for applications by using Microsoft Entra ID.

    Configure the remote authentication timeout value as needed:

    config system global

    set remoteauthtimeout 60

    end

To configure SSL VPN settings:
  1. Go to VPN > SSL VPN Settings. Enable SSL VPN.
  2. Configure the Listen on Interface(s).
  3. Configure the Listen on Port. This port should be the port used in the SP URLs in the SAML configurations.
  4. Select a server certificate. FortiOS uses Fortinet_Factory by default. This certificate should match the SP certificate used in the SAML configurations.

    Self-signed certificates are provided by default to simplify initial installation and testing. Acquiring a signed certificate for your installation is HIGHLY recommended.

    Continuing to use these certificates can result in your connection being compromised, allowing attackers to steal your information, such as credit card details.

    For more information, review Use a non-factory SSL certificate for the SSL VPN portal and learn how to Procure and import a signed SSL certificate.

  5. Under Authentication/Portal Mapping, click Create New.
  6. Set Users/Groups to the user group that you defined earlier. In this example, it is FortiGateAccess.
  7. Set Portal to the desired SSL VPN portal.
  8. Click OK.
  9. Click Apply.
To configure a firewall policy:
  1. Go to Policy & Objects > Firewall Policy. Click Create new to ccreate a new SSL VPN firewall policy.
  2. Select the incoming and outgoing interfaces. The outgoing interface is the SSL VPN tunnel interface (ssl.root).
  3. For Source, select the SSL VPN tunnel address group and FortiGateAccess user group.
  4. Configure other settings as desired.
  5. Click OK.
To connect in web mode:
  1. Go to https://<FortiGate IP address>:10443 in a browser.
  2. Click Single Sign-On. The browser redirects to the Azure login portal.
  3. Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
To connect in tunnel mode with FortiClient:
  1. In FortiClient, go to Remote Access.
  2. Add a new connection:
    1. Enter the desired connection name and description.
    2. Set the remote gateway to the FortiGate's fully qualified domain name or IP address.
    3. Enable Customize port, then specify the SSL VPN port.
    4. Select Enable Single Sign On (SSO) for VPN Tunnel.
    5. (Optional) Enable Use external browser as user-agent for saml user authentication if you want users to use their browser session for login.
    6. Click Save.
  3. Click SAML Login. FortiClient redirects the user to the Azure login portal.
  4. Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
To troubleshoot:

diagnose debug application samld -1

diagnose debug application sslvpn -1

The output should resemble the following:

samld_send_common_reply [123]: Attr: 17, 27, magic=a8111ca2943ecd0c

samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'

samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'

samld_send_common_reply [120]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/'

samld_send_common_reply [120]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'

samld_send_common_reply [120]: Attr: 10, 49, 'Username' 'mremini@innovcenter.onmicrosoft.com'

samld_send_common_reply [120]: Attr: 10, 51, 'UserGroup' '3a0e3f1c-93c6-4be6-bdbe-b5d28a20cfa0'

samld_send_common_reply [120]: Attr: 10, 51, 'UserGroup' '8fb8c5ee-b253-44cc-a88f-4bd62dfaf2d2'

[924:root:5c]req: /remote/saml/start

[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info

[924:root:5c]rmt_web_get_access_cache:804 invalid cache, ret=4103

[924:root:5c]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.

[924:root:5c]sslvpn_auth_check_usrgroup:2145 got user (1) group (1:0).

[924:root:5c]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (0), realm ((null)).

[924:root:5c]sslvpn_validate_user_group_list:1963 got user (1:0), group (1:0) peer group (0).

[924:root:0]total sslvpn policy count: 1

[924:root:5c]req: /remote/saml/login

[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid

[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier

[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/displayname

[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/identityprovider

[924:root:5c]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences

[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

[924:root:5c]rmt_web_session_create:781 create web session, idx[0]

[924:root:5c]User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sa$

l_logout_url=no

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sa$

l_logout_url=no

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sa$

l_logout_url=no

[924:root:5c]req: /sslvpn/portal.html

[924:root:5c]mza: 0x28587b0 /sslvpn/portal.html

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sam

l_logout_url=yes

[924:root:5c]req: /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/req

[924:root:5c]mza: 0x2858620 /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/require_all.js

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sam

l_logout_url=yes

[919:root:0]allocSSLConn:289 sconn 0x7f5962887000 (0:root)

total sslvpn policy count: 1

[925:root:0]total sslvpn policy count: 1

[923:root:7b]req: /remote/logout

[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=yes

[923:root:7b]session removed s: 0x7f5962887000 (root)

[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=no

[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service

[924:root:7a]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0

[924:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)

[924:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0

[924:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)

[923:root:7c]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0

[923:root:7c]Destroy sconn 0x7f5962888900, connSize=1. (root)

[923:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0

[923:root:7b]Destroy sconn 0x7f5962887000, connSize=0. (root)

[925:root:7a]SSL state:warning close notify (208.91.115.10)

[925:root:7a]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)

[925:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)

dchaofgt # [925:root:7b]SSL state:warning close notify (208.91.115.10)

[925:root:7b]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)

[925:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)

Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP

This guide provides supplementary instructions on using SAML single sign on (SSO) to authenticate against Microsoft Entra ID (formerly known as Azure Active Directory) with SSL VPN SAML user via tunnel and web modes. You can find the initial Azure configuration in Tutorial: Microsoft Entra SSO integration with FortiGate SSL VPN

Before you begin the FortiOS configuration, ensure that you have collected the following information from Azure to use in the SAML configuration:

FortiGate SAML CLI setting

Equivalent Azure configuration

Service provider (SP) entity ID (entity-id)

Identifier (entity ID)

SP single sign on (SSO) URL (single-sign-on-url)

Reply URL (assertion consumer service URL)

SP single logout URL (single-logout-url)

Logout URL

Identity provider (IdP) entity ID (idp-entity-id)

Azure login URL

IdP SSO URL (idp-single-sign-on-url)

Entra ID identifier

IdP single logout URL (idp-single-logout-url)

Azure logout URL

IdP certificate (idp-cert)

Base64 SAML certificate

Username attribute (user-name)

username

Group name attribute (group-name)

group

To configure SAML SSO:
  1. In FortiOS, download the Azure IdP certificate as Configure Microsoft Entra SSO describes.
  2. Upload the certificate as Upload the Base64 SAML Certificate to the FortiGate appliance describes.
  3. In the FortiOS CLI, configure the SAML user:

    config user saml

    edit "azure"

    set cert "Fortinet_Factory"

    set entity-id "https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/metadata”

    set single-sign-on-url "https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/login"

    set single-logout-url "https://<FortiGate IP or FQDN address>:<Custom SSL VPN port>/remote/saml/logout "

    set idp-entity-id "<Entra ID identifier>"

    set idp-single-sign-on-url "<Azure login URL>"

    set idp-single-logout-url "<Azure logout URL>"

    set idp-cert "<Base64 SAML certificate name>"

    set user-name "username”

    set group-name “group”

    next

    end

    In this example, assuming that the FortiGate IP address is 104.40.18.242, the commands are as follows:

    config user saml

    edit "azure"

    set cert "Fortinet_Factory"

    set entity-id "https://104.40.18.242:10443/remote/saml/metadata"

    set single-sign-on-url "https://104.40.18.242:10443/remote/saml/login"

    set single-logout-url "https://104.40.18.242:10443/remote/saml/logout"

    set idp-entity-id "https://sts.windows.net/04e..."

    set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"

    set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"

    set idp-cert "<Base64 SAML certificate name>"

    set user-name "username"

    set group-name "group"

    next

    end

    The user-name and group-name attributes configured on the FortiGate entry should exactly match the username and group attributes that Entra ID returns. You can configure the list of SAML attributes that Entra ID returns under Username Attributes & Claims in the Azure portal.

    FortiGate can optionally map users to specific groups based on the returned SAML user.groups attribute. The example shows group matching based on Entra ID Group ObjectId, using the set group-name command:

    config user group

    edit FortiGateAccess

    set member azure

    config match

    edit 1

    set server-name azure

    set group-name <object ID>

    next

    end

    next

    end

    You can find the full list of group claims in Configure group claims for applications by using Microsoft Entra ID.

    Configure the remote authentication timeout value as needed:

    config system global

    set remoteauthtimeout 60

    end

To configure SSL VPN settings:
  1. Go to VPN > SSL VPN Settings. Enable SSL VPN.
  2. Configure the Listen on Interface(s).
  3. Configure the Listen on Port. This port should be the port used in the SP URLs in the SAML configurations.
  4. Select a server certificate. FortiOS uses Fortinet_Factory by default. This certificate should match the SP certificate used in the SAML configurations.

    Self-signed certificates are provided by default to simplify initial installation and testing. Acquiring a signed certificate for your installation is HIGHLY recommended.

    Continuing to use these certificates can result in your connection being compromised, allowing attackers to steal your information, such as credit card details.

    For more information, review Use a non-factory SSL certificate for the SSL VPN portal and learn how to Procure and import a signed SSL certificate.

  5. Under Authentication/Portal Mapping, click Create New.
  6. Set Users/Groups to the user group that you defined earlier. In this example, it is FortiGateAccess.
  7. Set Portal to the desired SSL VPN portal.
  8. Click OK.
  9. Click Apply.
To configure a firewall policy:
  1. Go to Policy & Objects > Firewall Policy. Click Create new to ccreate a new SSL VPN firewall policy.
  2. Select the incoming and outgoing interfaces. The outgoing interface is the SSL VPN tunnel interface (ssl.root).
  3. For Source, select the SSL VPN tunnel address group and FortiGateAccess user group.
  4. Configure other settings as desired.
  5. Click OK.
To connect in web mode:
  1. Go to https://<FortiGate IP address>:10443 in a browser.
  2. Click Single Sign-On. The browser redirects to the Azure login portal.
  3. Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
To connect in tunnel mode with FortiClient:
  1. In FortiClient, go to Remote Access.
  2. Add a new connection:
    1. Enter the desired connection name and description.
    2. Set the remote gateway to the FortiGate's fully qualified domain name or IP address.
    3. Enable Customize port, then specify the SSL VPN port.
    4. Select Enable Single Sign On (SSO) for VPN Tunnel.
    5. (Optional) Enable Use external browser as user-agent for saml user authentication if you want users to use their browser session for login.
    6. Click Save.
  3. Click SAML Login. FortiClient redirects the user to the Azure login portal.
  4. Sign in with your Azure account and password. Once logged in, the browser redirects to the SSL VPN portal.
To troubleshoot:

diagnose debug application samld -1

diagnose debug application sslvpn -1

The output should resemble the following:

samld_send_common_reply [123]: Attr: 17, 27, magic=a8111ca2943ecd0c

samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'

samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'xxxxx-xxxxx-xxxxx-xxxxx-xxxxx'

samld_send_common_reply [120]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/'

samld_send_common_reply [120]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'

samld_send_common_reply [120]: Attr: 10, 49, 'Username' 'mremini@innovcenter.onmicrosoft.com'

samld_send_common_reply [120]: Attr: 10, 51, 'UserGroup' '3a0e3f1c-93c6-4be6-bdbe-b5d28a20cfa0'

samld_send_common_reply [120]: Attr: 10, 51, 'UserGroup' '8fb8c5ee-b253-44cc-a88f-4bd62dfaf2d2'

[924:root:5c]req: /remote/saml/start

[924:root:5c]rmt_web_auth_info_parser_common:470 no session id in auth info

[924:root:5c]rmt_web_get_access_cache:804 invalid cache, ret=4103

[924:root:5c]sslvpn_auth_check_usrgroup:2039 forming user/group list from policy.

[924:root:5c]sslvpn_auth_check_usrgroup:2145 got user (1) group (1:0).

[924:root:5c]sslvpn_validate_user_group_list:1642 validating with SSL VPN authentication rules (0), realm ((null)).

[924:root:5c]sslvpn_validate_user_group_list:1963 got user (1:0), group (1:0) peer group (0).

[924:root:0]total sslvpn policy count: 1

[924:root:5c]req: /remote/saml/login

[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/tenantid

[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier

[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/displayname

[924:root:5c]stmt: http://schemas.microsoft.com/identity/claims/identityprovider

[924:root:5c]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences

[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

[924:root:5c]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

[924:root:5c]rmt_web_session_create:781 create web session, idx[0]

[924:root:5c]User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sa$

l_logout_url=no

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sa$

l_logout_url=no

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sa$

l_logout_url=no

[924:root:5c]req: /sslvpn/portal.html

[924:root:5c]mza: 0x28587b0 /sslvpn/portal.html

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sam

l_logout_url=yes

[924:root:5c]req: /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/req

[924:root:5c]mza: 0x2858620 /dc7a2776ac5e60eb4eeda4c1de45b5cb/js/require_all.js

[924:root:5c]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=1424c6b9,login=1576802935,access=1576802935,sam

l_logout_url=yes

[919:root:0]allocSSLConn:289 sconn 0x7f5962887000 (0:root)

total sslvpn policy count: 1

[925:root:0]total sslvpn policy count: 1

[923:root:7b]req: /remote/logout

[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=yes

[923:root:7b]session removed s: 0x7f5962887000 (root)

[923:root:7b]deconstruct_session_id:426 decode session id ok, user=[ssl-azure-saml],group=[sslvpn],authserver=[],portal=[web-access],host=[208.91.115.10],realm=[],idx=0,auth=256,sid=a205b36,login=1576804178,access=1576804178,saml_logout_url=no

[923:root:0]sslvpn_internal_remove_one_web_session:2848 web session (root:ssl-azure-saml:sslvpn:208.91.115.10:0 0) removed for User requested termination of service

[924:root:7a]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0

[924:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)

[924:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0

[924:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)

[923:root:7c]rmt_check_conn_session:2129 delete connection 0x7f5962888900 w/ web session 0

[923:root:7c]Destroy sconn 0x7f5962888900, connSize=1. (root)

[923:root:7b]rmt_check_conn_session:2129 delete connection 0x7f5962887000 w/ web session 0

[923:root:7b]Destroy sconn 0x7f5962887000, connSize=0. (root)

[925:root:7a]SSL state:warning close notify (208.91.115.10)

[925:root:7a]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)

[925:root:7a]Destroy sconn 0x7f5962887000, connSize=1. (root)

dchaofgt # [925:root:7b]SSL state:warning close notify (208.91.115.10)

[925:root:7b]sslConnGotoNextState:305 error (last state: 1, closeOp: 0)

[925:root:7b]Destroy sconn 0x7f5962888900, connSize=0. (root)