Troubleshooting Tip: SAML IdP authentication fails with '403 forbidden' error

GUI debug logs from FortiAuthenticator show the following error:

2025-05-17T22:51:26.000917+05:30 FortiAuthenticator gui[1859] error fac.home.www-data.FastAPI.apps.saml.views.samlidp __init__ 140208609381248 SP Test assertion request error: 'NoneType' object has no attribute 'split'
Traceback (most recent call last):
File "./FastAPI/apps/saml/views/samlidp.py", line 161, in saml_response
File "./FastAPI/apps/saml/views/samlidp.py", line 2130, in __init__
AttributeError: 'NoneType' object has no attribute 'split'
2025-05-17T22:51:34.451967+05:30 FortiAuthenticator gui[1860] debug fac.home.www-data.FastAPI.apps.saml.views.samlidp __init__ 140208609381248 Change SAML IdP login request from POST to GET
2025-05-17T22:51:34.452102+05:30 FortiAuthenticator gui[1860] debug fac.home.www-data.FastAPI.apps.saml.views.samlidp __init__ 140208609381248 SamlIdpLoginView.dispatch: GET client_ip x.x.x.x sp_prefix qizimabj7dk2xriv sessionid th7jve4xaomwa12ilwq0tu8bpviywz1g iam False ({})

In the FortiAuthenticator, select Authentication -> SAML IdP -> Service Providers and check if the SP SLS (logout) URL is empty.

 
This is a known issue in version 6.6.1 where SAML authentication fails with 403 Forbidden error when SP SLS (logout) URL is empty and the issue is fixed in 6.6.2.

Workaround:

As a workaround, manually enter an SLS (logout) URL in the affected Service Provider entry, save it, and remove the SLS (logout) URL again. Try logging in and the user should be able to login successfully.