Technical Tip: 'authd' Consumes High CPU when 'idp-single-logout-url' is not configured under SAML Configuration

After upgrading to v7.4.3, v7.4.4, or v7.6.0, SSL VPN users utilizing Azure SAML authentication may encounter VPN connection issues due to the 'authd' daemon consuming high CPU.
This issue arises when the idp-single-logout-url is not configured under the SAML settings.

Sample SAML Configuration:

config user saml
    edit "Azure_SSO"
        set entity-id "http://192.168.1.99:1003/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.1.99:1003/remote/saml/login/"
        set single-logout-url "https://192.168.1.99:1003/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/*****************************/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/*******************/saml2"
        set idp-cert "AZURE-IdP-Cert"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next

The problem can be verified by examining the logs as outlined below:

diagnose sys top 3 40
Run Time: 13 days, 0 hours and 5 minutes
50U, 0N, 2S, 46I, 0WA, 0HI, 2SI, 0ST; 3962T, 1754F
authd 18336 R 99.9 0.4 0

Killing the 'authd' daemon (fnsysctl killall authd) temporarily reduces CPU utilization significantly. However, CPU usage spikes again when a user attempts to initiate a SAML VPN connection.

This issue has been resolved in v7.2.11, v7.4.5, v7.6.1

Workaround:
Configure 'idp-single-logout-url' under SAML configuration using the below commands.

config user saml
    edit <name>
        set idp-single-logout-url "<Logout URL>"
end

Logs required by FortiGate TAC for investigation:

1. Debugs:

diagnose debug application authd -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable

Reproduce the issue.

diagnose debug disable
diagnose sys top 2 100 <-- Press control+C to stop.

2. TAC Report:

execute tac report

3. Configuration file of the FortiGate.