Technical Tip: SAML Authentication Fails on Windows FortiClient Machines when SSL VPN Webmode is Disabled Globally

SAML SSL VPN users may experience connection issues using FortiClient on Windows OS when SSL VPN web mode is disabled globally. However, when web mode is enabled, users can connect to the VPN without any problems.

The problem can be verified by examining the logs as outlined below. User Agent is shown as 'null'.

[3958:customer1:eb7]req: /remote/saml/start
[3958:customer1:eb7]rmt_web_auth_info_parser_common:533 no session id in auth info
[3958:customer1:eb7]rmt_web_get_access_cache:885 invalid cache, ret=4103
[3958:customer1:eb7]User Agent: (null) <--
[3958:customer1:eb7]Transfer-Encoding n/a
[3958:customer1:eb7]Content-Length n/a
[3958:customer1:eb7]SSL state:fatal decode error (192.168.253.2)
[3958:customer1:0]ap_read,105, error=1, errno=0 ssl 0x7f9baa017000 Success. error:0A000126:SSL routines::unexpected eof while reading
[3958:customer1:eb7]sslvpn_read_request_common,863, ret=-1 error=-1, sconn=0x7f9baacae000.
[3958:customer1:eb7]Destroy sconn 0x7f9baacae000, connSize=0. (customer1)

This issue has been resolved in v7.4.8 and v7.6.1 (available on the Fortinet Support Portal).

Workaround:
Enable 'sslvpn-web-mode' globally using the below commands.

config system global
    set sslvpn-web-mode enable
end

Logs required by FortiGate TAC for investigation:

1. Debugs:
   diagnose debug application samld -1
   diagnose debug application sslvpn -1
   diagnose debug console timestamp enable
   diagnose debug enable  <---- Reproduce the issue.

To disable the debugs:

diagnose debug reset
diagnose debug disable

2. TAC Report:

execute tac report

3. Configuration file of the FortiGate.

4. FortiClient Debug logs: Technical Tip: How to enable debug log in FortiClient

Related article:

Troubleshooting Tip: FortiClient SAML authentication when SSL VPN web mode is disabled globally