When an admin user tries to log in to the FortiGate's administrative GUI using SAML authentication, the login fails with the error 'Authentication failure', as seen in the screenshot below.
The following debugs can be run on the FortiGate while trying to authenticate on the administrative GUI:

diagnose debug console timestamp enable
diagnose debug application http_authd -1
diagnose debug application samld -1
diagnose debug application eap_proxy -1
diagnose debug enable

To stop the debugging:

diagnose debug disable
diagnose debug reset

The error 'Failed to create admin session -1' will be seen in the debugs on the FortiGate:

2026-01-07 14:14:01 [http_authd 3310 - 1767816841 info] http_authd_saml_sp_acs_handler[1100] -- SSO admin successfully logged in.
2026-01-07 14:14:01 [http_authd 3310 - 1767816841 info] http_authd_request_handler[630] -- Successfully handled "SAML SP" request.
2026-01-07 14:14:01 [http_authd 3310 - 1767816841 info] http_authd_request_handler[669] -- -----------------------------------------------
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 info] http_authd_handler_main_loop[790] -- Received "pre-login stat" request (seq: 42843) from 10.214.134.5 (128 bytes)
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 info] http_authd_request_handler[612] -- ===============================================
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 info] http_authd_request_handler[630] -- Successfully handled "pre-login stat" request.
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 info] http_authd_request_handler[669] -- -----------------------------------------------
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 info] http_authd_handler_main_loop[790] -- Received "validate session" request (seq: 42844) from x.x.x.x (187 bytes)
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 info] http_authd_request_handler[612] -- ===============================================
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 warning] authorize_external_request[1162] -- Login is still in-progress for external request (GUI login) from x.x.x.x
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 info] http_authd_validate_session_handler[1377] -- Request from external authorized.
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 info] http_authd_request_handler[630] -- Successfully handled "validate session" request.
2026-01-07 14:14:02 [http_authd 3310 - 1767816842 info] http_authd_request_handler[669] -- -----------------------------------------------
2026-01-07 14:14:04 [http_authd 3310 - 1767816844 info] http_authd_handler_main_loop[790] -- Received "login" request (seq: 42845) from 10.214.134.5 (179 bytes)
2026-01-07 14:14:04 [http_authd 3310 - 1767816844 info] http_authd_request_handler[612] -- ===============================================
2026-01-07 14:14:04 [http_authd 3310 - 1767816844 info] http_authd_login_handler[2298] -- post-login banner accepted.
2026-01-07 14:14:04 [http_authd 3310 - 1767816844 info] http_authd_login_set_admin_session[406] -- VDOM updated to 'root'
2026-01-07 14:14:04 [http_authd 3310 - 1767816844 error] http_authd_login_handler[2391] -- Failed to create admin session -1

As a workaround, disable 'post-login-banner' in the CLI to allow the administrator to log in.

config system global
    set post-login-banner disable
end
Note: While the workaround and symptoms are similar to Troubleshooting Tip: Unable to log in to the FortiGate GUI after upgrading to 7.6.4, this is a different problem impacting SAML configurations.
The issue is caused by a FortiOS v7.6 bug where the post-login banner blocks GUI admin session creation after successful SAML authentication. SAML validation completes successfully, but the session fails with Failed to create admin session -1. Disabling the post-login banner allows the GUI login to succeed.
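A triage sketch for the debug output above, added here as an example and not Fortinet's code: it parses http_authd lines and reports each 'Failed to create admin session' error that follows a successful SSO login, noting whether the post-login banner was accepted in between. The function name, the 30-second window and the one-login-per-capture assumption are choices made for this example.

```python
import re

# Layout of an http_authd debug line in the capture above:
# <date> <time> [http_authd <pid> - <epoch> <level>] <function>[<line>] -- <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[http_authd (?P<pid>\d+) - (?P<epoch>\d+) (?P<level>\w+)\] "
    r"\w+\[\d+\] -- (?P<msg>.*)$"
)
WINDOW = 30  # assumption: max seconds between SSO success and the session error

# Sample input: four lines from the capture above, with wrapped words rejoined.
SAMPLE = """\
2026-01-07 14:14:01 [http_authd 3310 - 1767816841 info] http_authd_saml_sp_acs_handler[1100] -- SSO admin successfully logged in.
2026-01-07 14:14:04 [http_authd 3310 - 1767816844 info] http_authd_login_handler[2298] -- post-login banner accepted.
2026-01-07 14:14:04 [http_authd 3310 - 1767816844 info] http_authd_login_set_admin_session[406] -- VDOM updated to 'root'
2026-01-07 14:14:04 [http_authd 3310 - 1767816844 error] http_authd_login_handler[2391] -- Failed to create admin session -1
"""


def find_session_failures(log_text):
    """Return one finding per 'Failed to create admin session' error that
    follows a successful SAML SSO login from the same http_authd process.
    Assumes one login attempt at a time in the capture."""
    findings, state = [], {}  # state: pid -> details of the pending SSO login
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an http_authd debug line
        pid, epoch, msg = m["pid"], int(m["epoch"]), m["msg"]
        cur = state.get(pid)
        if "SSO admin successfully logged in" in msg:
            state[pid] = {"sso_at": m["ts"], "epoch": epoch, "banner": False}
        elif cur is None or epoch - cur["epoch"] > WINDOW:
            state.pop(pid, None)  # no pending SSO login, or it is too old
        elif "post-login banner accepted" in msg:
            cur["banner"] = True
        elif m["level"] == "error" and "Failed to create admin session" in msg:
            findings.append({"sso_at": cur["sso_at"], "failed_at": m["ts"],
                             "banner_accepted": cur["banner"]})
            del state[pid]
    return findings


if __name__ == "__main__":
    for f in find_session_failures(SAMPLE):
        verdict = "matches this issue" if f["banner_accepted"] else "banner not involved"
        print(f"SSO ok {f['sso_at']}, session error {f['failed_at']}: {verdict}")
```

A finding with `banner_accepted` set to False does not fit the sequence described here and points to a different cause.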
Fortinet is currently tracking this issue as a bug (1237463) with the intention to fix the problem in a future release of FortiOS v7.6 and the upcoming FortiOS v8.0 release.

Note: If administrator login failures persist when SAML and Single Sign-On are configured, verify the FortiOS version in use. Versions 7.2.12, 7.4.9, and 7.6.4 introduce stricter verification of SAML response signatures. Identity provider configurations without signed response and assertion messages may lead to authentication failures. Refer to the following article for the known conditions: Troubleshooting Tip: SAML Authentication Fails after firmware upgrade to v7.2.13, 7.4.9 or v7.6.4.