arahman
Staff
December 19, 2024

Troubleshooting Tip: '400 Bad Request' error when trying to connect to SAML SSO Login

Description

This article describes the possible reasons for the 'Bad Request' error that appears when connecting to an SSL VPN with SAML authentication, whether the Identity Provider (IdP) is Azure, DUO, or any other provider.

Scope

FortiGate.
Solution

When trying to connect to the SSL VPN with SAML authentication from FortiClient, the error 'Bad request' appears.

Or, when the option 'Use external browser as user agent for SAML login' is enabled in FortiClient, the error appears in the external browser instead.

This issue can happen if SAML is not configured properly on the FortiGate. This can be verified by running the following debugs in a FortiGate CLI session:

diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable            <----- Starts the debugging.

diagnose debug reset
diagnose debug disable           <----- Stops the debugging.

Scenario 1:
The debugs show that the SAML flow is not redirecting and stops immediately after it starts. This often happens if the SAML server is not specified as a member of the user group under 'config user group'.


Scenario 2:
Based on the debug logs below, the SAML authentication process is not redirecting and terminates immediately after it starts. This is commonly caused by the SSL VPN firewall policy not including the SAML user group.


[3807:root:19]req: /remote/saml/start
[3807:root:19]rmt_web_auth_info_parser_common:534 no session id in auth info
[3807:root:19]rmt_web_get_access_cache:886 invalid cache, ret=5003
[3807:root:19]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0
[3807:root:19]sslConnGotoNextState:324 error (last state: 1, closeOp: 0)
[3807:root:19]Destroy sconn 0x7fa5de0000, connSize=0. (root)
[3807:root:19]SSL state:warning close notify (77.246.21.30)
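
The failure signature in this output (a '/remote/saml/start' request whose connection is torn down with 'sslConnGotoNextState ... error' instead of proceeding) can be picked out mechanically from a longer debug capture. The following Python script is an added example, not code from the article or from Fortinet: it groups 'diagnose debug' lines by connection id and reports each connection that shows the signature. The sample lines are the ones quoted above, with the client address replaced by a documentation address, plus a constructed second connection that is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample: the sslvpn/samld debug lines quoted in the article for
# connection 19 (client address replaced by 198.51.100.10), plus a constructed
# connection 20 that only logged the start request and is therefore not flagged.
SAMPLE_DEBUG = """\
[3807:root:19]req: /remote/saml/start
[3807:root:19]rmt_web_auth_info_parser_common:534 no session id in auth info
[3807:root:19]rmt_web_get_access_cache:886 invalid cache, ret=5003
[3807:root:19]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0
[3807:root:19]sslConnGotoNextState:324 error (last state: 1, closeOp: 0)
[3807:root:19]Destroy sconn 0x7fa5de0000, connSize=0. (root)
[3807:root:19]SSL state:warning close notify (198.51.100.10)
[3807:root:20]req: /remote/saml/start
"""

# Every message is prefixed with [pid:vdom:connection-id].
LINE_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<conn>\d+)\](?P<msg>.*)$")
STATE_ERROR_RE = re.compile(r"sslConnGotoNextState:\d+ error \(last state: (?P<state>\d+)")
SAML_START = "req: /remote/saml/start"
DESTROY = "Destroy sconn"


def group_by_connection(lines):
    """Collect debug messages per (vdom, connection id), preserving order."""
    conns = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            conns[(m["vdom"], m["conn"])].append(m["msg"])
    return conns


def classify(msgs):
    """Verdict for one connection: was the SAML start request torn down with a
    state-machine error instead of proceeding to the IdP?"""
    try:
        start = next(i for i, m in enumerate(msgs) if SAML_START in m)
    except StopIteration:
        return "not-saml-start"
    after = msgs[start + 1:]
    err = None
    for m in after:
        err = STATE_ERROR_RE.search(m)
        if err:
            break
    if err and any(DESTROY in m for m in after):
        return f"saml-start-aborted(last_state={err['state']})"
    return "saml-start-no-error-seen"


def analyze(text):
    """Map every connection found in the debug output to its verdict."""
    return {conn: classify(msgs) for conn, msgs in group_by_connection(text.splitlines()).items()}


def hint(verdict):
    """The checks this article prescribes when the signature is present."""
    if verdict.startswith("saml-start-aborted"):
        return ("SAML flow ended before any redirect to the IdP: check 'config user saml' for "
                "typos or stray spaces, that the SAML server is a member of the user group, "
                "and that the SSL VPN policy references that group.")
    return "no action from this signature"


if __name__ == "__main__":
    for conn, verdict in analyze(SAMPLE_DEBUG).items():
        print(conn, verdict, "->", hint(verdict))
```

Paste a saved debug capture into `analyze()` instead of `SAMPLE_DEBUG`; connections that never issued a SAML start request are reported as `not-saml-start` so they are not mistaken for the problem described here.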

First, make sure 'config user saml' is configured properly, without any typos or stray spaces in the URLs:

config user saml
    edit "SAML"
        set cert "Fortinet_Factory"
        set entity-id "https://<IP-or-FQDN:443>/remote/saml/metadata/"
        set single-sign-on-url "https://<IP-or-FQDN:443>/remote/saml/login/"
        set single-logout-url "https://<IP-or-FQDN:443>/remote/saml/logout/"
        set idp-entity-id "<DUO-Entity-ID-URL>"
        set idp-single-sign-on-url "<DUO-Single-Sign-On-URL>"
        set idp-single-logout-url "<DUO-Single-Log-Out-URL>"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "Group"
        set digest-method sha1
    next
end

Next, the 'config user group' entry must include this SAML server as a member. From the CLI:

config user group
    edit "SAML_grp"
        set member "SAML"
    next
end

Also, make sure this user group is specified in the SSL VPN firewall policy.

This error can also occur if the IdP certificate is incorrect. Ensure that the correct certificate is uploaded and selected in the SSO connection settings.

 

Additionally, ensure that web mode is enabled globally and on the portal.

config system global
    set sslvpn-web-mode enable
end

config vpn ssl web portal
    edit "portal-name"
        set web-mode enable
    next
end
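
The checks above (no stray spaces or typos in 'config user saml', the SAML server listed as a group member, that group on the SSL VPN policy, web mode enabled globally and on the portal) can be run over a copy of the configuration before a client ever connects. The following Python script is an added example, not code from the article or from Fortinet: it parses FortiOS 'config / edit / set / next / end' text and reports each deviation. The 'config firewall policy' / 'set groups' syntax it reads is standard FortiOS but is not shown in the article and is assumed here; the sample configuration is constructed with deliberate mistakes.

```python
import shlex

# Expected SP-side URL suffixes, taken from the article's 'config user saml' example.
SP_SUFFIXES = {
    "entity-id": "/remote/saml/metadata/",
    "single-sign-on-url": "/remote/saml/login/",
    "single-logout-url": "/remote/saml/logout/",
}
VALUE_KEYS = ("cert", "idp-cert", "idp-entity-id", "idp-single-sign-on-url",
              "idp-single-logout-url") + tuple(SP_SUFFIXES)


def parse_fortios(text):
    """Parse 'config/edit/set/next/end' text into {table: {entry: {key: [values]}}}.
    Settings made directly under a table (no 'edit', e.g. system global) use entry ''."""
    tables, stack, table, entry = {}, [], None, ""
    for raw in text.splitlines():
        tok = shlex.split(raw)  # keeps spaces inside quotes, which is exactly what we want to catch
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            stack.append((table, entry))
            table, entry = " ".join(args), ""
            tables.setdefault(table, {})
        elif kw == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif kw == "set":
            tables[table].setdefault(entry, {})[args[0]] = args[1:]
        elif kw == "next":
            entry = ""
        elif kw == "end":
            table, entry = stack.pop()
    return tables


def lint_saml_sso(text):
    """Return a list of findings for the checks the article walks through."""
    cfg = parse_fortios(text)
    findings = []
    for name, s in cfg.get("user saml", {}).items():
        for key in VALUE_KEYS:
            if key not in s:
                findings.append(f"user saml '{name}': '{key}' is not set")
                continue
            val = " ".join(s[key])
            if val != val.strip() or " " in val.strip():
                findings.append(f"user saml '{name}': '{key}' contains stray whitespace: {val!r}")
            if key in SP_SUFFIXES and not val.strip().endswith(SP_SUFFIXES[key]):
                findings.append(f"user saml '{name}': '{key}' should end with {SP_SUFFIXES[key]}")
        # Group membership, then policy reference ('firewall policy' syntax is assumed).
        groups = [g for g, gs in cfg.get("user group", {}).items() if name in gs.get("member", [])]
        if not groups:
            findings.append(f"user saml '{name}': no 'config user group' entry lists it under 'set member'")
        elif not any(set(groups) & set(p.get("groups", [])) for p in cfg.get("firewall policy", {}).values()):
            findings.append(f"user saml '{name}': groups {groups} are not used by any firewall policy 'set groups'")
    if cfg.get("system global", {}).get("", {}).get("sslvpn-web-mode") != ["enable"]:
        findings.append("system global: 'set sslvpn-web-mode enable' is missing")
    for portal, ps in cfg.get("vpn ssl web portal", {}).items():
        if ps.get("web-mode") != ["enable"]:
            findings.append(f"vpn ssl web portal '{portal}': 'set web-mode enable' is missing")
    return findings


# Constructed sample with deliberate mistakes: a leading space in the certificate
# name, a trailing space in the IdP entity ID, a logout URL without the trailing
# slash, a group with no member, and web mode disabled globally.
SAMPLE_CONFIG = """\
config user saml
    edit "SAML"
        set cert " Fortinet_Factory"
        set entity-id "https://vpn.example.com:443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:443/remote/saml/login/"
        set single-logout-url "https://vpn.example.com:443/remote/saml/logout"
        set idp-entity-id "https://idp.example.com/saml/metadata "
        set idp-single-sign-on-url "https://idp.example.com/saml/sso"
        set idp-single-logout-url "https://idp.example.com/saml/slo"
        set idp-cert "REMOTE_Cert_1"
    next
end
config user group
    edit "SAML_grp"
    next
end
config firewall policy
    edit 1
        set groups "SAML_grp"
    next
end
config system global
    set sslvpn-web-mode disable
end
config vpn ssl web portal
    edit "full-access"
        set web-mode enable
    next
end
"""

if __name__ == "__main__":
    for finding in lint_saml_sso(SAMPLE_CONFIG):
        print(finding)
```

Feed it the pasted output of the relevant 'show' commands from the FortiGate; the whitespace check is the one that catches the hard-to-see case, because a quoted value such as `" Fortinet_Factory"` looks fine in the GUI yet does not match the object it is meant to reference.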

 
