aahmadzada
Staff
November 24, 2021

Troubleshooting Tip: How to troubleshoot SAML authentication

Description
This article describes how to troubleshoot SAML authentication.
Scope
FortiGate.
Solution

A situation may occur in which SAML for SSL VPN or administrator access to the GUI is configured correctly according to the Fortinet documentation, but authentication still fails.

In such a case, the proper approach is to run the debug for samld, the process responsible for SAML authentication on the FortiGate.

 

  1. Run these debugging commands in FortiGate's command line interface (CLI), either on the console or while connected to the FortiGate via SSH:
     
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug application authd -1
diagnose debug application httpsd -1 <----- For Admin access.
diagnose debug application http_authd -1 <----- Available since 7.6.x.
diagnose debug application sslvpn -1 <----- For SSL VPN.
diagnose debug application eap_proxy -1
diagnose debug enable

 

Reset debug using the following command:
 
diagnose debug reset
 
Disable debug using the following command:
 
diagnose debug disable
 
Note:
Before running the steps below, make sure the console output is being captured to a file, so that the debug output can be searched afterwards.
 
Follow this article for instructions on how to capture the output in a text file with PuTTY: Technical Tip: How to create a log file of a session using PuTTY.
 
  2. Trigger SAML authentication.
     
  3. Open the console output file in a text editor.
     
  4. If the following string is found in the text file, the FortiGate could not verify the signature on the IDP's response, which points to a problem with the IDP certificate configured on the FortiGate (for example, an outdated or wrong certificate):
 
Failed to process response message. ret=440(The profile cannot verify a signature on the message)

To resolve this scenario:
  1. Remove the IDP cert from the SAML config.
  2. Delete it from the list of certificates.
  3. Download it again from the IDP and import it.
  4. Use that certificate in the SAML config.

 

If the issue was related to the certificate, authentication should succeed after applying the above changes.

Note:

When MFA is used, verify the remote authentication timeout value. The default remote authentication timeout is 5 seconds, which is the longest the FortiGate waits for the remote authentication to complete; a user who has to approve a push notification or type a one-time code usually needs longer than that. To increase the timeout value for MFA, use the following commands:

 

config system global
    set remoteauthtimeout 60
end


Read more details about remoteauthtimeout in Technical Tip: Explaining global 'set remoteauthtimeout', user radius 'set timeout', and how they work together.

To collect the SAML messages exchanged by the user's browser, use a SAML tracing browser extension, which shows the AuthnRequest sent to the IDP and the SAML Response returned to the FortiGate.

Note:

  • Each FortiGate requires a unique Assertion Consumer Service (ACS) URL (for example, https://<local-ip>:1003/remote/saml/login), which must exactly match the reply URL registered in Azure AD. Because each FortiGate has a different IP, sharing a single SAML application instance across multiple FortiGates does not satisfy this strict URL binding and leads to authentication failures.
  • After upgrading FortiGate to v7.2.12, v7.4.9, or v7.6.4, the Azure IDP configuration must be updated to 'Sign SAML response and assertion'. See Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.
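The checks a practitioner would run on a SAML Response captured with a browser tracing extension, as an added example for this article (it is not Fortinet code and not part of the original article). It decodes the base64 Response and reports three things the notes above and the ret=440 case turn on: whether the Destination equals the FortiGate's ACS URL, whether both the Response and the Assertion carry a signature, and whether the certificate embedded in the signature is the same one imported on the FortiGate as the IDP certificate (compared by SHA-256 fingerprint of the DER bytes). The sample response, the ACS URL and the two certificate blobs are constructed for the example; the certificate blobs are dummy bytes, not real X.509 certificates, and the code does not verify the signature cryptographically, which is samld's job.

```python
"""Pre-check a captured SAML Response before blaming the FortiGate.

Added example for the troubleshooting article, not Fortinet code. Inputs are
constructed: the certificate blobs are placeholder bytes, not real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a base64-encoded DER certificate.

    Whitespace/newlines are stripped so a PEM body pasted from a file also works.
    """
    der = base64.b64decode("".join(b64_der.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_saml_response(b64_response: str, expected_acs: str, fortigate_idp_cert_b64: str) -> dict:
    """Return a dict of findings for the base64 SAML Response taken from the browser."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = {}

    # 1. Destination must be exactly the ACS URL of this FortiGate
    #    (https://<local-ip>:1003/remote/saml/login style); a different IP or
    #    scheme/port is an immediate failure.
    dest = root.get("Destination")
    findings["destination"] = dest
    findings["destination_ok"] = dest == expected_acs

    # 2. Signature presence at both levels ('Sign SAML response and assertion').
    resp_sig = root.find("ds:Signature", NS)
    assertion = root.find("saml:Assertion", NS)
    assertion_sig = assertion.find("ds:Signature", NS) if assertion is not None else None
    findings["response_signed"] = resp_sig is not None
    findings["assertion_signed"] = assertion_sig is not None

    # 3. The signing certificate in KeyInfo must be the IDP certificate the
    #    FortiGate has imported; a mismatch is what samld reports as ret=440.
    sig = assertion_sig if assertion_sig is not None else resp_sig
    cert_el = sig.find(".//ds:X509Certificate", NS) if sig is not None else None
    if cert_el is not None and cert_el.text:
        fp = cert_fingerprint(cert_el.text)
        findings["signing_cert_fp"] = fp
        findings["cert_matches_fortigate"] = fp == cert_fingerprint(fortigate_idp_cert_b64)
    else:
        findings["signing_cert_fp"] = None
        findings["cert_matches_fortigate"] = False
    return findings


# --- Constructed sample data (not captured from a real IDP) -------------------
FAKE_CERT_SIGNING = base64.b64encode(b"constructed: cert the IDP signs with today").decode()
FAKE_CERT_ON_FORTIGATE = base64.b64encode(b"constructed: cert imported on the FortiGate").decode()
ACS_URL = "https://203.0.113.10:1003/remote/saml/login"  # constructed FortiGate ACS URL

# Assertion signed, Response not signed, and signed with a cert the FortiGate
# does not have: reproduces both failure modes described in the article.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2021-11-24T10:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>https://sts.windows.net/constructed-tenant/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-11-24T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/constructed-tenant/</saml:Issuer>
    <ds:Signature>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_SIGNING}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for key, value in check_saml_response(SAMPLE_B64, ACS_URL, FAKE_CERT_ON_FORTIGATE).items():
        print(f"{key}: {value}")
```

In practice, paste the base64 SAMLResponse value shown by the tracing extension as the first argument and the Base64/PEM body of the certificate configured under the FortiGate's SAML user as the third. A `destination_ok` of False means the IDP is answering to a different ACS URL than this FortiGate's; `response_signed` False after the firmware versions listed above means the Azure signing option still needs to be changed; `cert_matches_fortigate` False is the case that re-importing the IDP certificate fixes.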