Troubleshooting Tip: SAML authentication fails with error 'login page did not respond within time limit'

This article explains a scenario where SAML authentication is configured correctly, but the user receives an error when connecting to the SSL VPN with SAML authentication. A workaround is included.

When the user connects to SSL VPN using SAML authentication, the error message 'login page did not respond within time limit' appears during the first attempt, followed by an 'ERR_EMPTY_RESPONSE' error. However, the user can connect on the second attempt without any errors.

Various reasons:

1. This timeout limit will appear if the user’s password has not been entered within a specified period or when the authentication to the SAML identity provider takes longer than the timeout configured on the FortiGate.  

To prevent the issue from occurring, increase the remote authentication timeout accordingly to the following CLI commands:

config system global  

    set remoteauthtimeout 60     

end

FortiGate default " remoteauthtimeout "value is 5 seconds. Enter an integer value from <1> to <300>

2. The IdP configuration has the incorrect URLs set for the FortiGate SP, resulting in SAML responses getting misdirected. For the LassoServer message, double-check the entity-id and idp-entity-id to confirm if IDP's settings are identical. 

    

To verify the config on both sides, refer to Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML IdP.

3. One of the other possible reasons is that the FortiGate may be encountering connection timeout while waiting for the SAML request and reply, which could be due to network delay, slow IdP response, or issues while fetching data from IdP (two factor, MFA). If the entire authentication process took longer than the remote authentication timeout, the FortiGate will terminate the whole process.