Technical Tip: SAML login fails with invalid response
Description
This article describes how to troubleshoot a SAML login that fails with an invalid response error.
Solution
1) The FortiManager/FortiAnalyzer GUI may return the following error after SAML user authentication:
invalid_response: Could not validate timestamp: not yet valid. Check system clock.
2) Verify the NTP status.
FMG01 # diagnose system ntp status
MS Name/IP address Stratum Poll Reach LastRx Last sample
===================================================================
^* 208.91.112.63 2 10 377 412 -50us[ +61us] +/- 101ms
3) If no NTP server information is shown, verify connectivity to the NTP server and the DNS server.
FMG01 # diag system ntp status
No information for NTP server
4) Verify the system time.
FMG01 # execute time
current time is: 10:14:11
FMG01 # execute date
current date is: 05/16/2022
5) Manually modify the date / time if required.
FMG01 # execute time 11:14:11
FMG01 # execute date 05/17/2022
6) If the issue persists, gather a SAML trace and contact Fortinet TAC.
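"Not yet valid" means the assertion's NotBefore time is later than the clock of the device validating it. The following is an added example, not Fortinet code and not part of the original article: it checks an assertion's Conditions window against a given clock and reports how far outside the window that clock is. The sample assertion, the function names and the assumption that the device clock is read as UTC are all constructed for illustration, and no signature validation is performed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the timing element of an assertion, no signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2022-05-17T11:14:11Z" NotOnOrAfter="2022-05-17T11:19:11Z"/>
</saml:Assertion>"""

def parse_ts(value):
    """Parse a SAML xs:dateTime given in UTC, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_window(assertion_xml, sp_now, allowed_skew=timedelta(0)):
    """Return (status, offset); offset is how far sp_now lies outside the window."""
    cond = ET.fromstring(assertion_xml).find(".//saml:Conditions", NS)
    if cond is None:
        raise ValueError("no saml:Conditions element in input")
    not_before = cond.get("NotBefore")
    not_after = cond.get("NotOnOrAfter")
    # Clock behind the identity provider: assertion looks like it is from the future.
    if not_before and sp_now + allowed_skew < parse_ts(not_before):
        return "not yet valid", parse_ts(not_before) - sp_now
    # Clock ahead of the identity provider: assertion looks stale.
    if not_after and sp_now - allowed_skew >= parse_ts(not_after):
        return "expired", sp_now - parse_ts(not_after)
    return "valid", timedelta(0)

if __name__ == "__main__":
    # Device clock values from steps 4 and 5, read as UTC (assumption).
    behind = datetime(2022, 5, 16, 10, 14, 11, tzinfo=timezone.utc)
    corrected = datetime(2022, 5, 17, 11, 14, 11, tzinfo=timezone.utc)
    for label, now in (("before correction", behind), ("after correction", corrected)):
        status, offset = check_window(SAMPLE_ASSERTION, now)
        print(f"{label}: {status} (offset {offset})")
```

The reported offset is the minimum amount the device clock has to move for the assertion to fall inside its validity window.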
Related link:
Technical Tip: SAML SSO - FortiManager/FortiAnalyzer Troubleshooting Options