Ted (Staff)
February 27, 2025

Technical Tip: SSO administrator username limitation with Okta

Description

This article describes the username limitations that apply to SAML SSO login for FortiProxy administrators when Okta acts as the SAML IdP.
A user may see the message 'Error in SP ACS handler. Failed to create SSO admin' when trying to log in through the IdP login page.


(Screenshot: fpx_okta.PNG)

samld and httpsd debug:

To enable debugging:

diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug application httpsd -1
diagnose debug enable

samld_send_common_reply [99]: Attr: 18, 33, 2025-02-17T02:59:00.589Z
samld_send_common_reply [95]: Attr: 10, 35, 'username' 'tkim@fortinet.com' <==========
samld_send_common_reply [99]: Attr: 11, 483, https://10.0.120.179/?SAMLRequest=..skip..
2025-02-16 18:54:00 [httpsd 2093 - 1739760840 error] saml_sp_acs_handler[823] -- Error in SP ACS handler. Failed to create SSO admin.
2025-02-16 18:54:00 [httpsd 2093 - 1739760840 info] fweb_debug_final[319] -- Completed POST request for "/saml/" (HTTP 200 OK)
samld_send_common_reply [119]: Sent resp: 12128, pid=2093, job_id=0.

To disable debug:

diagnose debug disable
diagnose debug reset

Scope

FortiProxy.
Solution

FortiProxy does not allow SSO admin usernames to contain '@' or '.', so a username such as the email address 'tkim@fortinet.com' seen in the debug output above cannot be used to create the SSO admin.

The admin username must follow these rules:

  • Use only these characters: a-z, A-Z, 0-9, _, -
  • Cannot begin with -
  • Can end with a $
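The following is an added example, not code from the article or from Fortinet, that encodes the three username rules above as a pre-flight check. It validates a candidate username, reports which rule a rejected name breaks, and pulls the 'username' attribute out of samld debug lines so an administrator can confirm what Okta is actually asserting before changing the IdP attribute mapping. The regular expressions, function names and the sample debug lines are this example's own assumptions, modelled on the output shown earlier.

```python
import re

# FortiProxy SSO admin username rules as stated in the article (assumed to be
# the complete rule set):
#   - only a-z, A-Z, 0-9, '_' and '-'
#   - must not begin with '-'
#   - may end with a single '$'
ALLOWED_BODY_CHAR = re.compile(r'[A-Za-z0-9_-]')
USERNAME_RE = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_-]*\$?$')

# Matches the "'username' 'value'" pair in a samld_send_common_reply line.
SAMLD_USERNAME_RE = re.compile(r"'username' '([^']*)'")


def is_valid_sso_admin_username(name: str) -> bool:
    """True if `name` satisfies the rules listed above."""
    return USERNAME_RE.fullmatch(name) is not None


def username_problems(name: str) -> list:
    """Explain why a candidate username would be rejected (empty list if it is fine)."""
    if not name:
        return ["empty username"]
    problems = []
    # A single trailing '$' is permitted; everything before it must be body characters.
    body = name[:-1] if name.endswith('$') else name
    bad = sorted({c for c in body if not ALLOWED_BODY_CHAR.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    if name.startswith('-'):
        problems.append("must not begin with '-'")
    if not body:
        problems.append("nothing before the trailing '$'")
    return problems


def username_from_samld_debug(lines) -> str:
    """Return the username asserted by the IdP as seen in samld debug output, or None."""
    for line in lines:
        m = SAMLD_USERNAME_RE.search(line)
        if m:
            return m.group(1)
    return None


# Constructed sample lines modelled on the debug output in the article.
SAMPLE_DEBUG = [
    "samld_send_common_reply [99]: Attr: 18, 33, 2025-02-17T02:59:00.589Z",
    "samld_send_common_reply [95]: Attr: 10, 35, 'username' 'tkim@fortinet.com'",
]


if __name__ == "__main__":
    asserted = username_from_samld_debug(SAMPLE_DEBUG)
    print("IdP asserted:", asserted, "->", username_problems(asserted))
    for candidate in ("tkim", "t_kim-01$", "-tkim", "tkim$x", "tkim@fortinet.com"):
        print(candidate, is_valid_sso_admin_username(candidate), username_problems(candidate))
```

Running the script against the constructed sample shows the email-style username rejected for the '.' and '@' characters, which is the condition that produces the 'Failed to create SSO admin' error; the same check can be run over a saved samld debug capture before adjusting the Okta attribute that feeds the FortiProxy admin name.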