sjoshi (Staff)
August 18, 2025

Troubleshooting Tip: Troubleshooting SAML Login Page Redirection Failures in FortiSASE with FortiAuthenticator as IdP


Description

 

This article describes how to troubleshoot and resolve a SAML login page redirection failure in FortiSASE when FortiAuthenticator is acting as the IdP.

 

Scope

 

FortiSASE.

 

Solution

 

First, verify that FortiAuthenticator is configured correctly and that the SAML settings are properly set up, as described in: Technical Tip: Optimizing Secure Remote Access - a comprehensive guide to FortiClient VPN SSO integration with FortiSASE

 

 

When the endpoint attempts to connect to the VPN, the SAML login page fails to load, and the following error is encountered:

 

[Screenshot: Capture (1).PNG - error shown when the SAML login page fails to load]

 

 

Here, 182.71.197.71 is the FortiAuthenticator IdP IP, as configured in the SAML SP settings:

 

set idp-single-sign-on-url "https://182.71.197.71/saml-idp/sase/login/"

 

When a FortiClient user initiates a VPN connection to FortiSASE, the client first connects on the configured auth-ike-saml-port.

FortiSASE then responds with a redirect containing the IdP URL, with the SAML authentication request embedded in it. Following this redirect, FortiClient forwards the authentication request directly to the IdP, which in turn presents the login page to the user. This means the endpoint itself, not only FortiSASE, must be able to reach the IdP.

 

In this setup, FortiAuthenticator is located behind an upstream FortiGate with the public IP address 182.71.197.71, and port forwarding is correctly configured to direct traffic to FortiAuthenticator. However, communication issues persist between the FortiClient endpoint and FortiAuthenticator.
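The redirect flow above and the resulting connectivity requirement can be checked from the endpoint side. The following script is an added example, not part of the original article or of any Fortinet product: it builds a SAML HTTP-Redirect binding URL the way an SP does (DEFLATE, base64, URL-encode), decodes it back to find the IdP Destination the endpoint must reach, and then performs a plain TCP connect to that host and port. The AuthnRequest, the sp.example.invalid issuer and ACS URL, and the RelayState value are constructed placeholders; only the IdP SSO URL comes from the article.

```python
import base64
import socket
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an AuthnRequest as an SP (FortiSASE in the article) would
# embed in its redirect. Destination is the IdP SSO URL from the article; the
# issuer, ACS URL and request ID are placeholders, not real FortiSASE values.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_example-request-id" Version="2.0" IssueInstant="2025-08-18T00:00:00Z"
  Destination="https://182.71.197.71/saml-idp/sase/login/"
  AssertionConsumerServiceURL="https://sp.example.invalid/saml/acs">
  <saml:Issuer>https://sp.example.invalid/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_url(idp_sso_url, authn_request_xml, relay_state="vpn"):
    """Build an HTTP-Redirect binding URL the way an SP does."""
    # The redirect binding uses raw DEFLATE (no zlib header), hence wbits=-15.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(),
              "RelayState": relay_state}
    sep = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + sep + urlencode(params)


def decode_redirect_url(redirect_url):
    """Inverse of encode_redirect_url: recover the AuthnRequest fields."""
    qs = parse_qs(urlparse(redirect_url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode()
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
        "relay_state": qs.get("RelayState", [None])[0],
    }


def idp_endpoint(destination):
    """Host and port the endpoint must reach to load the IdP login page."""
    u = urlparse(destination)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def check_idp_reachable(destination, timeout=5.0):
    """TCP-connect to the IdP from wherever this runs (ideally the failing endpoint).

    A timeout here, while FortiSASE itself can reach the IdP, matches the symptom
    in the article: the inbound policy on the upstream FortiGate admits only the
    FortiSASE source IP, so the endpoint's public IP is dropped.
    """
    host, port = idp_endpoint(destination)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"TCP {host}:{port} reachable"
    except socket.timeout:
        return False, (f"TCP {host}:{port} timed out: check the source address "
                       "of the inbound policy on the upstream FortiGate")
    except OSError as exc:
        return False, f"TCP {host}:{port} failed: {exc}"


if __name__ == "__main__":
    url = encode_redirect_url("https://182.71.197.71/saml-idp/sase/login/",
                              SAMPLE_AUTHN_REQUEST)
    info = decode_redirect_url(url)
    print("IdP login page the endpoint must reach:", info["destination"])
    print(check_idp_reachable(info["destination"]))
```

Run it on the affected endpoint: if the decoded Destination is the FortiAuthenticator address but the TCP connect times out, the endpoint's public IP is not being admitted by the upstream firewall, which is exactly the condition the rest of this article resolves.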

 

Reviewing the incoming firewall policy on the upstream FortiGate revealed that only the FortiSASE public IP is permitted for communication with the FortiAuthenticator.

 

[Screenshot: 1.PNG - inbound firewall policy on the upstream FortiGate permitting only the FortiSASE public IP]

 

For the SAML flow to work, the endpoint's public IP must also be allowed by this policy. Since endpoint public IPs are dynamic, the source address in the firewall policy should be set to 'all' or restricted to the required geographic region rather than to individual addresses.

 

In this example, one of the user endpoint public IPs was added to the firewall policy, after which the SAML login page appeared.

 

[Screenshot: 2.PNG - firewall policy updated to allow the endpoint's public IP]

 

The SAML login page loads correctly after the endpoint's public IP is allowed.

 

[Screenshot: 3.PNG - SAML login page displayed on the endpoint]