Skip to main content
d0ckt8le
d0ckt8le
New Member
April 7, 2016
Question

FortiAuthenticator 4.1 and SAML

  • April 7, 2016
  • 1 reply
  • 5487 views

Hello,

 

We are very interested in using the SAML portal.

We want to couple it with our Microsoft ADFS infrastructure.

 

Are there more documentation/debug logs?

On our ADFS Forms based authentication was disabled which resulted in the following error in the eventviewer:

 

Exception details: Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.

The FortiAuthenticator defines in the SAML request which auth method it wants:

<samlp:RequestedAuthnContext Comparison="exact"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>

 

If you do not have Forms based authentication active on your ADFS you get an error.

We would like to use Windows Integrated Authentication on ADFS so users dont have to enter credentials and it is seemless to them.

Is it possible to remove the RequestedAuthnContext?

 

I know get a webpage to enter my credentials. Authentication succeeds but I get an error on the FortiAuthenticator.

SAML Login portal

Errors:
  • invalid_response[/ul] Not authenticated   Where can I get more debug/log information about this error?   Is there more information available about the 'List of IDP groups' on the SAML configuration page? Which attributes does the FortiAuth expect from the IDP? Is it possible to do the group membership queries by the FortiAuth via LDAP based on the username attribute returned from the IDP?   regards       regards

      • 1 reply

      Carl_Windsor_FTNT
      Staff
      Carl_Windsor_FTNT
      Staff
      April 8, 2016

      You are seeing what we also saw during our testing of ADFS.  There are many different versions and patch levels of ADFS and bewildering array of schemas so obtaining a valid assertion it tricky.

       

      To debug we will require more details about your set up e.g. OS version, ADFS version,  and if possible a copy of the SAML request/response.  Please open a Support ticket and we will look into this.

       

      >Is it possible to remove the RequestedAuthnContext?

      Will replicate and discuss with developers.

       

      d0ckt8le
      d0ckt8leAuthor
      New Member
      April 8, 2016

      Ok will do thx!

      I will reference to this post.

      Terms & ConditionsAccessibility statement