Skip to main content
KubaG
KubaG
Explorer
March 20, 2026
Question

IPSec IKEv2 via FortiAuthenticator SAML dialup VPN

  • March 20, 2026
  • 4 replies
  • 902 views

Hello guys,

 

I am currently facing an issue with user authentication when connecting to dialup IPSec IKEv2 VPN using SAML authentication through FortiAuthenticator.

Ending with this error:

2026-03-20_14h40_49.png

Generated some random hash or something instead of user name and reason is SAML auth resp is not detected. 

Here is part my configuration:

config system global
     set auth-ike-saml-port 1001

     set remoteauthtimeout 120

 

config user saml
    edit "saml_FAC"
    set cert "*.secret-2026"
    set entity-id "http://vpn.secret.cz:1001/remote/saml/metadata/"
    set single-sign-on-url "https://vpn.secret.cz:1001/remote/saml/login/"
    set single-logout-url "https://vpn.secret.cz:1001/remote/saml/logout/"
    set idp-entity-id "http://fac.secret.cz:4433/saml-idp/ipsecvpn/metadata/"
    set idp-single-sign-on-url "https://fac.secret.cz:4433/saml-idp/ipsecvpn/login/"
    set idp-single-logout-url "https://fac.secret.cz:4433/saml-idp/ipsecvpn/logout/"
    set idp-cert "FAC-IDP"
    set user-name "users"
    set group-name "groupname"
    set digest-method sha1
next
end


config system interface
    edit "wan2"
    set vdom "root"
    set ip 10.xx.xx.230 255.255.255.224
    set allowaccess ping
    set vlanforward enable
    set type physical
    set alias "wan2"
    set ike-saml-server "saml_FAC"
    set role wan
    set snmp-index 3
next
end

 

config vpn ipsec phase1-interface
    edit "FortiClient_VPN"
    set type dynamic
    set interface "wan2"
    set ike-version 2
    set local-gw 10.xx.xx.230
    set peertype any
    set net-device disable
    set mode-cfg enable
    set ipv4-dns-server1 192.xx.xx.209
    set proposal aes128-sha256 aes256-sha256
    set dhgrp 20 21
    set eap enable
    set eap-identity send-request
    set network-overlay enable
    set network-id 1
    set transport auto
    set ipv4-start-ip 10.212.180.5
    set ipv4-end-ip 10.212.180.60
    set psksecret ENC xxx
    set negotiate-timeout 120
next

FortiAuthenticator Idp provider:

2026-03-20_14h32_01.png

 

 And some logs of user authentication via FortiAuthenticator.

2026-03-20_14h28_11.png


 

From my perspective, it seems that authentication through FortiAuthenticator completes successfully, but for some reason the response is not properly delivered to the FortiGate. Unfortunately, I haven’t been able to determine why this is happening.

Has anyone experienced a similar issue and found a way to resolve it?

Thank you very much for any advice.



4 replies

funkylicious
SuperUser
funkylicious
SuperUser
March 20, 2026

hi,

according to the documentation under Assertion Attributes for users/groupname the User Attribute should be Username and Group.

then try like that.

 

source: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-IPsec-dial-up-IKEv2-SAML-based/ta-p/361025 

funkylicious_0-1774016026017.png

 

 

L.E. also consider setting a higher timeout on the FGT

 

config system global
    set remoteauthtimeout 120
end

"jack of all trades, master of none"
KubaG
KubaGAuthor
Explorer
March 20, 2026

Hi,

thank you for your suggestions.

 

I have already tested the configuration with Username and Group as Assertion Attributes, but unfortunately it did not resolve the issue. In my understanding, the exact attribute names should not be critical as long as they are consistent between the IdP (FortiAuthenticator) and the SP (FortiGate).

 

Also, the set remoteauthtimeout 120 configuration is already applied on the FortiGate. I apologize for not mentioning this in my original post.

funkylicious
SuperUser
funkylicious
SuperUser
March 20, 2026

try tshooting on the FGT for more info with the commands below. after executing them try a connection and maybe post some sanitized logs. you can stop by doing diag debug disable

 

diag debug reset
diag debug application ike -1
diag debug application samld -1
diag debug application fnbamd -1
diag debug application eap_proxy -1
diag debug console timestamp enable
diag debug enable

"jack of all trades, master of none"
gstefou
gstefou
Explorer
March 23, 2026

Kuba, 

 

Have you updated your FortiGate firmware recently to v7.2.12, v7.4.9 or v7.6.4? 

There's has been a change in the default behavior of the SAML Assertion responce-request from the FortiGate side. 

Take a look at this -> https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firmware/ta-p/407859

 

In addition, it would be helpful to share some screenshots of the client's VPN login page when attempting to login.  

KubaG
KubaGAuthor
Explorer
March 24, 2026

Unfortunately this FortiGate is currently running  firmware 7.6.2 - I know it is not ideal version, but before proceeding with any firmware upgrade, we first need to get the IPSec VPN (IKEv2 + SAML) fully operational and properly tested, as this is required to maintain service continuity for the customer.

There are some screenshot from attempts of login, before this two screens are just three for user login, password and FortiToken.

Snímek obrazovky 2026-03-24 132006.png

Snímek obrazovky 2026-03-24 132040.png

  




funkylicious
SuperUser
funkylicious
SuperUser
March 24, 2026

try what @gstefou suggested with the kb from above to set under the user saml settings on FGT, but you would need to be at either 7.6.5 or 7.4.10 at least.

"jack of all trades, master of none"
sisrayilov
Staff
sisrayilov
March 23, 2026

Hello Kuba,
Several causes may trigger that failure. The best approach would be checking the SAML/FNBAMD/IKE debug logs requested previously which can hep to clarify the case. Please attach the log output to the ticket to go further.

yderek
Staff
yderek
Staff
March 23, 2026

Have you got right group in firewall policy for the authentication as seem like the authgroup is not under phase1 setting , if correct group added to firewall policy 

worth to run the saml debug to check first and follow what @gstefou has been given , the KB 

previously 

debug command will be 

 

#dia de reset 

#dia de dis 

#dia de app samld -1

#dia de en 

authenticate the user and stop the debug using below 

#dia de dis 

#dia de reset

 upload ouput to here 

KubaG
KubaGAuthor
Explorer
March 24, 2026

Diagnostic of SAML are ending with these few rows:

 

__samld_sp_login_resp [830]: Failed to process response message. ret=-201(The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().)
samld_send_common_reply [91]: Code: 1, id: 698456, pid: 317, len: 239, data_len 223
samld_send_common_reply [99]: Attr: 22, 12, 7
samld_send_common_reply [99]: Attr: 23, 211, The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
samld_send_common_reply [119]: Sent resp: 239, pid=317, job_id=698456.

 

I believe the issue is in these last lines, but I’m unable to determine exactly what the problem is.

 
 
 
funkylicious
SuperUser
funkylicious
SuperUser
March 24, 2026

i followed step by step all that was pointed out in the config guide link from a previous comment of mine and worked w/o any issues on FGT 7.4.9, FAC 6.6.9 and FCT 7.4.3

"jack of all trades, master of none"
Terms & ConditionsAccessibility statement