nplljw
New Member
December 6, 2024
Solved

When FortiGate integrates with FortiAuthenticator for SAML, FortiClient reports an error "SAML Request"

  • December 6, 2024
  • 2 replies
  • 2418 views

The detailed information is: You are not allowed to access this resource because the SAML request from your service provider (https://192.168.199.60:10443) has expired. Please try to access your service provider page again.

Best answer by pminarik
2 replies

sjoshi
Staff
December 6, 2024

Hi,

Can you share the SAML config, and the config on the FAC side also?

Thanks, Salon
nplljw (Author)
New Member
December 6, 2024

FGT:

config user saml
    edit "fac-firewall"
        set entity-id "http://192.168.199.60:10443/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.199.60:10443/remote/saml/login/"
        set single-logout-url "https://192.168.199.60:10443/remote/saml/logout/"
        set idp-entity-id "http://192.168.199.63/saml-idp/9xis00wasv70xh4r/metadata/"
        set idp-single-sign-on-url "https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/"
        set idp-single-logout-url "https://192.168.199.63/saml-idp/9xis00wasv70xh4r/logout/"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

FAC (attached screenshots): General configuration.png, Service Providers configuration.png, Service Providers configuration2.png

pminarik (Answer)
Staff
December 6, 2024

This can be intentionally reproduced if you set your FortiGate's system time into the past by enough time. (I tried it with a few hours back)

Double-check that your time is in sync with some NTP server, and the correct timezone is set, on BOTH your FortiGate and the FortiAuthenticator.

Why does it matter? The AuthnRequest generated by SAML SP (=FortiGate) includes an IssueInstant field, which signals when the request was generated by the SP. The IdP (=FortiAuthenticator) can validate this and discard requests that are considered too old.
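To make the IssueInstant check above concrete, here is an added example (not code from this thread, from FortiGate or from FortiAuthenticator) that models the IdP side: it builds an AuthnRequest stamped with the SP's clock, then validates it against the IdP's clock. The Issuer and AssertionConsumerServiceURL values reuse the FortiGate config posted in the thread; the request ID, the "now" timestamp, and the MAX_AGE / ALLOWED_SKEW windows are constructed assumptions, since the thread does not state FortiAuthenticator's real limits. The simulate() helper is hypothetical and exists only to run the scenarios from the answer (clocks in sync, SP a few hours behind, SP slightly or badly ahead).

```python
# Added example: minimal model of an IdP validating the IssueInstant of a SAML
# AuthnRequest. Shows why an SP clock that lags the IdP makes every request
# look "expired", and why a clock that runs ahead fails differently.
from datetime import datetime, timedelta, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_AGE = timedelta(minutes=5)        # assumed: how old a request may be
ALLOWED_SKEW = timedelta(minutes=2)   # assumed: tolerated SP/IdP clock drift

# Constructed AuthnRequest template; Issuer and ACS URL mirror the posted FortiGate config.
AUTHN_REQUEST_TEMPLATE = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-0001" Version="2.0" IssueInstant="{issue_instant}" '
    'AssertionConsumerServiceURL="https://192.168.199.60:10443/remote/saml/login/">'
    '<saml:Issuer>http://192.168.199.60:10443/remote/saml/metadata/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def to_saml_time(dt: datetime) -> str:
    """Format a datetime as the UTC xs:dateTime SAML uses (trailing 'Z')."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def from_saml_time(text: str) -> datetime:
    """Parse a SAML UTC timestamp back into a timezone-aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def build_authn_request(sp_clock: datetime) -> str:
    """Build the request the SP (FortiGate) would emit, stamped with the SP's own clock."""
    return AUTHN_REQUEST_TEMPLATE.format(issue_instant=to_saml_time(sp_clock))


def validate_issue_instant(authn_request_xml: str, idp_clock: datetime) -> Tuple[bool, str]:
    """IdP-side check: accept only if IssueInstant is close enough to the IdP's clock."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        return False, "not an AuthnRequest"
    issue_instant = from_saml_time(root.attrib["IssueInstant"])
    age = idp_clock - issue_instant          # positive: request is in the past
    if age > MAX_AGE + ALLOWED_SKEW:
        return False, "expired: issued %s ago" % age
    if age < -ALLOWED_SKEW:
        return False, "issued %s in the future" % (-age)
    return True, "ok"


def simulate(sp_offset_seconds: float) -> Tuple[bool, str]:
    """Hypothetical driver: one login attempt with the SP clock off from the IdP clock."""
    idp_clock = datetime(2024, 12, 6, 10, 0, 0, tzinfo=timezone.utc)  # constructed 'now'
    request = build_authn_request(idp_clock + timedelta(seconds=sp_offset_seconds))
    return validate_issue_instant(request, idp_clock)


if __name__ == "__main__":
    for label, offset in [
        ("clocks in sync", 0),
        ("SP 3 hours behind (the symptom in this thread)", -3 * 3600),
        ("SP 90 seconds ahead (within tolerated skew)", 90),
        ("SP 1 hour ahead (e.g. wrong timezone)", 3600),
    ]:
        print("%s: %s" % (label, simulate(offset)))
```

The point of the model is that the IdP never trusts the SP's clock; it compares IssueInstant with its own time, so any drift between FortiGate and FortiAuthenticator larger than the tolerated window is indistinguishable from a stale, possibly replayed request. Keeping both devices on NTP with the correct timezone is what keeps that difference inside the window.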

nplljw (Author)
New Member
December 6, 2024

Thank you for your answer. It is indeed due to time synchronization, and now there is a new phenomenon. The FortiClient connection has been stuck at 40%, and there is no window asking if you want to continue using untrusted TLS/SSL certificates.

pminarik
Staff
December 6, 2024

I would suggest gathering sslvpn + saml debug outputs (same as you did already), for this new situation. That could clarify where things get stuck.