Description
This article describes how to troubleshoot SAML SSO logon errors with FortiManager/FortiAnalyzer in SP role.
Scope
FortiManager and FortiAnalyzer.
Solution
After the user is authenticated by the IdP, the FortiManager/FortiAnalyzer GUI can return different errors if something in the assertion is incorrect or unexpected.
Those errors are typically displayed as a pink banner at the top of a blank page, and the message gives a fairly clear description of the problem (with one exception).
Below are some of the common errors and their possible causes.
Web Server Error 500 (no pink banner in this case):
Possible causes:
invalid_response: There is no AttributeStatement on the Response.
Possible causes:
<AttributeStatement> is completely missing from the IdP response.
This usually happens when the IdP sends no attributes by default (e.g. ADFS) or all attributes were removed by mistake.
The SAML Response is missing the assertion attribute 'username'.
Possible Causes:
'username' attribute is not configured in the custom claims/attributes on IdP side.
This attribute is mandatory for the FortiManager/FortiAnalyzer SAML implementation.
The value of 'username' should also match the value of 'Name ID'.
Admin 'xxxxx' does not exist.
Possible Causes:
'Auto Create Admin' is disabled in the FortiManager/FortiAnalyzer SAML SSO configuration and the 'username' value in the <AttributeStatement> does not match a local user.
Failed to create SSO admin.
Possible Causes:
'Auto Create Admin' is enabled in the FortiManager/FortiAnalyzer SAML SSO configuration, but the 'username' value in the <AttributeStatement> contains unsupported characters, for example an external Azure AD account containing a '#' sign.
invalid_response: Invalid issuer in the Assertion/Response (expected aaa, got bbb).
Possible Causes:
Misconfigured 'IdP Entity ID' URL in the FortiManager/FortiAnalyzer configuration.
SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding.
Possible Causes:
Misconfigured 'IdP Logout URL' in the FortiManager/FortiAnalyzer configuration or misconfigured logout endpoint binding on IdP side relying party (application) settings.
invalid_logout_request_signature, Signature validation failed. Logout Request rejected: Signature validation failed. SAMLRequest rejected.
Possible Causes:
Misconfigured 'IdP Logout URL' in the FortiManager/FortiAnalyzer configuration, maybe pointing to an IdP endpoint requiring signed logout requests.
invalid_response: Signature validation failed. SAML Response rejected.
Possible Causes:
The IdP response signature does not match the IdP certificate selected in FortiManager/FortiAnalyzer. This is usually caused by an incorrect certificate being imported/selected in the SAML SSO configuration.
invalid_response: No Signature found. SAML Response rejected.
Possible Causes:
<SignatureValue> is missing from the IdP response; an IdP-side misconfiguration prevents it from signing the response.
There may be other errors not covered by this article.
The assertion might need to be analyzed in order to verify the errors and/or troubleshoot further.
The easiest way to capture the SAML request/response is with an extension/plugin installed in the user's browser.
Below are two simple-to-use Chrome extensions, which add a SAML tab to the Chrome Dev Tools (F12).
There are many similar tools for other browsers as well. Regardless of which one is used, the important part is to see if FortiManager/FortiAnalyzer is sending the correct SP AuthnRequest and to verify if the IdP Response/Assertion contains the correct URLs, signatures and attributes.
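Once the Response has been captured and base64-decoded, the structural conditions behind the banner messages above can be pre-checked offline. The script below is an added example, not part of this article or of the FortiManager/FortiAnalyzer product; the sample Response, the Entity ID URL and the account name in it are constructed, and the script only checks for the presence and values of elements (it does not validate the XML signature itself).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_response(xml_text, expected_issuer):
    """Return findings worded like the FortiManager/FortiAnalyzer banner messages.

    Only the structural conditions listed in the article are checked
    (element presence and attribute values); the signature is not verified.
    """
    findings = []
    root = ET.fromstring(xml_text)
    # Issuer appears on the Response and on the Assertion; both must equal the IdP Entity ID.
    for issuer in sorted({e.text.strip() for e in root.iter(f"{{{NS['saml']}}}Issuer")}):
        if issuer != expected_issuer:
            findings.append(f"Invalid issuer (expected {expected_issuer}, got {issuer})")
    if root.find(".//ds:SignatureValue", NS) is None:
        findings.append("No Signature found")
    attr_stmt = root.find(".//saml:AttributeStatement", NS)
    if attr_stmt is None:
        findings.append("There is no AttributeStatement on the Response")
        return findings  # nothing further to inspect
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    username = None
    for attr in attr_stmt.findall("saml:Attribute", NS):
        if attr.get("Name") == "username":  # mandatory attribute for FMG/FAZ
            username = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    if username is None:
        findings.append("Missing the assertion attribute 'username'")
    else:
        if username != name_id:
            findings.append(f"'username' ({username}) does not match NameID ({name_id})")
        if "#" in username:  # the article's example of an unsupported character
            findings.append(f"'username' contains unsupported character '#': {username}")
    return findings

# Constructed sample: an unsigned Response for an external Azure AD style account.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice_example.test#EXT#</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice_example.test#EXT#</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE, "https://idp.example.test/metadata"):
        print("-", finding)
```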
When creating Technical Support tickets for SAML issues with FortiManager/FortiAnalyzer, make sure to provide the following:
get system saml
Related article:
Copyright 2024 Fortinet, Inc. All Rights Reserved.