iyotov
Staff
Article Id 202902

Description

 

This article describes how to troubleshoot SAML SSO logon errors with FortiManager/FortiAnalyzer in SP role.

 

Scope

 

FortiManager and FortiAnalyzer.

 

Solution

 

After the user is authenticated by the IdP, the FortiManager/FortiAnalyzer GUI can return different errors if something in the assertion is incorrect or unexpected.

Those errors are typically displayed as a pink banner at the top of a blank page and the message gives a fairly clear description of the problem (with one exception).

 

Below are some of the common errors and their possible causes.

 

Web Server Error 500 (no pink banner in this case):

 

iyotov_5-1641825389146.png

 

Possible causes:

  • If the error is triggered immediately after selecting the 'Login with Single Sign-On' button, it is likely caused by invalid URLs in the FortiManager/FortiAnalyzer SAML SSO configuration. For example:
    • A hostname is used instead of an FQDN in the SP Address (Server Address) field, causing invalid SP URLs to be auto-generated.
    • Leading or trailing spaces are copied by mistake together with the IdP URLs or the fabric prefix.
    • Other non-permitted characters appear in the domain names or the IdP URLs.

  • If the browser is redirected correctly to the IdP login page and the error occurs after a successful login, then the cause is likely something misconfigured on the IdP side. For example:

 

invalid_response: There is no AttributeStatement on the Response.

 

iyotov_6-1641825826909.png

 

Possible causes:

<AttributeStatement> is completely missing from the IdP response.

This usually happens if the IdP has no default attributes (e.g. ADFS) or all attributes were removed by mistake.

 

The SAML Response is missing the assertion attribute 'username'.

 

iyotov_7-1641826254723.png

 

Possible Causes:

The 'username' attribute is not configured in the custom claims/attributes on the IdP side.

This attribute is mandatory for the FortiManager/FortiAnalyzer SAML implementation.

The value of 'username' should also match the value of 'Name ID'.

 

Admin 'xxxxx' does not exist.

 

iyotov_0-1641834884937.png

 

Possible Causes:

'Auto Create Admin' is disabled in the FortiManager/FortiAnalyzer SAML SSO configuration, or the 'username' value in the <AttributeStatement> does not match a local user.

 

Failed to create SSO admin.

 

iyotov_1-1641835205830.png

 

Possible Causes:

'Auto Create Admin' is enabled in the FortiManager/FortiAnalyzer SAML SSO configuration, but the 'username' value in the <AttributeStatement> contains unsupported characters. For example, an external Azure AD account name containing a '#' sign.

 

invalid_response: Invalid issuer in the Assertion/Response (expected aaa, got bbb).

 

iyotov_0-1641837152349.png

 

Possible Causes:

Misconfigured 'IdP Entity ID' URL in the FortiManager/FortiAnalyzer configuration.

 

SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding.

 

iyotov_1-1641837408623.png

 

Possible Causes:

Misconfigured 'IdP Logout URL' in the FortiManager/FortiAnalyzer configuration or misconfigured logout endpoint binding on the IdP side relying party (application) settings.

 

invalid_logout_request_signature, Signature validation failed. Logout Request rejected: Signature validation failed. SAMLRequest rejected.

 

iyotov_2-1641837699672.png

 

Possible Causes:

Misconfigured 'IdP Logout URL' in the FortiManager/FortiAnalyzer configuration, possibly pointing to an IdP endpoint that requires signed logout requests.

 

invalid_response: Signature validation failed. SAML Response rejected.

 

iyotov_3-1641838147334.png

 

Possible Causes:

The IdP response signature does not match the IdP certificate selected in FortiManager/FortiAnalyzer. This is usually caused by an incorrect certificate being imported/selected in the SAML SSO configuration.

 

invalid_response: No Signature found. SAML Response rejected.

 

iyotov_0-1641839254642.png

 

Possible Causes:

<SignatureValue> is missing from the IdP response. An IdP-side misconfiguration prevents it from signing the response.

 

There may be other errors not covered by this article.

 

The assertion might need to be analyzed to verify the errors and/or troubleshoot further.

The easiest way to capture the SAML request/response is by using an extension/plugin installed in the user's browser.

Below are two simple-to-use Chrome extensions that add a SAML tab to the Chrome Dev Tools (F12).

 

  1. 'SAML Tracer' opens in a separate window, which allows tracking both SP-initiated and IdP-initiated sessions.
    By default, it prints all HTTP messages, but it can be manually switched to show SAML only:

    SAML Tracer - Chrome Webstore
 

2025-05-27 11_33_47-SAML Tracer.png

 

  2. 'SAML Chrome Panel' has the SAML filters enabled by default, which makes it more convenient in some cases. It also allows exporting the data as a JSON file, which can then be imported and analyzed on another computer with a Chrome-based browser and the same extension: SAML Chrome panel - Chrome Webstore

 

iyotov_1-1641896015679.png

 

There are many similar tools for other browsers as well. Regardless of which one is used, the important part is to see if FortiManager/FortiAnalyzer is sending the correct SP AuthnRequest and to verify if the IdP Response/Assertion contains the correct URLs, signatures, and attributes.
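The checks a support engineer performs by eye on the exported Response/Assertion (issuer, signature presence, <AttributeStatement>, the mandatory 'username' attribute and its match with Name ID, unsupported characters such as '#') can be scripted against the captured XML. The script below is an added example written for this article, not Fortinet code; the sample Response, the issuer URL and the account names in it are constructed, and the '#' check reflects the one unsupported character the article names. Cryptographic verification of the signature against the IdP certificate is deliberately out of scope here (it needs an XML-DSig library); the script only reports whether a <SignatureValue> exists.

```python
"""Offline sanity checks on a captured SAML Response, keyed to the
FortiManager/FortiAnalyzer SP error messages discussed in the article.

Added example, not Fortinet code. The sample Response below is constructed;
paste the decoded XML exported by SAML Tracer / SAML Chrome Panel instead.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of a minimal, well-formed IdP Response (issuer URL and
# account name are placeholders, not values from any real deployment).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>dGVzdA==</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_saml_response(b64: str) -> str:
    """Decode the base64 SAMLResponse form field of the HTTP-POST binding."""
    return base64.b64decode(b64).decode("utf-8")


def check_response(xml_text: str, expected_issuer: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in the Response"]

    # Issuer mismatch corresponds to 'Invalid issuer in the Assertion/Response'.
    # The expected value is the 'IdP Entity ID' configured on the SP.
    for scope, node in (("Response", root), ("Assertion", assertion)):
        issuer = node.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != expected_issuer:
            findings.append(
                f"{scope} issuer mismatch (expected {expected_issuer!r}, got {issuer!r})")

    # Signature presence corresponds to 'No Signature found'. Use explicit
    # 'is None' tests: ElementTree elements without children are falsy.
    signed = any(node.find("ds:Signature/ds:SignatureValue", NS) is not None
                 for node in (root, assertion))
    if not signed:
        findings.append("no SignatureValue in Response or Assertion")

    # Missing statement corresponds to 'There is no AttributeStatement on the Response'.
    attr_stmt = assertion.find("saml:AttributeStatement", NS)
    if attr_stmt is None:
        findings.append("AttributeStatement missing")
        return findings

    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in attr_stmt.findall("saml:Attribute", NS)}

    # 'username' is mandatory for the FortiManager/FortiAnalyzer SP.
    username_values = attrs.get("username", [])
    if not username_values:
        findings.append("mandatory 'username' attribute missing")
        return findings
    username = username_values[0]

    # The article states 'username' should match Name ID.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if username != name_id:
        findings.append(f"'username' {username!r} does not match NameID {name_id!r}")

    # '#' (external Azure AD accounts) is the unsupported character the article names.
    if "#" in username:
        findings.append(f"'username' {username!r} contains '#', Auto Create Admin will fail")
    return findings


if __name__ == "__main__":
    for finding in check_response(SAMPLE_RESPONSE, "https://idp.example.test/metadata") or ["OK"]:
        print(finding)
```

Feed it the decoded Response from the extension export (or the raw SAMLResponse field through decode_saml_response) together with the IdP Entity ID configured on the FortiManager/FortiAnalyzer side; each finding maps directly to one of the pink-banner messages above, which narrows the search to either the SP configuration or the IdP relying-party settings.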


When creating Technical Support tickets for SAML issues with FortiManager/FortiAnalyzer, make sure to provide the following:

  • Clear issue description, including the error message and/or a screenshot of the issue.
  • Output from the following FortiManager/FortiAnalyzer CLI command:

    get system saml

  • Copy of the SP Request and the IdP Response/Assertion from the browser extension.

 

Related article: 

Troubleshooting Tip: How to fix "Missing RelayState" error after SAML authentication.