Solution
- If SAML-tracer is not available for a certain browser, other similar tools should be available. The browser developer tools (press F12, or Ctrl + Shift + I) show similar information, but it is not as readable as in SAML-tracer.

- Select the Extension button, usually located at the top right of the browser window, then select SAML-tracer. Select 'Pause', then 'Clear', and close all the open browser tabs, as they generate unnecessary events that will be recorded in the trace.

- Get ready for the test, press 'Pause' again to start the trace, access the resource, and go through the authentication process/reproduce the issue.

- Once that is completed/the issue is reproduced, press 'Pause' again to stop the trace, then select 'Export', 'Export' again, and 'Save' the JSON file.

- Upload this file to the case opened with Technical Support.
- For FortiGate SAML SSL VPN, the following debug should also be recorded at the same time:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug application sslvpn -1
diagnose vpn ssl debug-filter src-addr4 <ClientsPublicIPAddress>
diagnose debug application fnbamd -1
diagnose debug enable

The samld debug lists each attribute (stmt) received in the SAML assertion, followed by the group and username FortiGate extracted from it, for example:

2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/identity/claims/tenantid
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/identity/claims/displayname
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/identity/claims/identityprovider
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
2023-10-02 10:54:34 [2061:root:418da]stmt: group
2023-10-02 10:54:34 [2061:root:418da]fsv_saml_login_response:516 Got group username: 12cafe34-beef-cafe-4567-123456781590.
2023-10-02 10:54:34 [2061:root:418da]stmt: group
2023-10-02 10:54:34 [2061:root:418da]stmt: username
2023-10-02 10:54:34 [2061:root:418da]fsv_saml_login_response:498 Got saml username: 123456789@abc685gmail.onmicrosoft.com.
To disable the debug after the output has been collected, use the following CLI commands:
diagnose debug disable
diagnose debug reset
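When the samld debug is collected for a case, the first questions are usually which attributes the IdP actually sent and which user and group values FortiGate pulled out of the assertion. The following Python script is an added example, not part of this article or of FortiOS; it parses the samld debug lines shown above (embedded here as a constructed sample copied from that output) and reports the claims seen, the extracted username and group, and any expected attribute names that are missing. The required attribute names 'username' and 'group' are assumed to be the ones configured on the FortiGate SAML user object; the parser itself, the function names and the 'memberOf' value used in the usage note are illustrative only.

```python
import re
from collections import Counter

# Constructed sample: the samld debug output shown above, one event per line.
SAMPLE_SAMLD_DEBUG = """\
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/identity/claims/tenantid
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/identity/claims/displayname
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/identity/claims/identityprovider
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.microsoft.com/claims/authnmethodsreferences
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
2023-10-02 10:54:34 [2061:root:418da]stmt: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
2023-10-02 10:54:34 [2061:root:418da]stmt: group
2023-10-02 10:54:34 [2061:root:418da]fsv_saml_login_response:516 Got group username: 12cafe34-beef-cafe-4567-123456781590.
2023-10-02 10:54:34 [2061:root:418da]stmt: group
2023-10-02 10:54:34 [2061:root:418da]stmt: username
2023-10-02 10:54:34 [2061:root:418da]fsv_saml_login_response:498 Got saml username: 123456789@abc685gmail.onmicrosoft.com.
"""

# Each debug line: "<date> <time> [<pid>:<vdom>:<session>]<message>" (timestamp from
# 'diagnose debug console timestamp enable').
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<ctx>[^\]]+)\](?P<msg>.*)$")
STMT_RE = re.compile(r"^stmt: (?P<claim>\S+)$")
GROUP_RE = re.compile(r"Got group username: (?P<value>\S+)")
USER_RE = re.compile(r"Got saml username: (?P<value>\S+)")


def parse_samld_debug(text):
    """Return the attribute names seen in the assertion and the values FortiGate extracted."""
    result = {"claims": [], "group_username": None, "saml_username": None, "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        event = EVENT_RE.match(line)
        if event is None:
            # Keep anything that does not look like a samld event so it is not silently lost.
            result["unparsed"].append(line)
            continue
        msg = event.group("msg").strip()
        stmt = STMT_RE.match(msg)
        if stmt:
            result["claims"].append(stmt.group("claim"))
            continue
        group = GROUP_RE.search(msg)
        if group:
            # The debug line ends with a full stop that is not part of the value.
            result["group_username"] = group.group("value").rstrip(".")
            continue
        user = USER_RE.search(msg)
        if user:
            result["saml_username"] = user.group("value").rstrip(".")
    return result


def missing_claims(parsed, required=("username", "group")):
    """Attribute names the FortiGate expects (assumed: 'username' and 'group') that the IdP did not send."""
    seen = set(parsed["claims"])
    return [claim for claim in required if claim not in seen]


def claim_counts(parsed):
    """Occurrences per attribute name; a name listed twice is likely an attribute carrying two values."""
    return dict(Counter(parsed["claims"]))


if __name__ == "__main__":
    parsed = parse_samld_debug(SAMPLE_SAMLD_DEBUG)
    print("saml username:", parsed["saml_username"])
    print("group:        ", parsed["group_username"])
    print("missing:      ", missing_claims(parsed) or "none")
    for claim, count in claim_counts(parsed).items():
        print(f"{count}x {claim}")
```

Running the script on a real capture (read the file instead of SAMPLE_SAMLD_DEBUG) shows at a glance whether the attribute names sent by the IdP match the ones configured on the FortiGate; for instance, calling missing_claims with required=("username", "memberOf") against the sample above returns ['memberOf'], the same situation as an IdP that sends group membership under a name the SAML user object is not configured for.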
Note: To collect logs on FortiWeb for SAML communication, such as authenticating to the FortiWeb GUI using FortiCloud SSO login, use the following CLI commands for debug log collection alongside the browser SAML tracing:
diagnose debug application samld 7
diagnose debug enable
After log collection, use the command below to stop collecting the debug logs:
diagnose debug reset