FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
kiri
Article Id 261598
Description This article describes how to record a client-side SAML trace.
This is useful when little or no SAML activity is recorded on the SP/IdP side, but the end user reports that authentication is taking place and/or that the SP/IdP is reached.
Scope FortiGate, FortiAuthenticator.
Solution
1. SAML-tracer is one tool that can be used for this. It can be installed from a well-known browser app store as an add-on/extension. If SAML-tracer is not available for a certain browser, other similar tools should be available.

2. Click the Extensions button, usually located at the top right of the browser window, then select SAML-tracer.
Select 'Pause', then 'Clear', and close all other open browser tabs, as they generate unnecessary events that would be recorded in the trace.


3. Get ready for the test, press 'Pause' again to start the trace, then access the resource and go through the authentication process to reproduce the issue.


4. Once that is completed and the issue has been reproduced, press 'Pause' again to stop the trace, then select 'Export', 'Export' again, and 'Save' the JSON file.


5. Upload this file to the case opened with Technical Support.


6. For FortiGate SAML SSL VPN, the following debug output should also be recorded at the same time:


diagnose debug console timestamp enable
diagnose debug application saml -1
diagnose debug application sslvpn -1
diagnose vpn ssl debug-filter src-addr4 <CLIENTPUBLICIP>
diagnose debug application fnbamd -1
diagnose debug enable
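To sanity-check an export before uploading it, here is an added Python helper that is not part of this article or of SAML-tracer: it walks the exported JSON, decodes each SAMLRequest/SAMLResponse according to its binding (plain base64 for HTTP-POST, base64 plus raw DEFLATE for HTTP-Redirect), and summarizes the issuer, destination, status code and NameID of every message. The export field names ("requests", "url", "get", "post") are an assumption about the SAML-tracer JSON layout, and the embedded sample export is constructed.

```python
import base64
import json
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml(value, redirect_binding):
    # HTTP-POST binding carries plain base64; HTTP-Redirect (GET) adds raw DEFLATE.
    raw = base64.b64decode(value)
    if redirect_binding:
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")

def summarize_message(url, kind, xml_text):
    # The fields support checks first: issuer, destination, status code and subject.
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:NameID", NS)
    return {"url": url, "kind": kind, "tag": root.tag.split("}")[-1],
            "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
            "destination": root.get("Destination", ""),
            "status": status.get("Value", "").rsplit(":", 1)[-1] if status is not None else None,
            "name_id": (name_id.text or "").strip() if name_id is not None else None}

def summarize_trace(export_json):
    # Assumed export layout: {"requests": [{"url", "method", "get": {...}, "post": {...}}]}.
    # Adapt the .get() calls if your SAML-tracer version stores name/value pairs as lists.
    found = []
    for req in json.loads(export_json).get("requests", []):
        for field, redirect in (("get", True), ("post", False)):
            for key in ("SAMLRequest", "SAMLResponse"):
                value = (req.get(field) or {}).get(key)
                if value:
                    found.append(summarize_message(req.get("url", ""), key, decode_saml(value, redirect)))
    return found

# Constructed sample: a minimal successful SAMLResponse posted to the SP's ACS URL.
SAMPLE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://vpn.example.com/saml/?acs">'
              '<saml:Issuer>https://fac.example.com/saml-idp/metadata/</saml:Issuer>'
              '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
              '<saml:Assertion><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>'
              '</samlp:Response>')
SAMPLE_EXPORT = json.dumps({"requests": [{"url": "https://vpn.example.com/saml/?acs", "method": "POST",
                            "post": {"SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode()}}]})

if __name__ == "__main__":
    print(summarize_trace(SAMPLE_EXPORT))
```

A trace with no summarized messages at all means the browser never carried a SAML message to the SP/IdP, which is exactly the situation this article is meant to distinguish from a server-side logging gap.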
