Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
kiri
Staff
Staff

Created on ‎06-25-2023 10:24 PM Edited on ‎03-19-2025 10:43 AM By Moderator

Article Id 261598

Technical Tip: How to record a client SAML trace

Description This article describes how to record a client SAML trace.
This can come in handy when there is no or little saml activity recorded on the SP/IDP side, but the end user claims authentication is taking place and/or SP/IDP is reached.
Scope FortiGate, FortiAuthenticator.
Solution
  1. If SAML-tracer is n/a for a certain browser, there should be other similar tools available. The browser development tools (press F12 on the keyboard, or Ctrl + Shift + I) show similar information, but not as readable as the saml-tracer.

 

1.JPG

 

  1. Select the Extension button, usually located on the top right of the browser window, then select SAML-tracer.
    Select 'Pause', and 'Clear' and close all the opened browser tabs, as it generates unnecessary events that will be recorded in the trace.

     

    2.jpg

     

     

  2. Get ready for the test, press 'Pause' again to start the trace and access the resource, go through the authentication process/reproduce the issue.

                                

    3.JPG

                                 

  3. Once that is completed/the issue is reproduced, press 'Pause' again to stop the trace and then 'Export', 'Export' again, and 'Save' the JSON file.

                               

    4.jpg

                              

  4. Upload this to the case opened with Technical Support.

     

  5. For FortiGate SAML SSL VPN the following debug should also be recorded at the same time:

     

     

diag debug reset

diag debug console timestamp enable
diag debug application samld -1
diag debug application sslvpn -1
diag vpn ssl debug-filter src-addr4 <ClientsPublicIPAddress>
diag debug application fnbamd -1
diag debug enable

 

2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.microsoft.com/identity/claims/tenantid 
2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.microsoft.com/identity/claims/objectidentifier 
2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.microsoft.com/identity/claims/displayname 
2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.microsoft.com/identity/claims/identityprovider 
2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.microsoft.com/claims/authnmethodsreferences 
2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.microsoft.com/claims/authnmethodsreferences 
2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname 
2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname 
2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress 
2023-10-02 10:54:34 [2061:root:418da]stmt:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name 
2023-10-02 10:54:34 [2061:root:418da]stmt: group
2023-10-02 10:54:34 [2061:root:418da]fsv_saml_login_response:516 Got group username: 12cafe34-beef-cafe-4567-123456781590.
2023-10-02 10:54:34 [2061:root:418da]stmt: group
2023-10-02 10:54:34 [2061:root:418da]stmt: username
2023-10-02 10:54:34 [2061:root:418da]fsv_saml_login_response:498 Got saml username: 123456789@abc685gmail.onmicrosoft.com.

 

Note: To disable the debug after the output has been collected, use the below CLI commands:

 

diag debug disable 

diag debug reset

 
2390
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.