Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
cravikumar
Staff
Staff

Created on ‎01-17-2024 10:01 AM Edited on ‎11-28-2025 02:03 AM By Community Manager

Article Id 294710

Troubleshooting Tip: SSL VPN SAML login error when embedded browser is used : 'You don’t have permission to access /remote/saml/start on this server'

Description

This article describes how to resolve an error that occurs when attempting to log in with SAML SSL VPN using embedded browser. The browser shows the following error message:

 

Forbidden.png

 
Scope FortiClient, FortiGate.
Solution

The following workaround can be applied:

 

  1. Clear the cookies and enable the 'Use external browser as user-agent for SAML user authentication' option on the FortiClient:

 

Clear_cookies.jpg

 

External_browser.jpg

 

SAML authentication relies on session cookies to track login state. Normally, users can log in without clearing cookies, but if cookies become stale, corrupted, or contain leftover data from previous sessions, the SAML login may fail, producing the 'You don’t have permission' error. Clearing cookies forces a fresh SAML session and typically resolves the issue.


If clearing cookies does not resolve the issue, check the firewall policy for the 'ssl.root' interface to ensure that the SSO group is correctly added. If the SSO group is not added correctly to the firewall policy, it will show a similar error on connection.

 

If the issue persists, run the following debug:

 

diagnose debug reset
diagnose debug console timestamp en
diagnose debug application samld -1
diagnose debug enable
 
If you see following error: 954f-8326f1b10e00"><AuthnContext><AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
__samld_sp_login_resp [842]: Failed to process response message.
ret=-111(Failed to verify signature.)
 
Note:
The issue is not present in v7.2.8 and v7.4.3, but persists in v7.4.8.

Related article:
 
  1. Should the problem continue, or if it does not relate to the aforementioned point, then:
Disable sslvpn-web-mode under global settings. 

 

config sys global

    set sslvpn-web-mode enable

end

 

Note that this configuration must be disabled in the global settings. Disabling it only within the SSL VPN portal settings will not resolve the issue.

 

17738
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.