FortiClient
cravikumar
Staff
Article Id 294710
Description

This article describes how to resolve an error that occurs when attempting to log in with SAML SSL VPN using an embedded browser. The browser shows the following error message:

 

[Image Forbidden.png: the embedded browser's 'You don’t have permission to access /remote/saml/start on this server' error.]

Scope
FortiClient, FortiGate.
Solution

The error 'You don’t have permission to access /remote/saml/start on this server' may be seen when attempting to log in with SAML SSL VPN using an embedded browser. The steps below may help resolve the issue.

 

  1. Clear the cookies and enable the 'Use external browser as user-agent for SAML user authentication' option on the FortiClient:

 

[Image Clear_cookies.jpg: clearing the cookies in FortiClient.]

[Image External_browser.jpg: the 'Use external browser as user-agent for SAML user authentication' option in FortiClient.]

 

SAML authentication relies on session cookies to track login state. Normally, users can log in without clearing cookies, but if cookies become stale, corrupted, or contain leftover data from previous sessions, the SAML login may fail, producing the 'You don’t have permission' error. Clearing cookies forces a fresh SAML session and typically resolves the issue.


If clearing cookies does not resolve the issue, check the firewall policy that has 'ssl.root' as its source interface and confirm that the SAML SSO user group is added to it. A policy that does not include the SSO group produces a similar error on connection.

 

If the issue persists, run the following debug on the FortiGate CLI (and stop it afterwards with 'diagnose debug disable'):

diagnose debug reset
diagnose debug console timestamp en
diagnose debug application samld -1
diagnose debug enable

If the debug output ends with the following error after the SAML response is printed, the FortiGate could not verify the signature on the response:

954f-8326f1b10e00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
__samld_sp_login_resp [842]: Failed to process response message.
ret=-111(Failed to verify signature.)
 
Note:
The issue is not present in v7.2.8 and v7.4.3, but persists in v7.4.8.

  2. If the problem continues, or if it does not relate to the point above, disable sslvpn-web-mode under the global settings:

config sys global
    set sslvpn-web-mode disable
end

 

Note that this configuration must be disabled in the global settings. Disabling it only within the SSL VPN portal settings will not resolve the issue.

 

  3. Starting from FortiOS versions 7.2.12, 7.4.9, and 7.6.4, the FortiGate verifies the signature of SAML response messages. This enhancement is described in the 'SAML certificate verification' section of the release notes.

 

This enhancement also applies to FIPS-CC CVE-Patched builds for FortiOS v7.2 (for example, builds beginning with FIPS-CC-72-5 and later).

 

After upgrading, SAML authentication may fail when the FortiGate is configured as the Service Provider (for example in IPsec/SSL VPN, administrator SSO login, or SAML captive portal scenarios) if the IdP signs only the assertion and not the response message.

The following error, 'Signature element not found', will be seen in the debugs on the FortiGate:

 

__samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.)
samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49
samld_send_common_reply [101]: Attr: 22, 12, e
samld_send_common_reply [101]: Attr: 23, 37, Signature element not found.
samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.

 

To satisfy the updated verification requirement, configure the IdP to sign both the SAML response message and the SAML assertion, using the certificate that is configured as the IdP certificate on the FortiGate. A response that is signed but whose signature cannot be verified fails with 'Failed to verify signature' (ret=-111) rather than 'Signature element not found'.
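As an added illustration (not part of the original article and not FortiOS code), the following Python script decodes a SAMLResponse captured from the browser (the base64 'SAMLResponse' POST field, visible in the browser's developer tools when the external-browser option is used) and reports whether the samlp:Response and the saml:Assertion each carry an enveloped XML signature, whether each signature's Reference points back at the element it sits in, and whether the signing certificate in KeyInfo matches the fingerprint of the IdP certificate configured on the FortiGate. It is a structural pre-check for the 'Signature element not found' condition before changing the IdP's signing settings; it does not perform cryptographic verification, so it cannot reproduce the 'Failed to verify signature' (ret=-111) case. The sample responses, the certificate placeholder and its fingerprint are constructed for this example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response and in XML-DSig.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_response(b64_response):
    """Decode the base64 'SAMLResponse' form field captured from the browser.
    xml.etree is acceptable here because the input is a message you captured
    yourself; for untrusted input use defusedxml instead."""
    return ET.fromstring(base64.b64decode(b64_response))


def _signature_info(elem):
    """Inspect the enveloped ds:Signature directly under elem (Response or Assertion).
    Returns None when elem carries no signature; otherwise whether the Reference URI
    points at elem's own ID (an enveloped signature must) and the SHA-256 fingerprint
    of the X509Certificate in KeyInfo (None when the IdP omits KeyInfo)."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    fingerprint = None
    if cert is not None and cert.text:
        der = base64.b64decode("".join(cert.text.split()))
        fingerprint = hashlib.sha256(der).hexdigest()
    return {"reference_uri": uri,
            "covers_element": uri == "#" + elem.get("ID", ""),
            "cert_sha256": fingerprint}


def check_saml_response(b64_response, expected_cert_sha256=None):
    """Report which parts are signed and list the reasons a 7.2.12/7.4.9/7.6.4
    FortiGate would reject the message. expected_cert_sha256 is the SHA-256 of the
    DER-encoded IdP certificate configured on the FortiGate (None skips that check)."""
    root = decode_saml_response(b64_response)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    report = {
        "response_signature": _signature_info(root),
        "assertion_signature": _signature_info(assertion) if assertion is not None else None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "problems": [],
    }
    problems = report["problems"]
    if report["response_signature"] is None:
        problems.append("Signature element not found on samlp:Response "
                        "(the IdP signs only the assertion, or nothing)")
    if assertion is None and not report["assertion_encrypted"]:
        problems.append("no saml:Assertion in the response")
    elif assertion is not None and report["assertion_signature"] is None:
        problems.append("saml:Assertion is not signed")
    for part in ("response_signature", "assertion_signature"):
        info = report[part]
        if info is None:
            continue
        if not info["covers_element"]:
            problems.append("%s: Reference URI %r does not point at the enclosing element"
                            % (part, info["reference_uri"]))
        if expected_cert_sha256 and info["cert_sha256"] not in (None, expected_cert_sha256):
            problems.append("%s: signing certificate differs from the IdP certificate "
                            "configured on the FortiGate" % part)
    return report


# --- Constructed sample data: not a real IdP message or certificate -----------------
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
FAKE_CERT_SHA256 = hashlib.sha256(base64.b64decode(FAKE_CERT_B64)).hexdigest()


def _fake_signature(element_id, cert_b64):
    # Shape of an enveloped XML-DSig signature; SignatureValue is a dummy.
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>AAA=</ds:SignatureValue>'
            '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature>' % (element_id, cert_b64))


def build_sample_response(sign_response, sign_assertion, cert_b64=FAKE_CERT_B64):
    """Build a base64 SAMLResponse with the chosen parts signed (constructed sample)."""
    resp_sig = _fake_signature("_resp1", cert_b64) if sign_response else ""
    asrt_sig = _fake_signature("_asrt1", cert_b64) if sign_assertion else ""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_resp1" Version="2.0">'
           '<saml:Issuer>https://idp.example.test</saml:Issuer>%s'
           '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
           '</samlp:Status><saml:Assertion ID="_asrt1" Version="2.0">'
           '<saml:Issuer>https://idp.example.test</saml:Issuer>%s'
           '<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'
           '<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
           'urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>'
           '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
           % (NS["samlp"], NS["saml"], resp_sig, asrt_sig))
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # 'assertion only' is the pre-upgrade IdP behaviour that the new check rejects.
    for label, b64 in (("assertion only", build_sample_response(False, True)),
                       ("response + assertion", build_sample_response(True, True))):
        result = check_saml_response(b64, FAKE_CERT_SHA256)
        print(label, "->", result["problems"] or ["OK: response and assertion are both signed"])
```

To run it against a real capture, pass the SAMLResponse field value to check_saml_response() and, for the certificate check, the fingerprint from 'openssl x509 -in idp.crt -noout -fingerprint -sha256' with the colons removed and the hex lowercased. An empty problems list only means the message has the structure the FortiGate now requires; the FortiGate still performs the actual signature verification.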

 

For detailed troubleshooting steps and configuration guidance, refer to the following article: Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9, or v7.6.4.