Description
The article describes how to resolve the error message 'The identifier of a provider is unknown to #LassoServer' in the samld logs in the firewall.
Scope
FortiGate.
Solution
Troubleshooting:
To view the logs for SAML on the firewall, run the following commands:
diagnose debug application samld -1
diagnose debug enable
This will allow viewing of the SAML logs on the firewall.
The following error in the SAML logs may be seen:
The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add
_provider_from_buffer()
This usually happens when the idp-entity-id as provided by the IdP is not the same as configured on the FortiGate under the SAML settings.
Ensuring that the two match will usually make this error go away.
In some instances, the following workaround can be attempted:
To fix the issue, add a '/' at the end of the URL for idp-entity-id of the SAML config.
Example:
Working config:
config user saml
edit <Name> <- Replace Name with the SAML name in the config.
set idp-entity-id https://sts.windows.net/7....../
end
Non-Working config:
config user saml
edit <Name> <- Replace Name with the SAML name in the config.
set idp-entity-id https://sts.windows.net/7......
end
In the working config, a '/' at the end of the user for IDP entity id in the SAML user configuration was added.
