Description
This article describes the error 'Cannot change this setting in SP when Security Fabric is enabled', which appears when configuring SAML on a downstream FortiGate that has Security Fabric enabled.
Error Message:
Cannot change this setting in SP when Security Fabric is enabled
(configuration-sync is in default mode and saml-sync is default)
and is not the root of fabric.
object set operator error, -333, roll back the setting
Command fail. Return code -333
This is located under Security Fabric -> Fabric Connectors -> Security Fabric Setup.
Scope
FortiGate
Solution
The error occurs because the leaf (downstream) FortiGate receives its SAML configuration from the root FortiGate. While that synchronization is active, the leaf does not allow a different SAML configuration to be set and displays the error.
To configure a SAML configuration that differs from the root FortiGate's, change the SAML Single Sign-On option from Auto to Manual: go to Security Fabric -> Fabric Connectors -> Security Fabric Setup, edit the Fabric connector, and select Single Sign-On Settings.
After changing this setting, the SAML configuration can be changed successfully, for example:
config system saml
    set status enable
    set cert "Fortinet_Factory"
    set idp-entity-id "http://X.X.X.X/saml-idp/csf_ngc_some_random_string_ivhehwu37fml20/metadata/"
    set idp-single-sign-on-url "https://X.16.106.74/csf_ngc_some_random_string_ivhehwu37fml20/login/"
    set idp-single-logout-url "https://X.16.106.74/saml-idp/csf_ngc_some_random_string_ivhehwu37fml20/logout/"
    set idp-cert "REMOTE_Cert_1"
    set server-address "X.16.106.74:12443"
end
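The same change made from the CLI of the leaf FortiGate, as an added example that is not part of the original article. It assumes the CLI name of the GUI "SAML Single Sign-On" switch is saml-configuration-sync under config system csf (an assumption to verify with '?' on your firmware) and uses placeholder IdP values instead of the ones above:

```fortios
# Added example, not from the original article.
# Assumption: the GUI "SAML Single Sign-On: Auto/Manual" switch maps to
# 'saml-configuration-sync' under 'config system csf'. Confirm the option
# name on your firmware with:  config system csf  ->  set ?

# 1. Check the current Security Fabric settings on the leaf. A value of
#    'default' for the SAML sync option matches the 'saml-sync is default'
#    text in the error, meaning SAML settings are inherited from the root.
show system csf

# 2. Stop inheriting the root's SAML settings (GUI: Auto -> Manual).
config system csf
    set saml-configuration-sync local
end

# 3. Editing the SP's SAML settings now succeeds instead of rolling back
#    with return code -333. Replace the <placeholders> with your IdP values.
config system saml
    set status enable
    set cert "Fortinet_Factory"
    set idp-entity-id "https://<idp-host>/saml-idp/<app-id>/metadata/"
    set idp-single-sign-on-url "https://<idp-host>/saml-idp/<app-id>/login/"
    set idp-single-logout-url "https://<idp-host>/saml-idp/<app-id>/logout/"
    set idp-cert "REMOTE_Cert_1"
    set server-address "<this-fortigate-address>:<admin-port>"
end
```

To return the leaf to inheriting the root's SAML settings later, set the same option back to default under config system csf.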
Related articles:
Technical Tip: How to fix crashing SAML daemon
Technical Tip: How to read SAML Debug output
Technical Tip: A basic explanation of SAML authentication
Technical Tip: Configuring SAML SSO login for FortiGate Admin Web GUI Access with JumpCloud acting a...
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Okta acting as SAML IdP
Technical Tip: Set up SAML admin LDAP login on FortiGate (SP) with FortiAuthenticator (IDP)
Technical Tip: Configuring FortiGate SSO Administrators with ADFS as SAML IdP
Technical Tip: Using single Azure Enterprise Application for multiple SAML Service Providers (SPs) f...
Troubleshooting Tip: Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1
Technical Tip: Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP
Copyright 2025 Fortinet, Inc. All Rights Reserved.