Created on 07-05-2022 10:47 AM Edited on 07-05-2022 10:59 AM By Anonymous
Description
This article describes the error 'Cannot change this setting in SP when Security Fabric is enabled', which appears when configuring SAML on a downstream FortiGate while the Security Fabric is enabled.
Error Message:
Cannot change this setting in SP when Security Fabric is enabled
(configuration-sync is in default mode and saml-sync is default)
and is not the root of fabric.
object set operator error, -333, roll back the setting
Command fail. Return code -333
Scope
FortiGate
Solution
The error occurs because the downstream (leaf) FortiGate receives its SAML configuration from the root FortiGate, so it rejects any other SAML configuration and displays the error above.
To configure a SAML configuration that differs from the one on the root FortiGate, change the SAML Single Sign-On option from Auto to Manual.
After this setting is changed, the SAML configuration can be modified successfully.
# config system saml
    set status enable
    set cert "Fortinet_Factory"
    set idp-entity-id "http://X.X.X.X/saml-idp/csf_ngc_some_random_string_ivhehwu37fml20/metadata/"
    set idp-single-sign-on-url "https://X.16.106.74/csf_ngc_some_random_string_ivhehwu37fml20/login/"
    set idp-single-logout-url "https://X.16.106.74/saml-idp/csf_ngc_some_random_string_ivhehwu37fml20/logout/"
    set idp-cert "REMOTE_Cert_1"
    set server-address "X.16.106.74:12443"
end