FortiGate
hlngan, Staff
Article Id 212936
Description This article describes what to do when a customer is unable to log in to SSL VPN with SAML and the SAML debug shows "invalid assertion:<URL>".
Scope Only SAML authentication is affected; non-SAML users can still log in, which indicates the problem lies with the SAML user rather than with SSL VPN itself.
Solution

In this case, run the SAML debug on the FortiGate:

# diagnose debug app saml -1
# diagnose debug en

 

When you see the following in the debug output:

# "invalid assertion:<URL>"

Example:

__samld_sp_login_resp [744]: Invalid assertion with "https://<DOMAIN>.com/remote/saml/metadata".

This usually indicates a time difference between the IdP and the SP (the FortiGate): the assertion's validity window, set by the IdP's clock, does not match the time on the FortiGate.

 

Review the SP Login Dump and the Assertion Dump in the same debug output:

# _samld_sp_create_auth_req [394]:
**** SP Login Dump ****
<omitted> IssueInstant="<date & time>"

# _samld_sp_login_resp [757]:
**** Assertion Dump ****
<omitted> <Conditions NotBefore="<date & time>" NotOnOrAfter="<date & time>">

Compare the IssueInstant in the SP Login Dump (the FortiGate's clock) with the NotBefore and NotOnOrAfter values in the Assertion Dump (the IdP's clock). The IssueInstant should fall inside that window, and there should not be a large gap between the two clocks. Verify the NTP configuration on the FortiGate as well.
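The following is an added helper for performing that comparison, not part of the original article or of Fortinet's tooling. It takes the text of the SAML debug output, extracts the IssueInstant from the SP Login Dump and the NotBefore/NotOnOrAfter bounds from the Assertion Dump, and reports how far the FortiGate's request time sits outside the IdP's validity window. The debug excerpts embedded below are constructed samples modelled on the dumps shown above; the 2-minute skew tolerance is an assumed value, not a FortiGate setting.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed debug excerpts modelled on the SP Login Dump / Assertion Dump
# shown in the article; they are not real captures.
DEBUG_OK = """\
__samld_sp_create_auth_req [394]:
**** SP Login Dump ****
<samlp:AuthnRequest ID="_req1" IssueInstant="2022-04-05T10:00:00Z" Version="2.0">
__samld_sp_login_resp [757]:
**** Assertion Dump ****
<Conditions NotBefore="2022-04-05T09:55:00Z" NotOnOrAfter="2022-04-05T10:05:00Z">
"""

# Same request, but the IdP's clock runs 10 minutes ahead of the FortiGate.
DEBUG_SKEWED = """\
__samld_sp_create_auth_req [394]:
**** SP Login Dump ****
<samlp:AuthnRequest ID="_req2" IssueInstant="2022-04-05T10:00:00Z" Version="2.0">
__samld_sp_login_resp [757]:
**** Assertion Dump ****
<Conditions NotBefore="2022-04-05T10:10:00Z" NotOnOrAfter="2022-04-05T10:20:00Z">
"""

TIME_ATTR = re.compile(r'\b(IssueInstant|NotBefore|NotOnOrAfter)="([^"]+)"')


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime as used in SAML; a trailing 'Z' means UTC."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # treat naive values as UTC rather than local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def extract_times(debug_text: str) -> dict:
    """Pull IssueInstant (SP clock) and the Conditions bounds (IdP clock) from the debug text."""
    found = {name: parse_saml_time(raw) for name, raw in TIME_ATTR.findall(debug_text)}
    missing = {"IssueInstant", "NotBefore", "NotOnOrAfter"} - found.keys()
    if missing:
        raise ValueError(f"debug output lacks {sorted(missing)}")
    return found


def diagnose(debug_text: str, skew: timedelta = timedelta(minutes=2)) -> dict:
    """Compare the SP's IssueInstant with the IdP's validity window.

    offset_seconds is 0 when IssueInstant lies inside [NotBefore, NotOnOrAfter),
    negative when it precedes NotBefore, positive when it is at or past
    NotOnOrAfter. within_window additionally allows the given clock skew
    (an assumed tolerance) on both edges.
    """
    t = extract_times(debug_text)
    sp_time = t["IssueInstant"]
    not_before, not_on_or_after = t["NotBefore"], t["NotOnOrAfter"]

    if sp_time < not_before:
        offset = (sp_time - not_before).total_seconds()
    elif sp_time >= not_on_or_after:
        offset = (sp_time - not_on_or_after).total_seconds()
    else:
        offset = 0.0

    within = (not_before - skew) <= sp_time < (not_on_or_after + skew)
    return {
        "sp_time": sp_time.isoformat(),
        "window": (not_before.isoformat(), not_on_or_after.isoformat()),
        "window_seconds": (not_on_or_after - not_before).total_seconds(),
        "offset_seconds": offset,
        "within_window": within,
    }


if __name__ == "__main__":
    for label, text in (("ok", DEBUG_OK), ("skewed", DEBUG_SKEWED)):
        print(label, diagnose(text))
```

A negative offset of several minutes, as in the skewed sample, means the FortiGate's clock is behind the IdP's (or the IdP's is ahead); a positive offset means the opposite or that the assertion expired before it was processed. Note that IssueInstant is stamped when the request leaves the FortiGate, so a few seconds of difference is expected; anything approaching the window size points at NTP.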
