Description | This article describes what to do when a customer is unable to log in to SSL VPN with SAML and the debug output shows "invalid assertion:<URL>". |
Scope | Only SAML authentication is affected; other users can log in, which indicates a problem specific to the SAML user. |
Solution |
In this case, run the SAML debug:
# diagnose debug app saml -1
# diagnose debug en
The debug output shows the following:
# "invalid assertion:<URL>"
__samld_sp_login_resp [744]: Invalid assertion with "https://<DOMAIN>.com/remote/saml/metadata".
This most often indicates a time gap between the IdP and the SP during SAML authentication.
Review the SP Login Dump and the Assertion Dump in the debug output:
# _samld_sp_create_auth_req [394]:
# _samld_sp_login_resp [757]:
Check whether the date and time differ between the two dumps; there should not be a large gap between them. Verify the NTP configuration on the FortiGate as well.
Copyright 2024 Fortinet, Inc. All Rights Reserved.