Technical Tip : Customer unable to login SSL VPN with SAML, debug showing 'invalid assertion:<URL>'

hlngan · ‎05-24-2022

Description

This article describes what to do when a customer is unable to log in to SSL VPN with SAML, debug showing 'invalid assertion:<URL>'.

Scope

Only the users authenticating via SAML are affected, while other local or non-SAML users are able to authenticate successfully.

Solution

In this case, with running the SAML debug:

diagnose debug reset

diagnose debug console timestamp enable

diagnose debug application samld -1

diagnose debug enable

To Stop the Debug:

diagnose debug disable

When the following appears:

# "invalid assertion:<URL>"

__samld_sp_login_resp [744]: Invalid assertion with "https://<DOMAIN>.com/remote/saml/metadata".

Example:

It mostly indicates that the SAML authentication has a time gap between the IdP and SP.

Review the SP Login Dump and the Assertion Dump:

# _samld_sp_create_auth_req [394]:
**** SP Login Dump ****
<omitted> IssueInstant="<date & time>"

# _samld_sp_login_resp [757]:
**** Assertion Dump ****
<omitted> <Conditions NotBefore="<date & time>" NotOnOrAfter="<date & time>">

Check if there is a difference between the date & time; it should not be a big gap in between. Verify the NTP on the FortiGate as well.

execute time

diagnose sys ntp status

Related articles:
Troubleshooting Tip: How to troubleshoot SAML authentication

You are leaving our website