This article provides a solution to the SAML auth error 'Access denied' shown to the end user by the SP/firewall.
Depending on the firmware version, the displayed error might be slightly different.

Run the following debug on the firewall whilst the end user is authenticating:

diagnose debug disable

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug app saml -1
diagnose debug enable

Depending on the setup, another command set might be helpful.

For example, if this is for SSL VPN, add diagnose debug app sslvpn -1 to the command set like:

diagnose debug disable

diagnose debug reset

diagnose debug console timestamp enable

diagnose debug app fnbamd -1

diagnose debug app sslvpn -1

diagnose debug enable

To disable debugs:

  diagnose debug disable  

If this message is seen in the SAML debug from FortiGate CLI:

2023-06-22 07:01:30 [15478:root:57][fsv_found_saml_server_name_from_auth_lst:123] Found SAML server [azure.ad.sso] in group [test1]
gen_sp_server [325]: Failed to create SP

Check the SAML configuration on the FortiGate. This is usually caused by incorrect 'config user saml' parameters like 'set single-sign-on-url'.

config user saml
    edit "azure.ad.sso"
        set entity-id "https://fgt.local:8443/remote/saml/metadata"
        set single-sign-on-url "https://fgt.local:8443/remote/loginlang=en"
        set single-logout-url "https://fgt.local:8443/remote/saml/logout"

'set single-sign-on-url' is incorrect in this example, it must be https://fgt.local:8443/remote/saml/login
Make sure the URLs are correct and the same on both sides, SP and IdP. They are usually copiable and pasteable on both SP and IdP.

Related articles:

• Troubleshooting Tip: Common problems and causes when using SAML with SSL VPN 
• Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication