Technical Tip: How to fix crashing SAML daemon

kiri · ‎11-25-2022

Description

This article describes one of the causes that crashes SAMLD every time SAML auth is attempted and how can that be fixed.

Scope

FortiAuthenticator 6.X, 7.X.

Solution

SSL VPN SAML is configured correctly and there is no redirect to the IDP, just the SSL VPN login page timing out at some point.
Running the following debug does not show any SAML activity at all except one event:

# diag debug reset
# diagnose debug cons time en
# diag debug application fnbamd -1
# diagnose debug app sslvpn -1
# diag debug app saml -1
# dia vpn ssl debug-filter src-addr4 <CLIENTPUBLICIP>
# diagnose debug enable

...
[271:root:83][fsv_found_saml_server_name_from_auth_lst:121] Found SAML server [Azure] in group [AzureGroup]
...

Crashlog is showing SAMLD crashing every time a SAML auth is attempted:

# diagnose debug crashlog read

...
3613: 2022-11-14 12:46:27 the killed daemon is /bin/samld: status=0x6
...

Saml connector/user has a ECDSA cert configured like Fortinet_SSL_ECDSA256.

A custom cert with ECDSA will cause the same issue:

# show user saml
edit "Azure"
set cert "Fortinet_SSL_ECDSA256"
...

This cert is used to sign SAML messages, and the SAML library used in FortiOS does not support certificates with ECDSA keys.

Replace the cert with 'Fortinet_Factory'.

# config user saml
edit "Azure"
set cert "Fortinet_Factory"
end

Technical Tip: How to fix crashing SAML daemon

You are leaving our website