FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kiri
Staff
Article Id 230863
Description This article describes one cause of SAMLD crashing every time a SAML authentication is attempted, and how to fix it.
Scope

FortiAuthenticator v6.x, v7.x.

Solution

SSL VPN SAML is configured correctly, but there is no redirect to the IdP; the SSL VPN login page simply times out at some point.
Running the following debug shows no SAML activity at all, apart from a single event:

diagnose debug reset
diagnose debug console time enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug application saml -1
diagnose vpn ssl debug-filter src-addr4 <CLIENTPUBLICIP>
diagnose debug enable

To stop the debug, run the following commands:

diagnose debug disable
diagnose debug reset

...
[271:root:83][fsv_found_saml_server_name_from_auth_lst:121] Found SAML server [Azure] in group [AzureGroup]
...

The crashlog shows SAMLD crashing every time a SAML authentication is attempted:

diagnose debug crashlog read

...
3613: 2022-11-14 12:46:27 the killed daemon is /bin/samld: status=0x6
...

The SAML user object (connector) has an ECDSA certificate configured, such as Fortinet_SSL_ECDSA256.

A custom certificate with an ECDSA key causes the same crash:

show user saml
    edit "Azure"
        set cert "Fortinet_SSL_ECDSA256"
    ...

This certificate is used to sign SAML messages, and the SAML library used in FortiOS does not support certificates with ECDSA keys.

Replace the certificate with 'Fortinet_Factory':

config user saml
    edit "Azure"
        set cert "Fortinet_Factory"
end
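Because a custom certificate's name does not reveal its key type, it is worth checking the key algorithm with openssl before assigning a certificate as the SAML signing cert. The script below is an added example, not part of the Fortinet article or FortiOS itself: the function names (cert_key_algorithm, is_ecdsa_cert, saml_cert_verdict) are this example's own, and the two self-signed certificates it inspects are constructed on the fly so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): inspect a PEM certificate's
# public-key algorithm with openssl before using it as a SAML signing cert.
# Function names are this example's own; the sample certificates are constructed
# here as throwaway self-signed certs.
set -eu

# Print the public-key algorithm of a PEM certificate,
# e.g. "rsaEncryption" or "id-ecPublicKey".
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# Return 0 if the certificate carries an EC (ECDSA) key, 1 otherwise.
is_ecdsa_cert() {
    [ "$(cert_key_algorithm "$1")" = "id-ecPublicKey" ]
}

# Verdict for use as the 'set cert' value of a SAML user object:
# "reject" for ECDSA keys (samld crashes, per the article), "ok" otherwise.
saml_cert_verdict() {
    if is_ecdsa_cert "$1"; then
        echo "reject"
    else
        echo "ok"
    fi
}

# --- constructed sample certificates (self-signed, 1-day, throwaway) ---
WORK_DIR=$(mktemp -d)
EC_CERT="$WORK_DIR/custom_ecdsa.crt"
RSA_CERT="$WORK_DIR/custom_rsa.crt"

# ECDSA P-256 key and certificate (the kind that triggers the crash)
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK_DIR/ec.key" 2>/dev/null
openssl req -x509 -new -key "$WORK_DIR/ec.key" -out "$EC_CERT" \
    -subj "/CN=constructed-ecdsa-test" -days 1 2>/dev/null

# RSA 2048 key and certificate (accepted by the FortiOS SAML library)
openssl genrsa -out "$WORK_DIR/rsa.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK_DIR/rsa.key" -out "$RSA_CERT" \
    -subj "/CN=constructed-rsa-test" -days 1 2>/dev/null

# Report both certificates
for cert in "$EC_CERT" "$RSA_CERT"; do
    printf '%s: %s -> %s\n' \
        "$(basename "$cert")" "$(cert_key_algorithm "$cert")" "$(saml_cert_verdict "$cert")"
done
```

Run the script against your own PEM file by calling saml_cert_verdict on it; a "reject" verdict means the certificate would reproduce the samld crash described above and should not be set on the SAML user object.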