This article uses a SAML login as an example, with the FortiGate acting as the SAML Service Provider (SP) and Azure AD (Microsoft Entra ID) as the Identity Provider (IDP), as the login.microsoftonline.com and sts.windows.net URLs in the output show.
Once the user enters the credentials and tries to connect, the following output is seen in the FortiGate samld debug (diagnose debug application samld -1, followed by diagnose debug enable).
The request comes to the FortiGate, and the FortiGate redirects the client to the IDP for authentication.
Once the IDP has authenticated the user, it returns a SAML Response to the client, which posts it to the SP's Assertion Consumer Service (ACS) URL on the FortiGate. The FortiGate then validates the assertion and authorizes the user.
The following is the redirect to the SAML IDP generated by the FortiGate. It is sent to the client, which follows it to the IDP.
Focus on the following fields from the log:
Destination="https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2" <- This is the IDP URL the client is redirected to. It must match the IDP single sign-on URL configured in the IDP section of the FortiGate SAML SP configuration (it is not the ACS URL, which is the SP's own endpoint).
ID: _838F60F6BF4143F97B99446E866BFDDA <- This is the ID of this AuthnRequest. The complete authentication process is tracked with this ID: the IDP must echo it back in the InResponseTo field of its Response, and the FortiGate rejects a Response whose InResponseTo does not match a request it issued.
Issuer: http://10.5.24.116:10443/remote/saml/metadata/ <- This is the SP entity ID identifying the FortiGate that issued the request. It is configured as the Entity ID in the SAML SP configuration, and it must match what the IDP has registered for this SP.
__samld_sp_create_auth_req [447]: SAML SP algo: 0 -> lasso=1. Binding Method: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
__samld_sp_create_auth_req [467]: **** AuthnRequest URL **** https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2?SAMLRequest=hZJdb5swFIb%2FCvI9YLBLwEoiJWVokdoNNdkudjMZOLSW%2FJHZptv%2B%2FQxpu%2FZi3aVfn0c%2B7yOvHVfyzHaTf9B38GMC56NfSmrHlosNmqxmhjvhmOYKHPM9O%2B5ub1ieYHa2xpveSPQKeZ%2FgzoH1wmgUHeoN%2Bl6SsilwU%2BwbmlHSVKt9VVFafCiLENX1DkVfwbowv0EBD5BzExy081z7EOGcxBmOMTlllBHMSPUNRXXoIDT3C%2FXg%2FdmxNJXmXuhEid4aZ0ZvtBQakt6olOBVNXS8jFdVWcQUdxDzru%2Fi8mroCK9GUq7ydG6Wo6gxtofF1QaNXDqYN2pDKfEIL0n7ZGUv9CD0%2FftCusuQYx9PpzZuPx9PKNo9S7o22k0K7BHso%2Bjhy93N30IZTq6SnCZZVrAMU0pSC8p4WFa91EXb9XxgizS7ncn%2Fggo8H7jn6Tp9za4v3%2BRT2P9Qt0aK%2FvcsQ3H%2F73pZki2JGOJxGWWTdmfoxShgCC2lND%2BvLXAf1Hk7AUq3l0fffsftHw%3D%3D&RelayState=magic%3D229ae47d0cee7bb9
__samld_sp_create_auth_req [481]: **** AuthnRequest **** <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_838F60F6BF4143F97B99446E866BFDDA" Version="2.0" IssueInstant="2023-10-03T14:30:39Z" Destination="https://login.microsoftonline.com/3079dba8-7986-efgh-abcd-932b3a9f3872/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://x.x.x.x:10443/remote/saml/login"><saml:Issuer>http://10.5.24.116:10443/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest>
__samld_sp_create_auth_req [486]: **** SP Login Dump **** <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_838F60F6BF4143F97B99446E866BFDDA" Version="2.0" IssueInstant="2023-10-03T14:30:39Z" Destination="https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://x.x.x.x:10443/remote/saml/login"><saml:Issuer>http://x.x.x.x:10443/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2?SAMLRequest=hZJdb5swFIb%2FCvI9YLBLwEoiJWVokdoNNdkudjMZOLSW%2FJHZptv%2B%2FQxpu%2FZi3aVfn0c%2B7yOvHVfyzHaTf9B38GMC56NfSmrHlosNmqxmhjvhmOYKHPM9O%2B5ub1ieYHa2xpveSPQKeZ%2FgzoH1wmgUHeoN%2Bl6SsilwU%2BwbmlHSVKt9VVFafCiLENX1DkVfwbowv0EBD5BzExy081z7EOGcxBmOMTlllBHMSPUNRXXoIDT3C%2FXg%2FdmxNJXmXuhEid4aZ0ZvtBQakt6olOBVNXS8jFdVWcQUdxDzru%2Fi8mroCK9GUq7ydG6Wo6gxtofF1QaNXDqYN2pDKfEIL0n7ZGUv9CD0%2FftCusuQYx9PpzZuPx9PKNo9S7o22k0K7BHso%2Bjhy93N30IZTq6SnCZZVrAMU0pSC8p4WFa91EXb9XxgizS7ncn%2Fggo8H7jn6Tp9za4v3%2BRT2P9Qt0aK%2FvcsQ3H%2F73pZki2JGOJxGWWTdmfoxShgCC2lND%2BvLXAf1Hk7AUq3l0fffsftHw%3D%3D&amp;RelayState=magic%3D229ae47d0cee7bb9</lasso:MsgUrl><lasso:MsgRelayState>magic=229ae47d0cee7bb9</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_838F60F6BF4143F97B99446E866BFDDA</lasso:RequestID></lasso:Login>
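Two details of the redirect above are worth noting. The AuthnRequest itself travels in the SAMLRequest query parameter of the redirect URL (HTTP-Redirect binding: the XML is DEFLATE-compressed, base64-encoded and URL-encoded), while ProtocolBinding asks the IDP to return the Response with HTTP-POST. And SignType="0" SignMethod="0" shows the request is not signed, so the IDP can only check that the Issuer is a registered SP. To read a SAMLRequest parameter taken from a live debug session, reverse the encoding. The Python below is an added example, not FortiGate code: it builds a redirect URL from a constructed AuthnRequest shaped like the one in the debug output (the AUTHN_REQUEST string, IDP_SSO_URL and the function names are the example's own, with values copied from above), decodes it back, and pulls out the fields discussed above.

```python
"""Encode and decode a SAML AuthnRequest carried in a redirect URL (HTTP-Redirect binding)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AuthnRequest modelled on the debug output above: unsigned, HTTP-POST
# requested for the Response. Values are copied from the example logs.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_838F60F6BF4143F97B99446E866BFDDA" '
    'Version="2.0" IssueInstant="2023-10-03T14:30:39Z" '
    'Destination="https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2" '
    'ForceAuthn="false" IsPassive="false" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://x.x.x.x:10443/remote/saml/login">'
    '<saml:Issuer>http://x.x.x.x:10443/remote/saml/metadata/</saml:Issuer>'
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>'
    '</samlp:AuthnRequest>')
IDP_SSO_URL = "https://login.microsoftonline.com/3079dba8-7986-40be-abcb-85db3a9f3872/saml2"


def build_redirect_url(sso_url, xml_text, relay_state):
    """SP side: raw DEFLATE (no zlib header), base64, URL-encode, append as query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # wbits -15 = raw deflate stream
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    sep = "&" if "?" in sso_url else "?"
    return f"{sso_url}{sep}SAMLRequest={quote(b64, safe='')}&RelayState={quote(relay_state, safe='')}"


def decode_redirect_url(url):
    """Reverse the binding: take SAMLRequest/RelayState out of the URL and inflate the XML."""
    params = parse_qs(urlparse(url).query)              # parse_qs URL-decodes the values
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")
    return xml_text, params.get("RelayState", [None])[0]


def summarize_authn_request(xml_text):
    """Pull out the fields the walkthrough above says to check."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "ID": root.get("ID"),
        "Destination": root.get("Destination"),
        "Issuer": issuer.text if issuer is not None else None,
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "ProtocolBinding": root.get("ProtocolBinding"),
        "ForceAuthn": root.get("ForceAuthn") == "true",
    }


if __name__ == "__main__":
    url = build_redirect_url(IDP_SSO_URL, AUTHN_REQUEST, "magic=229ae47d0cee7bb9")
    xml_text, relay = decode_redirect_url(url)
    print(relay, summarize_authn_request(xml_text))
```

When comparing a decoded request with the FortiGate configuration, the three values to line up are Destination (IDP single sign-on URL), Issuer (SP entity ID) and AssertionConsumerServiceURL (SP ACS URL); a mismatch on any of them is usually why the IDP answers with an error page instead of a Response.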
This is the SAML Response from the IDP. The IDP returns it to the client browser, which posts it to the FortiGate's ACS URL (the HTTP-POST binding requested in the AuthnRequest).
Here, the SAML Authentication Statement and the SAML Attribute Statement can be seen.
The SAML Authentication Statement states that the subject was authenticated by a particular method at a particular time.
The SAML Attribute Statement carries the attributes the IDP provides for the user.
Destination="https://10.5.24.116:10443/remote/saml/login" <- Since this is the response from the IDP, the destination is the Assertion Consumer Service (ACS) URL of the SP configured in the FortiGate. If the IDP has a different reply URL registered for this SP, the FortiGate rejects the response.
InResponseTo="_838F60F6BF4143F97B99446E866BFDDA" <- This is the ID of the request the IDP is responding to. It must equal the ID field of the AuthnRequest above.
IssueInstant="2023-10-03T14:30:43.494Z" <- The time when the Response was issued by the IDP.
Issuer: https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/ <- This is the entity ID of the IDP. It must match the IDP entity ID configured in the FortiGate.
Certificate: This is the certificate the IDP used to sign the assertion. The FortiGate verifies the signature against the IDP certificate imported in the FortiGate, so if certificate or signature errors are encountered, compare this certificate with the imported one (the IDP signing certificate may have been rotated).
Recipient="https://x.x.x.x:10443/remote/saml/login" <- This is the same as the Destination, the SP ACS URL.
Audience: http://x.x.x.x:10443/remote/saml/metadata/ <- This is the SP entity ID; the assertion is only valid for this SP.
Attribute Name and Attribute Value are the claims the IDP is configured to release for this user.
NotBefore="2023-10-03T14:25:43.316Z" NotOnOrAfter="2023-10-03T15:30:43.316Z" <- This is the assertion validity window. The FortiGate's clock must fall inside it when the response is processed; if the FortiGate or the IDP is not time-synchronized (NTP), an otherwise correct assertion is rejected as not yet valid or expired.
__samld_sp_login_resp [832]: SP Login Response Msg Body <samlp:Response ID="_e97609ab-3a4e-4999-b3b7-c159fc2fbdc4" Version="2.0" IssueInstant="2023-10-03T14:30:43.496Z" Destination="https://x.x.x.x:10443/remote/saml/login" InResponseTo="_838F60F6BF4143F97B99446E866BFDDA" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/3079dba8-5826-40be-abcb-85db3a9f3872/</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><Assertion ID="_91d40c9a-b665-42d1-bf93-0784cd894b00" IssueInstant="2023-10-03T14:30:43.494Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_91d40c9a-b665-42d1-bf93-0784cd894b00"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>2Eteyv/TVn+quL1vcQmerIYAuCYVc0VfT2icwSzChDA=</DigestValue></Reference></SignedInfo><SignatureValue>G6C1yew577xFTm9S3srKdI0B0Agzkby0WlENQyClWfe4FM6UUoeU/m+48WNjKbC0ZvrdNOp9VITFCDQ+lz5ZyhDyOUfmKEGl68+9s/2zg+uzecVXKOPo6sd2SZuOYSea/8oCUrW8ZJ**bleep**Y1837NIuPVXJkQZchF7E00v/vbMfimmGktr1VYtJO1S9aAAu06t3M+OJ8R4SbGsAGBy4HZrW8XYN3RToeYeGdp3ix9VINNadCIZbHIM1bNYATe3puTlim97jz5D9J4SCIejJZrjGunn93fSe0f9p1TqZHz51jXW67jtE1L4D6CsjKRXTBZuV2tMDb6xw657DDd7CRr/w==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQGwbw0ONvWIpJReGfr9FgMDANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzA5MTIxNDEzNTlaFw0yNjA5MTIxNDEzNTJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwOT2CMuvZNqqufoFBgRv1zS4ukg/kg6PJZkrW4b79LpCBCNT9aXD6lt5wK8z9PHpM3fcVuQ3OVQKC31435/lEOowWD/Td8mVEeDm62qDVDCaC+iMtwUgZORRFxz8HoujAf+e2OHpAa7BssYtL17XuXnmE5uPlrGAcWzUtDHtJhKum+FhdfEVDNCPMT33d1DjAV4UTD562P2+co+m3+3JRQmvkjw6YsI4DWFIV0Gb7tv4ANhAwrlQ2Wz7BrWQKf9166dEPT8WL1h/aDNVNyVfU5GmBe3hC9ZYAXq/vPJ9FBkINyMkRHIMwrNY9RwFmMBogATS3zH6ap2cQ7zejc1IKQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBQpGlgKCGvb4MEPz8VHDdCePMswdbsdg/E1BNhNXja2VI/cXISpE3TEpx9owJy6qwByfQpNcCXPZaLpiDszFfsHSeLBksxR8dgcADTgtBe2VpS2Rn9qOxOjPVVgJdykDfrAqShoGyibZmkeDbLRfPs7nHU8IhJxWq6PWTerxbdZIJTA1ITOrMgWO49xIweOJcDKqTVn56K/dkEbyETQua4hPNmNysyOSnKHtoRBloDEN0WN5KVE22V2lkuONptNkBMN8c2MXVoyWusRAIr+7bFau3ap3dJkzy4lsyCtGvBde6M9SzYvjA/5vw3YMqkozljAwcop78/p+8d8R68kq33</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xyz.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_838F60F6BF4143F97B99446E866BFDDA" NotOnOrAfter="2023-10-03T15:30:43.316Z" Recipient="https://x.x.x.x:10443/remote/saml/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2023-10-03T14:25:43.316Z" NotOnOrAfter="2023-10-03T15:30:43.316Z"><AudienceRestriction><Audience>http://x.x.x.x:10443/remote/saml/metadata/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>3079dba8-7986-40be-abcb-85db3a9f3872</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>096dba4e-b291-47ae-8cc7-437ca2bcbfe1</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>abc</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids"><AttributeValue>b79fbf4d-3ef9-4689-8143-76b194e85509</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>abc</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>xyz</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>abc@abc685gmail.onmicrosoft.com</AttributeValue></Attribute><Attribute Name="username"><AttributeValue>abc@abc685gmail.onmicrosoft.com</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2023-10-02T10:54:34.349Z" SessionIndex="_91d40c9a-b665-42d1-bf93-0784cd894b00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
__samld_sp_login_resp [853]:
In the above Login Response body, the following is the Attribute Statement. An attribute statement asserts that a subject S has attribute A in namespace N with value(s) V. The FortiGate matches the attribute names here against the user-name and group-name attributes configured in its SAML SP settings, so the names must match exactly.
<AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>3079dba8-7986-40be-abcb-85db3a9f3872</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>096dba4e-b291-47ae-8cc7-437ca2bcbfe1</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>abc</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids"><AttributeValue>b79fbf4d-3ef9-4689-8143-76b194e85509</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>abc</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>xyz</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>abc@abc685gmail.onmicrosoft.com</AttributeValue></Attribute><Attribute Name="username"><AttributeValue>abc@abc685gmail.onmicrosoft.com</AttributeValue></Attribute></AttributeStatement>
This is the Authentication Statement. An authentication statement asserts that a subject S was authenticated by the issuing system using method M at time T. Note that AuthnInstant (2023-10-02T10:54:34Z) is about a day earlier than the Response's IssueInstant (2023-10-03T14:30:43Z): the IDP did not prompt for credentials again but reused an existing IDP session, which the request permits because it was sent with ForceAuthn="false". AuthnContextClassRef shows the method originally used (Password here).
<AuthnStatement AuthnInstant="2023-10-02T10:54:34.349Z" SessionIndex="_91d40c9a-b665-42d1-bf93-0784cd894b00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement>
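The field checks walked through above (InResponseTo, Destination and Recipient against the ACS URL, Issuer against the IDP entity ID, Audience against the SP entity ID, the NotBefore/NotOnOrAfter window, and the presence of the configured user-name attribute), followed by extraction of the Attribute and Authentication Statements, as an added Python example that is not FortiGate code. SP_CONFIG is a hypothetical stand-in for the FortiGate SAML SP settings, SAMPLE_RESPONSE is a constructed, trimmed copy of the Response above with the Signature element removed, and the function names are the example's own. It deliberately does not verify the XML signature; that step is the SP's (the FortiGate checks it against the imported IDP certificate) and this script does not stand in for it.

```python
"""Field checks on a SAML Response, mirroring what the samld debug walkthrough looks at."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP-side settings, mirroring the values the FortiGate SAML SP config holds.
SP_CONFIG = {
    "entity_id": "http://x.x.x.x:10443/remote/saml/metadata/",      # SP entity ID
    "acs_url": "https://x.x.x.x:10443/remote/saml/login",           # SP ACS URL
    "idp_entity_id": "https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/",
    "user_name_attr": "username",                                    # user-name attribute
    "outstanding_request_id": "_838F60F6BF4143F97B99446E866BFDDA",  # ID of the AuthnRequest sent
}

# Constructed sample: a trimmed copy of the Response above, Signature element omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_e97609ab-3a4e-4999-b3b7-c159fc2fbdc4"
  Version="2.0" IssueInstant="2023-10-03T14:30:43.496Z" Destination="https://x.x.x.x:10443/remote/saml/login"
  InResponseTo="_838F60F6BF4143F97B99446E866BFDDA">
 <saml:Issuer>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_91d40c9a-b665-42d1-bf93-0784cd894b00" Version="2.0" IssueInstant="2023-10-03T14:30:43.494Z">
  <saml:Issuer>https://sts.windows.net/3079dba8-7986-40be-abcb-85db3a9f3872/</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">abc@xyz.onmicrosoft.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_838F60F6BF4143F97B99446E866BFDDA"
      NotOnOrAfter="2023-10-03T15:30:43.316Z" Recipient="https://x.x.x.x:10443/remote/saml/login"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-10-03T14:25:43.316Z" NotOnOrAfter="2023-10-03T15:30:43.316Z">
   <saml:AudienceRestriction><saml:Audience>http://x.x.x.x:10443/remote/saml/metadata/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>abc@xyz.onmicrosoft.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="username"><saml:AttributeValue>abc@xyz.onmicrosoft.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthnStatement AuthnInstant="2023-10-02T10:54:34.349Z" SessionIndex="_91d40c9a-b665-42d1-bf93-0784cd894b00">
   <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """xsd:dateTime as the IDP writes it (2023-10-03T14:30:43.316Z) -> aware UTC datetime."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, cfg, now, skew_seconds=60):
    """Return the problems the walkthrough would flag plus what the SP extracts.
    Does NOT verify the XML signature; the FortiGate does that against the imported IDP cert."""
    now = parse_saml_time(now) if isinstance(now, str) else now
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    problems = []
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        problems.append("IDP reported a non-Success status")
    if root.get("InResponseTo") != cfg["outstanding_request_id"]:
        problems.append("InResponseTo does not match the AuthnRequest ID we issued")
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination is not our ACS URL")
    for issuer in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != cfg["idp_entity_id"]:
            problems.append("Issuer is not the configured IDP entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != cfg["acs_url"] or scd.get("InResponseTo") != cfg["outstanding_request_id"]:
        problems.append("SubjectConfirmationData Recipient/InResponseTo mismatch (ACS URL or request ID)")
    if now >= parse_saml_time(scd.get("NotOnOrAfter")) + skew:
        problems.append("bearer confirmation expired")
    cond = a.find("saml:Conditions", NS)
    if now < parse_saml_time(cond.get("NotBefore")) - skew:
        problems.append("assertion not yet valid (NotBefore in the future): check NTP on FortiGate/IDP")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")) + skew:
        problems.append("assertion expired (NotOnOrAfter passed): check NTP on FortiGate/IDP")
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["entity_id"] not in audiences:
        problems.append("Audience does not include our SP entity ID")
    attributes = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
                  for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    username = attributes.get(cfg["user_name_attr"], [None])[0]
    if username is None:
        problems.append(f"IDP did not send the '{cfg['user_name_attr']}' attribute configured as user-name")
    authn = a.find("saml:AuthnStatement", NS)
    return {
        "ok": not problems, "problems": problems, "username": username, "attributes": attributes,
        "authn_method": authn.find("saml:AuthnContext/saml:AuthnContextClassRef", NS).text,
        # seconds between the IDP's original authentication and now; a large value means SSO session reuse
        "authn_age_s": (now - parse_saml_time(authn.get("AuthnInstant"))).total_seconds(),
    }


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SP_CONFIG, "2023-10-03T14:31:00Z"))
```

The skew_seconds tolerance is the example's own choice; it exists so that a few seconds of clock drift between IDP and SP do not reject a fresh assertion, while a FortiGate whose clock is minutes off still gets the "check NTP" problem that the debug output would show as a rejected assertion.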
Below is the tail of the samld session dump (the NameID of the authenticated subject), followed by samld_send_common_reply, which lists the values samld extracted from the assertion (here the RelayState value and the NotOnOrAfter time, then every attribute the IDP sent):
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">abc@xyz685gmail.onmicrosoft.com</saml:NameID> </NidAndSessionIndex> </Session>
samld_send_common_reply [122]: Attr: 17, 27, magic=229ae47d0cee7bb9
samld_send_common_reply [122]: Attr: 18, 29, 2023-10-03T15:30:43.316Z
samld_send_common_reply [118]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' '3079dba8-7986-40be-abcb-85db3a9f3872'
samld_send_common_reply [118]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '096dba4e-b291-47ae-8cc7-437ca2bcbfe1'
samld_send_common_reply [118]: Attr: 10, 68, 'http://schemas.microsoft.com/identity/claims/displayname' 'abc'
samld_send_common_reply [118]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/3079dba8-5486-40be-abcb-85db3a9f3872/'
samld_send_common_reply [118]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/48/identity/authenticationmethod/password'
samld_send_common_reply [118]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'b79fbf4d-3ef9-5238-8143-76b194e85509'
samld_send_common_reply [118]: Attr: 10, 75, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'abc'
samld_send_common_reply [118]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'xyz'
samld_send_common_reply [118]: Attr: 10, 108, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'abc@xyz.onmicrosoft.com'
samld_send_common_reply [118]: Attr: 10, 58, 'username' 'abc@xyz685gmail.onmicrosoft.com' <- This is the attribute configured on the FortiGate as the user-name attribute. The FortiGate expects the IDP to send it under exactly this name; if it is missing, the login fails even though the assertion is otherwise valid.
samld_send_common_reply [122]: Attr: 11, 670, https://login.microsoftonline.com/3079dba8-7986-21ax-abcb-85db3a9f3872/saml2?SAMLRequest=fZLNbtswEITvfQqBd0r8k0wStlDHrgEDSQ9N0UMvASXSjgCRdEkayeOHktIiDZCcFljuN5xZ7DoqO17krT%2F7a%2Fph%2FlxNTMWzHV2U88sGXIOTXsUhSqesiTL18n57dytJieQl%2BOR7P4I3yOeEitGENHgHiuN%2BAx52B0TFgRx2W3LDvu0azIjAgnB2U7M94QQUv0yIeX4DMp6hGK%2Fm6GJSLuUWIhRiBBH9iZmkSDLxGxT7nGFwKs3UY0qXKKtq9OfBlXbog4%2F%2BlLwbB2fK3tuKopXQneJwJXgDGeoMVF3fQV7rjipxonxFqikZAe16qnI2EdpJOitjVNYlYSXGjcSIMVoFY30yM1NZk5RWSVXr6i27CH3P%2Bznui4MPVqWPF4dLPHcGDU%2FzqDRWDeNW62BiBK1VzsfHr0s5%2B%2Fik7NDw%2BjwNld79Cz3FfbWx%2FLzYuMj7LJO3dXTaPLcPAmuGeqFg1zQ1ZERj2J0EhWjFWa%2B5YB1Ci8w78svf7n%2Fn1L4A&RelayState=magic%3D229ae47d0cee7bb9