Created on 11-24-2021 06:03 AM Edited on 02-05-2024 12:50 AM By Jean-Philippe_P
Description: This article describes how to troubleshoot SAML authentication.
Scope: FortiGate.
Solution:
There might be a situation where SAML for SSL VPN or admin access to the GUI is configured according to the Fortinet documentation, but the authentication still fails for some reason.
The proper approach in such a case is to run the debug for samld (the process responsible for SAML authentication).
1) Run these debugging commands while connected to the FortiGate via SSH:
Note:
Before running the commands below, make sure to capture the console output to a file.
Follow the related KB article to capture the output in a text file with PuTTY:
# diag deb reset
# diag debug console timestamp en
# diagnose debug application samld -1
# diag debug enable
2) Trigger SAML authentication.
3) Open the console output file in a text editor.
4) If the following string is found in the text file, it means there is something wrong with the IDP certificate:
Failed to process response message. ret=440(The profile cannot verify a signature on the message)
A solution for such a case would be to:
1) Remove the IDP cert from the SAML config.
2) Delete it from the list of certificates.
3) Download it again from the IDP and import it.
4) Use that certificate in the SAML config.
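The captured samld debug output can be long, so a small script that scans the saved console file for the failure line quoted above saves time. The following example is added here and is not part of the original article or of any Fortinet tool; the sample log lines are constructed, the timestamp prefix assumes `diag debug console timestamp en` was on, and only the ret=440 case documented in this article is mapped to a remediation (any other ret code is reported without one).

```python
import re

# Constructed sample of a captured samld debug session (not real FortiGate output).
# The timestamp prefix assumes 'diag debug console timestamp en' was enabled.
SAMPLE_CONSOLE_LOG = """\
2021-11-24 06:03:10 samld: processing SAML response
2021-11-24 06:03:10 Failed to process response message. ret=440(The profile cannot verify a signature on the message)
2021-11-24 06:03:11 samld: authentication failed
"""

# Matches the failure line from the article: "Failed to process response message. ret=<code>(<message>)"
RET_PATTERN = re.compile(
    r"Failed to process response message\. ret=(?P<code>\d+)\((?P<msg>[^)]*)\)"
)

# Only the code this article documents gets a remediation text.
KNOWN_REMEDIATION = {
    440: (
        "IDP certificate problem (signature cannot be verified): remove the IDP cert "
        "from the SAML config, delete it from the certificate list, download it again "
        "from the IDP, import it and reference it in the SAML config."
    ),
}


def find_saml_failures(console_log: str) -> list:
    """Return one dict per 'Failed to process response message' line in the captured output."""
    findings = []
    for lineno, line in enumerate(console_log.splitlines(), start=1):
        m = RET_PATTERN.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        findings.append(
            {
                "line": lineno,
                "code": code,
                "message": m.group("msg"),
                # None when the article gives no remediation for this code
                "remediation": KNOWN_REMEDIATION.get(code),
            }
        )
    return findings


def idp_cert_suspected(console_log: str) -> bool:
    """True when at least one ret=440 failure (IDP certificate problem) was captured."""
    return any(f["code"] == 440 for f in find_saml_failures(console_log))


def load_console_file(path: str) -> str:
    """Read a PuTTY session log; errors='replace' tolerates stray terminal bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Run against the constructed sample; pass load_console_file("<your putty.log>") for a real capture.
    for finding in find_saml_failures(SAMPLE_CONSOLE_LOG):
        print(f"line {finding['line']}: ret={finding['code']} ({finding['message']})")
        if finding["remediation"]:
            print("  remediation:", finding["remediation"])
        else:
            print("  no documented remediation for this ret code")
```

Run it against the PuTTY capture instead of the constructed sample by calling `find_saml_failures(load_console_file("putty.log"))`; a ret code other than 440 is still listed, so the output also shows when the failure is not the certificate case described here.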
Copyright 2024 Fortinet, Inc. All Rights Reserved.