|
There might be a situation that the SAML for the SSLVPN/Admin access to GUI is configured according to the Fortinet documentation, but the authentication is for some reason is not successful.
The proper approach in a such case would be to run the debug for the samld( process responsible for the SAML authentication).
1) Run these debugging commands while connected to fortigate via ssh :
# diag deb reset
# diag debug console timestamp en
# diagnose debug application samld -1
# diag debug enable
2) Trigger SAML authentication.
3) Open the console output file in a text editor.
4) If a string is found in the text file, that means that there is something wrong with the IDP certificate:
Failed to process response message. ret=440(The profile cannot verify a signature on the message)
A solution for such a case would be to:
1) Remove the IDP cert from the SAML config.
2) Delete it from the list of the certificates.
3) Download it again from the IDP and import it.
4) Use that certificate in the SAML config.
|
