ssanga
Staff & Editor
Article Id 350646
Description This article explains the limitation that Identity Provider (IdP)-initiated or Proxy-initiated SAML Single Sign-On (SSO) login is not supported for FortiGate login due to security concerns.
Scope FortiGate.
Solution

FortiGate supports only Service Provider (SP)-initiated SAML SSO, as it provides better security and control over the login process. When users attempt to authenticate via IdP/Proxy-initiated SAML logins, the authentication will fail, resulting in an error.
This occurs because the FortiGate lacks the context it needs about the specific resource the user is trying to access. It recognizes only that the user is seeking authentication, but without knowing the intended resource, the login cannot proceed.

When an attempt is made to log into FortiGate using IdP/Proxy-initiated SAML SSO, the following errors may be seen in the CLI debugs, and the error "Bad request error" is shown on the GUI login page.

diagnose debug application samld -1
diagnose debug application httpsd -1
diagnose debug enable
[httpsd 12538 - 1728926322 info] fweb_debug_init[451] -- New POST request for "/saml/" from "10.2.2.8:52606"
[httpsd 12538 - 1728926322 info] fweb_debug_init[453] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
[httpsd 12538 - 1728926322 info] fweb_debug_init[455] -- Handler "saml-sp-handler" assigned to request
[httpsd 12538 - 1728926322 error] saml_sp_acs_handler[823] -- Error in SP ACS handler. SAML_SP_LOGIN_DUMP is not found in cookie

It is recommended to always initiate SAML authentication from the FortiGate (SP) side to ensure proper SAML SSO authentication.
This approach allows the FortiGate to manage and validate the authentication securely, reducing the risk of phishing, replay attacks, and session fixation being used to gain unauthorized access.

Refer to the KB article below to configure Service Provider (SP)-initiated SAML SSO login on FortiGate:
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...
