Created on 03-02-2025 10:44 PM
Edited on 03-06-2025 05:20 AM
By Jean-Philippe_P
Description | This article explains how to fix the issue where the SAML login page fails to load, and SAML debugging on FortiGate displays the error message 'Failed to send SAML request'. |
Scope | FortiGate, SAML. |
Solution |
To check for this error message, collect SAML debugs as shown below:
diagnose debug reset
diagnose vpn ssl debug-filter src-addr4 x.x.x.x <----- x.x.x.x is the user's public IP.
diagnose debug application sslvpn -1
diagnose debug enable
To stop the debugs:
diagnose debug application sslvpn 0
diagnose debug application samld 0
diagnose debug disable
diagnose debug reset
Have the user attempt to log in via SSL VPN using FortiClient or web mode, then verify whether the debug logs match the output shown below.
2025-01-30 14:22:38 [257:root:1c7]saml login 455 idp entity: http://www.okta.com/exkjl88mpt1HtmMn7697
To resolve this error, verify that the correct SP certificate is used in the IdP configuration, or disable the Service Provider certificate in the SAML configuration.
In GUI:
In CLI:
config user saml
end
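To check the first option before changing the configuration, the following added example (not Fortinet's code and not part of the original article) compares the certificate exported from the SP with the one held at the IdP by SHA-256 fingerprint of the DER bytes, so differences in line wrapping or line endings do not produce a false mismatch. The function names and sample certificate bytes are constructed for illustration, and it assumes each side can be exported as PEM, bare base64, or SAML metadata XML.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

X509_TAG = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_bodies(text):
    """Base64 bodies from SAML metadata XML, PEM block(s), or bare base64."""
    if text.lstrip().startswith("<"):
        # Intended for admin-exported local files, not untrusted XML.
        return [el.text or "" for el in ET.fromstring(text).iter(X509_TAG)]
    return PEM_RE.findall(text) or [text]

def fingerprints(text):
    """SHA-256 over the DER bytes, so wrapping and CRLF differences vanish."""
    out = set()
    for body in cert_bodies(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.add(hashlib.sha256(der).hexdigest())
    return out

def sp_cert_matches(sp_export, idp_export):
    """True when a certificate on the SP side is also present on the IdP side."""
    return bool(fingerprints(sp_export) & fingerprints(idp_export))

# Constructed sample data: placeholder bytes stand in for DER certificates.
def _pem(der, width=64, eol="\n"):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + eol

SP_DER = b"constructed SP certificate bytes " * 8
OLD_DER = b"constructed stale certificate bytes " * 8
SP_PEM = _pem(SP_DER)                      # as exported from the SP
IDP_PEM_CRLF = _pem(SP_DER, 76, "\r\n")    # same certificate, rewrapped
IDP_XML = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Certificate>'
           + base64.b64encode(OLD_DER).decode()
           + '</ds:X509Certificate></md:EntityDescriptor>')

if __name__ == "__main__":
    print("same cert, rewrapped:", sp_cert_matches(SP_PEM, IDP_PEM_CRLF))
    print("stale cert at IdP:   ", sp_cert_matches(SP_PEM, IDP_XML))
```

A result of False means the two sides hold different certificates, which is the mismatch the resolution step above asks to rule out.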
Related articles:
Troubleshooting Tip: Error 'The identifier of a provider is unknown to #LassoServer' for SAML login
Troubleshooting Tip: Fix SAML 'access denied' error caused by failure to create SP
Technical Tip: FortiGate SAML authentication resource list
Troubleshooting Tip: FortiClient SAML authentication when SSL VPN web mode is disabled globally |