GeorgeZhong
Staff & Editor
Article Id 422016
Description
This article describes an issue where a '/' character in the SAML object name on a FortiGate prevents the device from generating the SAML metadata XML file. As a result, the SAML portal cannot be opened during SSL-VPN or IPsec SAML authentication.
Scope
FortiGate, SSL VPN, IPsec, SAML SSO.
Solution

A SAML metadata file on a FortiGate is an XML document that serves as a standardized configuration blueprint for enabling Single Sign-On (SSO) between the FortiGate (acting as the Service Provider, or SP) and an external Identity Provider (IdP), such as Azure AD or Okta.

This file contains all the SAML SP and IdP information defined under the 'config user saml' configuration on the FortiGate. Details for the SSO configuration can be found in the document: Configuring SAML SSO.

When the SSO configuration is saved, FortiGate will automatically generate the SAML metadata file, which can be verified with 'diagnose vpn ssl saml-metadata "<SAML HERE>"'. Reference: Technical Tip: How to check metadata for SAML authentication

 

For example, when the following configuration is applied:

config user saml
    edit "IPsec SAML"
        set cert "Fortinet_Factory"
        set entity-id "http://10.56.242.195:9443/remote/saml/metadata/"
        set single-sign-on-url "https://10.56.242.195:9443/remote/saml/login"
        set single-logout-url "https://10.56.242.195:9443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/942b80cd-1b14-42a1-8dcf-4b21dece61ba/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/942b80cd-1b14-42a1-8dcf-4b21dece61ba/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/942b80cd-1b14-42a1-8dcf-4b21dece61ba/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
        set digest-method sha1
    next
end

 

The metadata XML file can be viewed as below:

site1 # diagnose vpn ssl saml-metadata "IPsec SAML"
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://10.56.242.195:9443/remote/saml/metadata/">
<SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>[base64 certificate omitted]</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>[base64 certificate omitted]</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://10.56.242.195:9443/remote/saml/login"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://10.56.242.195:9443/remote/saml/logout"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
</SPSSODescriptor>
</EntityDescriptor>

 

The above example is for a normal scenario.

A scenario has been observed where, if the SAML name contains a '/', such as 'IPsec/saml', the metadata file is not generated and an I/O error occurs. For example, when the following SAML configuration is entered through the CLI, an I/O error is observed when the configuration is saved:

site1 # config user saml
site1 (saml) # edit "IPsec/saml"


new entry 'IPsec/saml' added


site1 (IPsec/saml) # set cert "Fortinet_Factory"
site1 (IPsec/saml) # set entity-id "http://10.56.242.195:9443/remote/saml/metadata/"
site1 (IPsec/saml) # set single-sign-on-url "https://10.56.242.195:9443/remote/saml/login"
site1 (IPsec/saml) # set single-logout-url "https://10.56.242.195:9443/remote/saml/logout"
site1 (IPsec/saml) # set idp-entity-id "https://sts.windows.net/942b80cd-1b14-42a1-8dcf-4b21dece61ba/"
site1 (IPsec/saml) # set idp-single-sign-on-url "https://login.microsoftonline.com/942b80cd-1b14-42a1-8dcf-4b21dece61ba/saml2"
site1 (IPsec/saml) # set idp-single-logout-url "https://login.microsoftonline.com/942b80cd-1b14-42a1-8dcf-4b21dece61ba/saml2"
site1 (IPsec/saml) # set idp-cert "REMOTE_Cert_1"
site1 (IPsec/saml) # set user-name "username"
site1 (IPsec/saml) # set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
site1 (IPsec/saml) # set digest-method sha1
site1 (IPsec/saml) # next
I/O error : No such file or directory
I/O error : No such file or directory
I/O error : No such file or directory
I/O error : No such file or directory
I/O error : No such file or directory
I/O error : No such file or directory
I/O error : No such file or directory
I/O error : No such file or directory
Failed to chmod /tmp/sslvpn/tmp/0-IPsec/saml-idp-meta.xml err: No such file or directory.
Failed to setuid or setgid /tmp/sslvpn/tmp/0-IPsec/saml-idp-meta.xml err: No such file or directory.
Failed to chmod /tmp/sslvpn/tmp/0-IPsec/saml-sp-meta.xml err: No such file or directory.
Failed to setuid or setgid /tmp/sslvpn/tmp/0-IPsec/saml-sp-meta.xml err: No such file or directory.
saml_gen_attr_data can not open /tmp/sslvpn/tmp/0-IPsec/saml-saml-attr.dat
Failed to gen attr data for saml user 'IPsec/saml' in vdom 0
site1 (saml) # end

 

From the error messages, it can be seen that the SAML metadata XML file name is '0-IPsec/saml-idp-meta.xml', which contains the '/' originating from the SAML name in the configuration. The slash is interpreted as a directory separator, so the file path points into a directory that does not exist, which results in the 'No such file or directory' errors.

When checking the metadata file with the following command, the same error is observed:

site1 # diagnose vpn ssl saml-metadata "IPsec/saml"
stat('/dev/cmdb/.hidden/sslvpn/tmp/0-IPsec/saml-sp-meta.xml') failed: No such file or directory

 

When this SAML setting 'IPsec/saml' is used by SSL VPN or IPsec SAML authentication, the following error is seen in the SAML debug:

site1 # diagnose debug application samld -1

site1 # diagnose debug enable

site1 # samld_process_request [145]: len=445, cmd=0, pid=2066, job_id=564262
samld_process_request [162]: Received 445, 0x563878031ed0
gen_sp_server [307]: Failed to create SP
samld_send_common_reply [91]: Code: 1, id: 564262, pid: 2066, len: 16, data_len 0
samld_send_common_reply [119]: Sent resp: 16, pid=2066, job_id=564262.
samld_process_request [145]: len=445, cmd=0, pid=2066, job_id=564262
samld_process_request [162]: Received 445, 0x563878031ed0
gen_sp_server [307]: Failed to create SP
samld_send_common_reply [91]: Code: 1, id: 564262, pid: 2066, len: 16, data_len 0
samld_send_common_reply [119]: Sent resp: 16, pid=2066, job_id=564262.

 

On the FortiClient side, the SAML logon page will not open and the following error is shown when making an IPsec connection:

[Screenshot: FortiClient error during the IPsec SAML connection]

For SSL VPN SAML authentication, the following error will be observed:

[Screenshot: '400 Bad Request' error]

To avoid this issue, do not include '/' in the SAML name on the FortiGate.

If a SAML entry whose name contains '/' already exists, simply removing the '/' from the name will not fix the issue, since the metadata file was never created in the first place. To resolve the issue, delete the problematic SAML entry and configure a new SAML entry without '/' in its name; this writes the metadata file to the file system again. Then, the command 'diagnose vpn ssl saml-metadata "<SAML HERE>"' can be used to verify whether the file has been saved properly.
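As an added example (not Fortinet's code or a FortiOS feature), the following Python script audits a FortiOS configuration export for 'config user saml' entries whose name would push the metadata file out of its directory, rebuilding the path in the form shown by the errors above. The '/tmp/sslvpn/tmp' directory and the '<vdom>-<name>-<kind>-meta.xml' naming are taken from the error messages on this page; the sample configuration is constructed.

```python
import os
import re

# Constructed sample of a FortiOS configuration export (not a real device dump):
# two 'config user saml' entries, one of which carries a '/' in its name.
SAMPLE_CONFIG = """\
config user saml
    edit "IPsec SAML"
        set entity-id "http://10.56.242.195:9443/remote/saml/metadata/"
    next
    edit "IPsec/saml"
        set entity-id "http://10.56.242.195:9443/remote/saml/metadata/"
    next
end
"""

METADATA_DIR = "/tmp/sslvpn/tmp"   # directory seen in the article's error messages
_EDIT_RE = re.compile(r'^\s*edit\s+"([^"]*)"\s*$')

def saml_entry_names(config_text: str) -> list[str]:
    """Return the object names under 'config user saml' in a FortiOS config text."""
    names, in_saml, depth = [], False, 0
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config user saml":
            in_saml, depth = True, 0
        elif not in_saml:
            continue
        elif stripped.startswith("config "):
            depth += 1                      # sub-table nested inside an entry
        elif stripped == "end":
            if depth == 0:
                in_saml = False             # closes 'config user saml'
            else:
                depth -= 1
        elif depth == 0:
            m = _EDIT_RE.match(line)
            if m:
                names.append(m.group(1))
    return names

def metadata_path(vdom_index: int, name: str, kind: str = "sp") -> str:
    """Rebuild the metadata file path in the form the article's errors show."""
    return f"{METADATA_DIR}/{vdom_index}-{name}-{kind}-meta.xml"

def find_unsafe_saml_names(config_text: str, vdom_index: int = 0) -> list[str]:
    """Names whose resulting metadata path no longer sits directly in METADATA_DIR."""
    return [n for n in saml_entry_names(config_text)
            if os.path.dirname(metadata_path(vdom_index, n)) != METADATA_DIR]
```

Running find_unsafe_saml_names over a backup before applying it flags 'IPsec/saml' while leaving 'IPsec SAML' untouched, which is the same distinction the device makes when it tries to create the file.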