Step 1: Make sure the URLs are correct and the same on both sides, SP and IdP: Technical Tip: Fix SAML access denied error, failed to create SP
Step 2: If the configuration is confirmed to be correct, collect the WAD and SAML debug output (x.x.x.x is the client's source IP):
diagnose debug disable
diagnose debug reset
diag wad filter src x.x.x.x
diagnose debug app samld -1
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose wad debug display pid enable
diagnose wad debug enable all
Once the logs are collected, disable the WAD and SAML debug:
diagnose wad debug disable
diagnose debug app samld 0
diagnose debug disable
For this use case, the debug output shows the errors 'Failed to create SP' and 'ERROR SAML processing request':
"...
samld_process_request [145]: len=551, cmd=0, pid=636, job_id=3967220405
samld_process_request [162]: Received 551, 0x15e4cf0
gen_sp_server [309]: Failed to create SP
samld_send_common_reply [91]: Code: 1, id: -327746891, pid: 636, len: 16, data_len 0
...
[V]2025-07-24 07:55:35.436345 [p:636] saml_ipc_on_read :290 Rcvd 16 bytes from SAMLD: rc=1
[V]2025-07-24 07:55:35.436349 [p:636] hauth_saml_aqueue_key_hash :2335 called
[V]2025-07-24 07:55:35.436353 [p:636] hauth_saml_on_notify :1287 called
[E]2025-07-24 07:55:35.436355 [p:636] hauth_saml_on_notify :1297 ERROR SAML LOGIN session (0x7f170a03ec90) is fail!
[E]2025-07-24 07:55:35.436358 [p:636] hauth_saml_on_notify :1405 ERROR SAML processing request (0x7f170a03ec90) fail
[V]2025-07-24 07:55:35.436361 [p:636] hauth_saml_resume_request :638 called
[E]2025-07-24 07:55:35.436364 [p:636] hauth_saml_resume_request :655 ERROR SAMLD response error: code=-1 msg=(null)
[V]2025-07-24 07:55:35.436367 [p:636] hauth_saml_resume_request :745 called
[I]2025-07-24 07:55:35.436371 [p:636][s:3373895][r:352321566] wad_http_auth_status_proc :11581 authenticate result=failure
[I]2025-07-24 07:55:35.436374 [p:636][s:3373895][r:352321566] __wad_http_build_replmsg_resp :773 Generating replacement message. unknown error repmsg_id 77
...
DC-FW-INT-FG2201E-01 # fnsysctl ls -all /tmp/mnt/wad/saml/
drwx------ 2 0 0 Wed Jul 23 13:57:21 2025 80 .
drwx------ 5 0 0 Tue Jul 15 11:41:29 2025 100 ..
..."
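As an added example (not from the original article or from Fortinet), the following Python script parses debug output in the samld/WAD line formats quoted above and flags the 'Failed to create SP' signature so a large capture can be triaged without reading it line by line. The sample lines are constructed from the excerpt; the function names `triage` and `verdict` are my own.

```python
import re

# Constructed sample in the samld/WAD debug format quoted above (not a live capture).
SAMPLE_DEBUG = """\
samld_process_request [162]: Received 551, 0x15e4cf0
gen_sp_server [309]: Failed to create SP
samld_send_common_reply [91]: Code: 1, id: -327746891, pid: 636, len: 16, data_len 0
[V]2025-07-24 07:55:35.436345 [p:636] saml_ipc_on_read :290 Rcvd 16 bytes from SAMLD: rc=1
[E]2025-07-24 07:55:35.436355 [p:636] hauth_saml_on_notify :1297 ERROR SAML LOGIN session (0x7f170a03ec90) is fail!
[E]2025-07-24 07:55:35.436364 [p:636] hauth_saml_resume_request :655 ERROR SAMLD response error: code=-1 msg=(null)
[I]2025-07-24 07:55:35.436371 [p:636][s:3373895][r:352321566] wad_http_auth_status_proc :11581 authenticate result=failure
"""

# WAD side: "[<level>]<date> <time> [p:<pid>][...] <function> :<line> <message>"
WAD_RE = re.compile(r"^\[(?P<lvl>[A-Z])\]\S+ \S+ \[p:(?P<pid>\d+)\]\S* "
                    r"(?P<func>\w+) :\d+ (?P<msg>.*)$")
# samld side: "<function> [<line>]: <message>"
SAMLD_RE = re.compile(r"^(?P<func>\w+) \[\d+\]: (?P<msg>.*)$")
SAMLD_CODE_RE = re.compile(r"SAMLD response error: code=(-?\d+)")


def triage(debug_text: str) -> dict:
    """Collect the SP-creation failure, samld error code, WAD errors and failed-auth pids."""
    report = {"sp_create_failed": False, "samld_code": None,
              "failed_pids": [], "errors": []}
    for line in debug_text.splitlines():
        m = SAMLD_RE.match(line)
        if m:
            if "Failed to create SP" in m["msg"]:
                report["sp_create_failed"] = True
            continue
        m = WAD_RE.match(line)
        if not m:
            continue  # prompt, fnsysctl output or separator: not a debug record
        if m["lvl"] == "E":
            report["errors"].append(f"{m['func']}: {m['msg']}")
            code = SAMLD_CODE_RE.search(m["msg"])
            if code:
                report["samld_code"] = int(code.group(1))
        elif "authenticate result=failure" in m["msg"]:
            report["failed_pids"].append(int(m["pid"]))
    return report


def verdict(report: dict) -> str:
    """Map the findings to the diagnosis this article describes."""
    if report["sp_create_failed"] and report["samld_code"] == -1:
        return "failed-to-create-sp"  # check SP/IdP URLs, then rename the user or upgrade
    if report["failed_pids"]:
        return "auth-failure-other"   # SAML auth failed, but not with this signature
    return "no-saml-failure"
```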
- The workaround is to rename the SAML user:
config user saml
    rename <SAML_user> to <New_SAML_user>
end
- The solution is to upgrade to v7.6.0 or later.