Ashika17
Staff
Article Id 286062
Description This article describes the log that is generated when an SSO administrator account is used to access the FortiGate via SSH/telnet. The log states that the administrator's username is invalid.
Scope FortiGate.
Solution

The Single Sign-On (SSO) administrator account works with GUI login but fails when login is attempted via SSH.

This can appear in the logs as shown below:

date=2023-11-06 time=12:14:26 devid="FG201Fxxxxxxxxxx" devname="FGT_Test_Primary" eventtime=1699290866478902761 tz="-0600" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="music@fortinet.com" ui="ssh(169.254.0.1)" method="ssh" srcip=169.254.0.1 dstip=169.254.0.5 action="login" status="failed" reason="name_invalid" msg="Administrator music@fortinet.com login failed from ssh(169.254.0.1) because of invalid user name"

 

SSO login requires a browser window redirect to the IdP for the user login.

The failure is therefore expected behavior: SSH terminal emulators have no application-level integration to open a browser, complete the authentication, and pass the result back to the SSH terminal emulator.

Administrator SSO login works only for GUI access, not for SSH, telnet or console.
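When reviewing these events, it helps to separate the expected SSO-over-CLI failures described above from other "Admin login failed" entries that deserve a closer look. The following is an added example, not part of the original article or any Fortinet tooling: it parses key=value log lines and labels them. The `SSO_ADMINS` list, the function names, the `telnet`/`console` method strings and all sample lines are assumptions or constructed data.

```python
import re
from collections import Counter

# Constructed sample events. The first is modeled on the article's log line;
# the rest are invented for contrast (192.0.2.0/24 is a documentation range).
SAMPLE_LOGS = [
    'logid="0100032002" logdesc="Admin login failed" user="music@fortinet.com" '
    'ui="ssh(169.254.0.1)" method="ssh" srcip=169.254.0.1 status="failed" '
    'reason="name_invalid" msg="Administrator music@fortinet.com login failed"',
    'logdesc="Admin login failed" user="backup" ui="ssh(192.0.2.10)" method="ssh" '
    'srcip=192.0.2.10 status="failed" reason="name_invalid"',
    'logdesc="Admin login failed" user="test" ui="ssh(192.0.2.10)" method="ssh" '
    'srcip=192.0.2.10 status="failed" reason="name_invalid"',
    'logdesc="Admin login successful" user="admin" ui="https(192.0.2.20)" '
    'method="https" srcip=192.0.2.20 status="success"',
]

# Assumption: the operator supplies the names of SSO administrator accounts.
SSO_ADMINS = {"music@fortinet.com"}
# Only "ssh" appears in the article's log; "telnet" and "console" are assumed values.
CLI_METHODS = {"ssh", "telnet", "console"}

# key=value pairs where the value is either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one FortiGate key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def classify(entry, sso_admins):
    """Label an event: expected SSO-over-CLI failure, needs review, or ignore."""
    if entry.get("logdesc") != "Admin login failed":
        return "ignore"
    if (entry.get("reason") == "name_invalid"
            and entry.get("method") in CLI_METHODS
            and entry.get("user") in sso_admins):
        return "expected_sso_cli"
    return "review"

def triage(lines, sso_admins=SSO_ADMINS):
    """Count labels and tally source IPs of failures that need review."""
    labels, review_sources = Counter(), Counter()
    for entry in map(parse_line, lines):
        label = classify(entry, sso_admins)
        labels[label] += 1
        if label == "review":
            review_sources[entry.get("srcip", "unknown")] += 1
    return labels, review_sources

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

A `name_invalid` failure for a username that is not a known SSO administrator stays in the `review` bucket, so repeated attempts from one source remain visible.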
