FortiGate
Fortizaid
Staff
Article Id 422728
Description This article describes how to handle a scenario where SAML SSO Authentication is configured for SSL VPN and the login page does not load. Instead, the page displays the '400 Bad Request' error. 
Scope FortiOS 7.4.
Solution

FortiGate is configured to use a SAML server for authentication, and the SSL VPN settings contain user groups that are mapped to this SAML server. When a user tries to log in to the SSL VPN through FortiClient, the internal browser page in FortiClient does not load the IdP login form. Instead, the following error is observed:

 

[Screenshot: FortiClient internal browser showing '400 Bad Request']

 

Troubleshooting steps to verify and isolate the point of fault:

 

  1. Check the SP metadata that FortiGate generates for SSL VPN (FortiGate acts as the SAML Service Provider). Run the following command in the CLI, using the name of the SAML server object configured under 'config user saml':

 

diagnose vpn ssl saml-metadata "SAML Server Name"

 

diagnose vpn ssl saml-metadata "TEST_PROD_SAML"

stat('/dev/cmdb/.hidden/sslvpn/tmp/1-TEST_PROD_SAML-sp-meta.xml') failed: No such file or directory

The SP metadata file is missing, which means the SSL VPN daemon never initialized its SAML SP instance for this server. The next step shows why.

 

 

  2. Enable sslvpnd debugging while the client attempts to connect (disable it again afterwards with 'diagnose debug disable'):

 

 

diagnose debug console timestamp enable

diagnose debug application sslvpnd -1

diagnose debug enable

 

In the debug output, the following error is observed:

 

VPNFortigate (global) # [8543:VDOM-VPN:0]sslvpn_bind_udp_port:522 port 8900 vfid 1 err=98:Address already in use

err=98 is EADDRINUSE: another process already holds UDP port 8900 in this VDOM (vfid 1), so sslvpnd cannot bind the port it needs and the SAML SP instance is never created.

 

 

  3. Based on the sslvpnd debug output, the UDP port that sslvpnd needs to bind is already in use by another daemon. Identify which process holds the port with the following command:

 

 

diagnose sys udpsock | grep 8900

 

VPNFortigate (global) # diagnose sys udpsock | grep 8900
127.0.0.1:8900->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=587689108 process=21861/ipsengine

 

 

 

  4. Kill the conflicting daemon so that, when it restarts, it binds to a different unused UDP port and frees port 8900 for sslvpnd:

 

 

 

fnsysctl killall ipsengine

 

Note: Killing ipsengine briefly interrupts IPS inspection. Only perform kill actions during a maintenance window to avoid additional downtime.

 

 

  5. Verify that UDP port 8900 is now bound by the SSL VPN daemon (sslvpnd) rather than ipsengine:


VPNFortigate (global) # diagnose sys udpsock | grep 8900
0.0.0.0:8900->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=1574347942 process=18860/sslvpnd

 

 

  6. Connect FortiClient to the SSL VPN again and verify that the SP metadata for the SAML server is now generated and shows the SAML entity ID, assertion consumer service and logout endpoints:

 

VPNFortigate (VDOM-VPN) # diagnose vpn ssl saml-metadata "TEST_PROD_SAML"
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="xxxxxxxxxxxx" entityID="https://xxxvpn.fortitest.com:9443/remote/saml/metadata/">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xxxvpn.fortitest.com:9443/remote/saml/login"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://xxxvpn.fortitest.com:9443/remote/saml/logout"/>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
</SPSSODescriptor>
</EntityDescriptor>
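The triage in steps 2 to 5 above can be automated when the CLI output is collected over SSH or from a support bundle. The following Python script is an added example written for this article; it is not Fortinet code. It parses the two kinds of output shown above, the sslvpnd debug line reporting a UDP bind failure and the 'diagnose sys udpsock' listing, names the process holding the port, and confirms afterwards that sslvpnd owns it. The sample lines are constructed from the article's output; the hostname, PIDs, inode numbers and the extra iked socket line are illustrative.

```python
"""Triage helper for the SSL VPN SAML '400 Bad Request' port-conflict case.

Added example, not Fortinet's own code.  Parses FortiOS CLI output captured
from 'diagnose debug application sslvpnd -1' and 'diagnose sys udpsock'.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: sslvpnd debug output (step 2) containing a bind failure.
SSLVPND_DEBUG = """\
VPNFortigate (global) # [8543:VDOM-VPN:0]sslvpn_bind_udp_port:522 port 8900 vfid 1 err=98:Address already in use
"""

# Constructed sample: 'diagnose sys udpsock' before the fix (step 3).
# The iked line is illustrative and only shows that unrelated sockets are ignored.
UDPSOCK_BEFORE = """\
127.0.0.1:8900->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=587689108 process=21861/ipsengine
0.0.0.0:500->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=12345 process=4321/iked
"""

# Constructed sample: 'diagnose sys udpsock' after ipsengine was restarted (step 5).
UDPSOCK_AFTER = """\
0.0.0.0:8900->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=1574347942 process=18860/sslvpnd
"""

# [pid:vdom:n]sslvpn_bind_udp_port:<line> port <p> vfid <v> err=<errno>:<message>
BIND_FAIL_RE = re.compile(
    r"\[(?P<pid>\d+):(?P<vdom>[^:\]]+):\d+\]sslvpn_bind_udp_port:\d+ "
    r"port (?P<port>\d+) vfid (?P<vfid>\d+) err=(?P<errno>\d+):(?P<msg>.*)"
)
# <laddr>:<lport>-><raddr>:<rport> ... process=<pid>/<name>
UDPSOCK_RE = re.compile(
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)->(?P<raddr>[\d.]+):(?P<rport>\d+) .*?"
    r"process=(?P<pid>\d+)/(?P<name>\S+)"
)

EADDRINUSE = 98  # Linux errno for "Address already in use"


@dataclass
class BindFailure:
    vdom: str
    port: int
    vfid: int
    errno: int
    message: str


@dataclass
class UdpSocket:
    local_port: int
    pid: int
    process: str


def parse_bind_failures(debug_output: str) -> list[BindFailure]:
    """Extract every sslvpn_bind_udp_port failure from sslvpnd debug output."""
    found = []
    for line in debug_output.splitlines():
        m = BIND_FAIL_RE.search(line)
        if m:
            found.append(BindFailure(m["vdom"], int(m["port"]), int(m["vfid"]),
                                     int(m["errno"]), m["msg"].strip()))
    return found


def parse_udpsock(udpsock_output: str) -> list[UdpSocket]:
    """Parse 'diagnose sys udpsock' lines into (local port, pid, process name)."""
    socks = []
    for line in udpsock_output.splitlines():
        m = UDPSOCK_RE.search(line)
        if m:
            socks.append(UdpSocket(int(m["lport"]), int(m["pid"]), m["name"]))
    return socks


def port_owner(udpsock_output: str, port: int) -> Optional[UdpSocket]:
    """Return the first socket bound to the given local UDP port, if any."""
    for s in parse_udpsock(udpsock_output):
        if s.local_port == port:
            return s
    return None


def diagnose(debug_output: str, udpsock_output: str) -> list[str]:
    """One finding per bind failure: who holds the port and what to do about it."""
    findings = []
    for f in parse_bind_failures(debug_output):
        owner = port_owner(udpsock_output, f.port)
        if f.errno == EADDRINUSE and owner is not None and owner.process != "sslvpnd":
            findings.append(
                f"CONFLICT: sslvpnd (vdom {f.vdom}, vfid {f.vfid}) cannot bind UDP {f.port}; "
                f"held by {owner.process} pid {owner.pid}. Restart it in a maintenance "
                f"window: fnsysctl killall {owner.process}")
        else:
            findings.append(
                f"UNRESOLVED: UDP {f.port} bind failed with err={f.errno}:{f.message}; "
                f"owner={owner.process if owner else 'none listed'}")
    return findings


def verify_fixed(udpsock_output: str, port: int = 8900) -> bool:
    """True once the port is bound by sslvpnd (the expected state after step 5)."""
    owner = port_owner(udpsock_output, port)
    return owner is not None and owner.process == "sslvpnd"


if __name__ == "__main__":
    for finding in diagnose(SSLVPND_DEBUG, UDPSOCK_BEFORE):
        print(finding)
    print("fixed:", verify_fixed(UDPSOCK_AFTER))
```

Feed the script the captured debug output and the udpsock listing taken at the same time; a CONFLICT finding names the process to restart, and re-running verify_fixed on a fresh udpsock listing confirms that sslvpnd now owns the port before the FortiClient login is retried.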

 

Resolution:

After the port conflict is resolved and sslvpnd holds UDP port 8900, the SP metadata is generated and the SAML SSO login page loads in the internal browser in FortiClient.
