FortiGate
ssanga (Staff)
Article Id 358962
Description: This article describes how to resolve an issue observed in v7.4.3, v7.4.4, or v7.6.0, where the 'authd' process consumes high CPU and results in authentication issues.
Scope: FortiGate v7.4.3, v7.4.4, v7.6.0.
Solution

After upgrading to v7.4.3, v7.4.4, or v7.6.0, SSL VPN users utilizing Azure SAML authentication may encounter VPN connection issues due to the 'authd' daemon consuming high CPU.
This issue arises when 'idp-single-logout-url' is not configured under the SAML settings.

Sample SAML configuration (note that 'idp-single-logout-url' is absent):

config user saml
    edit "Azure_SSO"
        set entity-id "http://192.168.1.99:1003/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.1.99:1003/remote/saml/login/"
        set single-logout-url "https://192.168.1.99:1003/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/*****************************/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/*******************/saml2"
        set idp-cert "AZURE-IdP-Cert"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

The problem can be verified from the output of 'diagnose sys top', where 'authd' stays at close to 100% CPU:

diagnose sys top 3 40
Run Time: 13 days, 0 hours and 5 minutes
50U, 0N, 2S, 46I, 0WA, 0HI, 2SI, 0ST; 3962T, 1754F
authd 18336 R 99.9 0.4 0

Killing the 'authd' daemon (fnsysctl killall authd) temporarily reduces CPU utilization significantly. However, CPU usage spikes again when a user attempts to initiate a SAML VPN connection.

This issue has been resolved in the following versions:

  • 7.2.11 (scheduled to be released in February).
  • 7.4.5 (available in support portal).
  • 7.6.1 (available in support portal).

Note that these timelines for firmware release are estimates and may be subject to change.


Workaround:

Configure 'idp-single-logout-url' under the SAML configuration using the following commands, where <Logout URL> is the IdP's logout URL:

config user saml
    edit <name>
        set idp-single-logout-url "<Logout URL>"
    next
end

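Because the trigger is a configuration gap, it can be found before an upgrade by auditing the 'config user saml' section of a configuration backup. The following is an added example, not part of this article or FortiOS: it parses that section and lists the SAML entries that have no 'idp-single-logout-url' set. The sample configuration inside it is constructed; the "Okta_SSO" entry and the example.com URLs are hypothetical.

```python
# Constructed sample, not a real device configuration: "Azure_SSO" mirrors the
# article's entry (no idp-single-logout-url); "Okta_SSO" is hypothetical and has it.
SAMPLE_CONFIG = """\
config user saml
    edit "Azure_SSO"
        set entity-id "http://192.168.1.99:1003/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.1.99:1003/remote/saml/login/"
        set single-logout-url "https://192.168.1.99:1003/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
        set idp-cert "AZURE-IdP-Cert"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
    edit "Okta_SSO"
        set idp-single-sign-on-url "https://idp.example.com/sso/saml"
        set idp-single-logout-url "https://idp.example.com/slo/saml"
    next
end
"""

def parse_user_saml(config_text):
    """Return {entry_name: {setting: value}} for each entry under 'config user saml'."""
    entries, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user saml":
            in_section = True          # only this section is of interest
        elif not in_section:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            break                      # end of 'config user saml'
    return entries

def missing_idp_slo(config_text):
    """Entry names lacking idp-single-logout-url, the condition behind the authd CPU spike."""
    return sorted(name for name, settings in parse_user_saml(config_text).items()
                  if not settings.get("idp-single-logout-url"))

if __name__ == "__main__":
    print(missing_idp_slo(SAMPLE_CONFIG))  # entries to fix before upgrading
```

Run it against a full 'show full-configuration' or backup file by reading that file into the function instead of SAMPLE_CONFIG.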
Logs required by FortiGate TAC for investigation:

  1. Debugs:

diagnose debug application authd -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable

Reproduce the issue.

diagnose debug disable
diagnose sys top 2 100 <-- Press control+C to stop.

  2. TAC Report:

execute tac report

  3. Configuration file of the FortiGate.