dwickramasinghe1
Article Id 402457
Description This article describes how to troubleshoot the '400 Bad Request' error message with ZTNA SAML Authentication.
Scope FortiGate, FortiClient, ZTNA.
Solution

ZTNA is a secure access solution for remote or on-site users. ZTNA can be implemented with SAML authentication as described in the document below:
ZTNA application gateway with SAML authentication example

This article assumes that the initial configuration for ZTNA with SAML authentication has already been completed.

In some cases, the '400 Bad Request' error can show up when attempting to access the ZTNA resource:

[Screenshot: 400Forbidden.png]

When this error occurs, check whether the correct interface has been specified in the authentication rule:
FortiGate GUI --> Policy & Objects --> Authentication --> Authentication Rule --> Select the corresponding ZTNA authentication rule.

Incorrect interface:

[Screenshot: IncorrectInterface.png]

Correct interface:

[Screenshot: CorrectInterface.png]
The following debugs can be used to determine whether the authentication rule is being matched (run diagnose debug disable once the capture is complete):

diagnose wad debug enable category all
diagnose debug enable

When the rule cannot be resolved, the output contains lines like these:

[E][p:2311][s:103672][r:35] wad_cp_auth :11015 cannot resolve auth rule id:10
[I][p:2311][s:103672][r:35] __wad_http_build_replmsg_resp :812 Generating replacement message. 400 error repmsg_id 0
[I][p:2311][s:103672][r:35] wad_dump_fwd_http_resp :3036 hreq=0x7f576cd39048 Forward response from Internal:

If the rule matches correctly, the debug output should instead show the following:

[I][p:2311][s:104325][r:37] wad_auth_rule_match :1315 match auth rule succ: SAML
[I][p:2311][s:104325][r:37] wad_http_req_get_user :11380 process=2311 auth-rule=SAML user=/0/0 ip-based/auth-cookie/transact=0/1/0 tp_proxy_auth=1 auth_req=(nil) auth_line=0x7f576b09d4c8
[I][p:2311][s:104325][r:37] wad_http_req_get_user :11484 cookie_redir=1/1 user_found=0
[I][p:2311][s:104325][r:37] wad_hauth_saml_build_login_redir :1935 SAML redir cookie.

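The two debug excerpts above are easiest to read side by side when a script does the grouping. The following Python helper is an added example, not part of this article or of any Fortinet tool: it parses 'diagnose wad debug' output line by line, re-joins lines that a terminal capture wrapped, groups records by WAD session id, and reports per session whether an authentication rule was matched (wad_auth_rule_match) or could not be resolved (wad_cp_auth), together with whether the 400 replacement page or the SAML login redirect followed. The sample log embedded in SAMPLE_DEBUG is constructed from the lines quoted in this article; the session, request and pointer values in it are illustrative only.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of 'diagnose wad debug' output, modelled on the lines quoted
# in the article. Session 103672 fails to resolve its authentication rule and
# session 104325 matches the rule named SAML. The long wad_http_req_get_user
# line is deliberately wrapped, as terminal captures often are.
SAMPLE_DEBUG = """\
[E][p:2311][s:103672][r:35] wad_cp_auth :11015 cannot resolve auth rule id:10
[I][p:2311][s:103672][r:35] __wad_http_build_replmsg_resp :812 Generating replacement message. 400 error repmsg_id 0
[I][p:2311][s:103672][r:35] wad_dump_fwd_http_resp :3036 hreq=0x7f576cd39048 Forward response from Internal:
[I][p:2311][s:104325][r:37] wad_auth_rule_match :1315 match auth rule succ: SAML
[I][p:2311][s:104325][r:37] wad_http_req_get_user :11380 process=2311 auth-rule=SAML user=/0/0 ip-based/auth-cookie/tran
sact=0/1/0 tp_proxy_auth=1 auth_req=(nil) auth_line=0x7f576b09d4c8
[I][p:2311][s:104325][r:37] wad_http_req_get_user :11484 cookie_redir=1/1 user_found=0
[I][p:2311][s:104325][r:37] wad_hauth_saml_build_login_redir :1935 SAML redir cookie.
"""

# Record layout: [level][p:pid][s:session][r:request] function :sourceline message
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z])\]\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\[r:(?P<rid>\d+)\]\s+"
    r"(?P<func>\S+)\s+:(?P<srcline>\d+)\s+(?P<msg>.*)$"
)
NO_RULE_RE = re.compile(r"cannot resolve auth rule id:(?P<rule_id>\d+)")
RULE_OK_RE = re.compile(r"match auth rule succ:\s*(?P<rule>\S+)")


@dataclass
class WadLine:
    level: str
    pid: int
    sid: int
    rid: int
    func: str
    msg: str


def parse_wad_debug(text: str) -> List[WadLine]:
    """Parse WAD debug output into records, re-joining lines a terminal wrapped."""
    records: List[WadLine] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append(WadLine(m["level"], int(m["pid"]), int(m["sid"]),
                                   int(m["rid"]), m["func"], m["msg"]))
        elif records and raw.strip():
            # No record header: continuation of the previous record's message.
            records[-1].msg += raw.strip()
    return records


@dataclass
class AuthVerdict:
    sid: int
    matched: bool = False
    rule: Optional[str] = None       # rule name on success, rule id on failure
    replacement_400: bool = False    # FortiGate generated the 400 replacement page
    saml_redirect: bool = False      # FortiGate built the SAML login redirect


def classify_sessions(records: List[WadLine]) -> Dict[int, AuthVerdict]:
    """Per WAD session, decide whether an authentication rule was matched."""
    verdicts: Dict[int, AuthVerdict] = {}
    for rec in records:
        v = verdicts.setdefault(rec.sid, AuthVerdict(sid=rec.sid))
        if rec.func == "wad_cp_auth" and (m := NO_RULE_RE.search(rec.msg)):
            v.matched, v.rule = False, m["rule_id"]
        elif rec.func == "wad_auth_rule_match" and (m := RULE_OK_RE.search(rec.msg)):
            v.matched, v.rule = True, m["rule"]
        elif rec.func == "__wad_http_build_replmsg_resp" and "400" in rec.msg:
            v.replacement_400 = True
        elif rec.func == "wad_hauth_saml_build_login_redir":
            v.saml_redirect = True
    return verdicts


def explain(v: AuthVerdict) -> str:
    """One-line triage hint per session, pointing at the check the article describes."""
    if v.matched:
        tail = "SAML login redirect built" if v.saml_redirect else "no SAML redirect seen yet"
        return f"session {v.sid}: auth rule '{v.rule}' matched; {tail}"
    if v.rule is None:
        return f"session {v.sid}: no authentication-rule decision logged"
    tail = "400 replacement message returned" if v.replacement_400 else "no 400 seen"
    return (f"session {v.sid}: auth rule id {v.rule} could not be resolved; {tail}. "
            "Check the source interface on the ZTNA authentication rule.")


if __name__ == "__main__":
    for verdict in classify_sessions(parse_wad_debug(SAMPLE_DEBUG)).values():
        print(explain(verdict))
```

To use it on a real capture, replace SAMPLE_DEBUG with the text saved from the CLI session; the session id (the s: field) is the key to follow, because one browser request to the ZTNA gateway produces several WAD lines and the 'cannot resolve auth rule' message appears only in the session that received the 400.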
Once the correct interface has been specified, the '400 Bad Request' error should no longer appear and the browser will be redirected to the corresponding IDP login page:

[Screenshot: SAMLAUTH.png]
Related documents:
ZTNA application gateway with SAML authentication example
Technical Tip: ZTNA for Corporate hosts with SAML authentication and FortiAuthenticator as IDP