ZTNA is a secure access solution for remote or on-site users. ZTNA can be implemented with SAML authentication as described in the document below: ZTNA application gateway with SAML authentication example
This article assumes that the initial configuration for ZTNA with SAML authentication has already been completed.
In some cases, the '400 Bad Request' error can show up when attempting to access the ZTNA resource:
When this error occurs, verify that the correct interface has been specified in the Authentication Rule: the rule's source interface must be the interface on which the ZTNA access proxy (the access-proxy VIP) receives the client connections. If it is not, no authentication rule matches the request and the proxy answers with the 400 instead of starting the SAML login. FortiGate GUI --> Policy & Objects --> Authentication --> Authentication Rule --> Select the corresponding ZTNA authentication rule and check its source interface.
Incorrect Interface:
 Correct Interface:
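As an added example (it is not part of the original article and is not a Fortinet tool), the following Python script audits the text of a FortiGate `show full-configuration` output or config backup for exactly this mismatch: it finds every access-proxy VIP and reports whether some authentication rule's srcintf covers the VIP's extintf, and when none does it prints the `set srcintf` line to apply under the authentication rule. The VIP name ZTNA_Server, the rule name ZTNA-SAML and the interfaces port1/port3 in the embedded sample configuration are assumptions constructed for the demonstration.

```python
"""Audit a FortiOS configuration for the ZTNA/SAML '400 Bad Request' cause:
an authentication rule whose srcintf does not cover the interface on which
the access-proxy VIP receives client connections (its extintf).
Input is the text of `show full-configuration` or a saved config backup."""
import re
from typing import Dict, List, Optional

# Constructed sample, not taken from a real device: the ZTNA VIP listens on
# port3, but the authentication rule was created for port1 (the wrong interface).
SAMPLE_CONFIG = """\
config firewall vip
    edit "ZTNA_Server"
        set type access-proxy
        set extip 10.1.100.201
        set extintf "port3"
        set server-type https
        set extport 443
    next
end
config authentication rule
    edit "ZTNA-SAML"
        set srcintf "port1"
        set srcaddr "all"
        set active-auth-method "ZTNA-SAML"
        set web-auth-cookie enable
    next
end
"""

_CONFIG_RE = re.compile(r'^config (.+)$')
_EDIT_RE = re.compile(r'^edit "?([^"]+)"?$')
_SET_RE = re.compile(r'^set (\S+) (.+)$')


def parse_sections(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse top-level `config ... / edit ... / set ... / next / end` blocks into
    {section: {entry: {key: raw_value}}}.  Config blocks nested inside an entry
    (for example realservers) are skipped; only top-level settings matter here."""
    sections: Dict[str, Dict[str, Dict[str, str]]] = {}
    section: Optional[str] = None
    entry: Optional[str] = None
    depth = 0  # nesting depth of `config` blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CONFIG_RE.match(line)
        if m:
            depth += 1
            if depth == 1:
                section = m.group(1)
                sections.setdefault(section, {})
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                section = entry = None
            continue
        if depth != 1 or section is None:
            continue  # inside a nested block, or outside any section
        m = _EDIT_RE.match(line)
        if m:
            entry = m.group(1)
            sections[section][entry] = {}
            continue
        if line == "next":
            entry = None
            continue
        m = _SET_RE.match(line)
        if m and entry is not None:
            sections[section][entry][m.group(1)] = m.group(2)
    return sections


def interface_list(value: str) -> List[str]:
    """'"port1" "port2"' -> ['port1', 'port2']; an unquoted value -> [value]."""
    quoted = re.findall(r'"([^"]*)"', value)
    return quoted if quoted else value.split()


def rule_covers(rule: Dict[str, str], extintf: List[str]) -> bool:
    """True when the rule's srcintf is 'any' or shares an interface with extintf."""
    srcintf = interface_list(rule.get("srcintf", ""))
    return "any" in srcintf or bool(set(srcintf) & set(extintf))


def check_ztna_auth_interfaces(config_text: str) -> Dict[str, dict]:
    """For every access-proxy VIP, list the authentication rules whose srcintf
    covers the VIP's extintf.  A VIP with no matching rule is the condition
    behind wad's 'cannot resolve auth rule' and the 400 Bad Request."""
    cfg = parse_sections(config_text)
    rules = cfg.get("authentication rule", {})
    report: Dict[str, dict] = {}
    for vip_name, vip in cfg.get("firewall vip", {}).items():
        if vip.get("type") != "access-proxy":
            continue
        extintf = interface_list(vip.get("extintf", "")) or ["any"]
        matching = [name for name, rule in rules.items() if rule_covers(rule, extintf)]
        # Correction to apply under `config authentication rule` / `edit <rule>`.
        fix = None if matching else "set srcintf " + " ".join(f'"{i}"' for i in extintf)
        report[vip_name] = {"extintf": extintf, "matching_rules": matching, "fix": fix}
    return report


if __name__ == "__main__":
    for vip, result in check_ztna_auth_interfaces(SAMPLE_CONFIG).items():
        if result["fix"]:
            print(f'{vip}: no authentication rule covers {result["extintf"]}; apply: {result["fix"]}')
        else:
            print(f'{vip}: covered by authentication rule(s) {result["matching_rules"]}')
```

Run it against the sample and it reports that ZTNA_Server (listening on port3) has no covering authentication rule and that `set srcintf "port3"` is the correction; after changing the rule's srcintf to port3 the same check reports the rule as matching.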
The following debug commands, run from the FortiGate CLI while the error is reproduced in the browser, show whether the authentication rule is being matched (disable the debug output again with diagnose debug disable once the capture is done):
diagnose wad debug enable category all
diagnose debug enable
[E][p:2311][s:103672][r:35] wad_cp_auth :11015 cannot resolve auth rule id:10
[I][p:2311][s:103672][r:35] __wad_http_build_replmsg_resp :812 Generating replacement message. 400 error repmsg_id 0
[I][p:2311][s:103672][r:35] wad_dump_fwd_http_resp :3036 hreq=0x7f576cd39048 Forward response from Internal:
If the rule matches correctly, the debugs should show the following output instead:
[I][p:2311][s:104325][r:37] wad_auth_rule_match :1315 match auth rule succ: SAML
[I][p:2311][s:104325][r:37] wad_http_req_get_user :11380 process=2311 auth-rule=SAML user=/0/0 ip-based/auth-cookie/transact=0/1/0 tp_proxy_auth=1 auth_req=(nil) auth_line=0x7f576b09d4c8
[I][p:2311][s:104325][r:37] wad_http_req_get_user :11484 cookie_redir=1/1 user_found=0
[I][p:2311][s:104325][r:37] wad_hauth_saml_build_login_redir :1935 SAML redir cookie.
Once the correct interface is specified in the authentication rule, the '400 Bad Request' error no longer appears and the browser is redirected to the corresponding IdP login page:
Related documents:
- ZTNA application gateway with SAML authentication example
- Technical Tip: ZTNA for Corporate hosts with SAML authentication and FortiAuthenticator as IDP