| Description | This article describes the possible reasons why the error 'Bad Request' appears during an SSL VPN connection with SAML authentication, whether the Identity Provider (IdP) is Azure, DUO, or any other IdP. |
| Scope | FortiGate. |
| Solution |
When trying to connect to the SSL VPN with SAML authentication, the error 'Bad request' appears in FortiClient.
Or, when connecting with the option 'Use external browser as user agent for SAML login' enabled in FortiClient, the error appears as follows:
This issue can happen if SAML is not configured properly on the FortiGate. This can be verified by checking the debugs in a FortiGate CLI session.
```
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable    <- Starts the debugs.
```

```
diagnose debug reset
diagnose debug disable   <- Stops the debugs.
```
The debug output shows that the SAML flow does not redirect and stops immediately after it starts.
This issue often happens when the SAML user is not specified as a member of the user group under 'config user group'. First, make sure that 'config user saml' is properly configured, without any typos or spaces in the URLs.
```
config user saml
    edit "SAML"
        set cert "Fortinet_Factory"
        set entity-id "https://<IP-or-FQDN:443>/remote/saml/metadata/"
        set single-sign-on-url "https://<IP-or-FQDN:443>/remote/saml/login/"
        set single-logout-url "https://<IP-or-FQDN:443>/remote/saml/logout/"
        set idp-entity-id "<DUO-Entity-ID-URL>"
        set idp-single-sign-on-url "<DUO-Single-Sign-On-URL>"
        set idp-single-logout-url "<DUO-Single-Log-Out-URL>"
        set idp-cert "REMOTE_Cert_1"
        set user-name "Username"
        set group-name "Group"
        set digest-method sha1
    next
end
```
Next, 'config user group' must include this SAML user as a member, as shown below:
Or from the CLI:
```
config user group
    edit "SAML_grp"
        set member "SAML"
    next
end
```
Also, make sure this user group is referenced in the SSL VPN firewall policy.
This error can also occur if the IdP certificate is incorrect. Ensure that the correct certificate is uploaded and selected in the SSO connection settings.
Additionally, ensure that web mode is enabled globally and on the portal.
```
config system global
    set sslvpn-web-mode enable
end
```

```
config vpn ssl web portal
    edit "portal-name"
        set web-mode enable
    next
end
```
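As an added sanity check (example code written for this article, not Fortinet's), the script below parses a FortiOS configuration export and flags the causes listed above: whitespace inside 'config user saml' values, a SAML user that no 'config user group' references, and SSL VPN web mode not enabled globally. The sample configuration is constructed and reproduces all three problems.

```python
# Constructed FortiOS configuration export (not from any real device). It reproduces
# a stray space in the cert name, an unreferenced SAML user and web mode disabled.
SAMPLE_CONFIG = """
config user saml
    edit "SAML"
        set cert " Fortinet_Factory"
        set entity-id "https://vpn.example.com:443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:443/remote/saml/login/"
    next
end
config user group
    edit "VPN_grp"
        set member "local_user" "another_user"
    next
end
config system global
    set sslvpn-web-mode disable
end
"""

def parse_sections(text):
    """Map {section: {edit name (None outside an edit): {key: value}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[len("config "):], None
            sections.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections[section].setdefault(entry, {})[key] = value.strip('"')
        elif line in ("next", "end"):
            entry = None
    return sections

def check_saml(config_text):
    """Return findings matching the 'Bad Request' causes described on the page."""
    cfg, findings = parse_sections(config_text), []
    # Members across all groups; a multi-value line reads: set member "a" "b"
    members = {m.strip('"') for g in cfg.get("user group", {}).values()
               for m in g.get("member", "").split()}
    for name, attrs in cfg.get("user saml", {}).items():
        for key, value in attrs.items():
            if value != value.strip() or " " in value:  # typos/spaces in URLs or names
                findings.append(f"{name}: '{key}' contains whitespace ({value!r})")
        if name not in members:
            findings.append(f"{name}: not a member of any 'config user group'")
    if cfg.get("system global", {}).get(None, {}).get("sslvpn-web-mode") != "enable":
        findings.append("system global: sslvpn-web-mode is not enabled")
    return findings
```

Run it against the output of 'show full-configuration' saved to a file; an empty result means none of the three misconfigurations is present.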
Related articles:
- Technical Tip: Configuring SAML SSO login for FortiGate administrators with Okta acting as SAML IdP
- Technical Tip: IdP/Proxy Initiated SAML SSO Login is Not Supported for FortiGate Login
- Technical Tip: SSL VPN web mode showing '400 and 403 Forbidden' error
Copyright 2025 Fortinet, Inc. All Rights Reserved.