| Description | This article describes the possible reasons for SSL VPN connection with SAML authentication when the error 'Bad Request' appears with Azure or DUO or any other Identity provider (IDP). |
| Scope | FortiGate. |
| Solution |
When trying to connect to the SSL VPN with SAML authentication, the error 'Bad request' appears using FortiClient.
Or, when trying to connect with the option 'use external browser as user agent for saml login' checked in the FortiClient, it shows like this:
This issue can happen if the SAML is not configured properly the FortiGate. This can be verified by checking the debugs on a FortiGate CLI session.
diag debug application sslvpn -1 diag debug application samld -1 diag debug console timestamp enable diag debug enable <- Starts the debugs.
diag debug reset diag debug disable <- Stops the debugs.
The debugs show that the SAML is not redirecting and it stops immediately as it starts.
This issue often happens if the SAML is not specified as a member in the user group under 'config user group'. First, make sure the 'config user saml' is properly configured without any typos or spaces in the URLs.
config user saml edit "SAML" set cert " Fortinet_Factory" set entity-id "https://<IP-or-FQDN:443>/remote/saml/metadata/" set single-sign-on-url "https://<IP-or-FQDN:443>/remote/saml/login/" set single-logout-url "https://<IP-or-FQDN:443>/remote/saml/logout/" set idp-entity-id "<DUO-Entity-ID-URL >" set idp-single-sign-on-url "<DUO-Single-Sign-On-URL>" set idp-single-logout-url "<DUO-Single-Log-Out-URL>" set idp-cert "REMOTE_Cert_1" set user-name "Username" set group-name "Group" set digest-method sha1 next end
After, the 'config user group' should specify this SAML as shown below:
Or from the CLI:
config user group edit "SAML_grp" set member "SAML" next end
Also, make sure this user group is specified in the policy.
This error can also occur if the IdP certificate is incorrect. Ensure that the correct certificate is uploaded and selected in the SSO connection settings.
Related articles: |
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR (on-premise)
- FortiNAC-F
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPresence
- FortiPortal
- FortiProxy
- FortiRecon
- FortiSRA
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiTester
- FortiSwitch
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Troubleshooting Tip: 'Bad Request' when trying to ...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.