tpatel
Staff
Article Id 369275
Description This article describes how to resolve an issue where a user cannot connect to SSL VPN after accepting the MFA prompt when SAML authentication with MFA is configured on Azure Entra.
Scope FortiGate.
Solution

A SAML server is configured on the FortiGate.

The user gets the error 'Credentials or SSL VPN configuration is wrong (-7200)' in FortiClient after accepting the MFA prompt.

Run the SAML and SSL VPN debugs on the FortiGate:

diagnose debug application sslvpn
diagnose debug application fnbamd
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable

The SAML debug on the FortiGate shows a 'time expired' error:

[296:root:a881]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
[296:root:a881]fsv_rmt_saml_login_cb:105 SAML resp 10816.
[296:root:a881]fsv_rmt_saml_login_cb:116 magic id: magic=xxxxxxxxxx
[296:root:a881]fsv_rmt_saml_login_cb:143 idx 1 epoch: 2dc672c5d7e48b18
[296:root:a881]fsv_rmt_saml_login_cb:159 wrong vdom (0:0) or time expired.
[296:root:a881]saml login [296:43137] SAML_ERROR: Error occurred during remote login 'wrong vdom (0:0) or time expired'

For MFA authentication, verify the remote authentication timeout (remoteauthtimeout) under system global settings. The default remote authentication timeout is 5 seconds, which is shorter than the time a user typically needs to approve an MFA prompt, so the SAML response arrives after the FortiGate has already given up on the login. Increase the timeout to 60 seconds for MFA:

config system global
    set remoteauthtimeout 60
end
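As an added illustration (not part of the original article or of any Fortinet tooling), the following Python script scans samld debug output for the 'time expired' SAML_ERROR, grouped by VDOM and session id, and checks a 'show system global' excerpt for remoteauthtimeout, recommending the 60-second value whenever a failed SAML login coincides with the 5-second default. The sample debug lines, the second session, the hostname and the config excerpts are constructed for the example; the "YYYY-MM-DD HH:MM:SS " prefix that 'diagnose debug console timestamp enable' adds is an assumed format and is accepted as optional.

```python
import re

# Constructed sample of FortiGate samld debug output, modelled on the lines
# quoted in the article. The second session (297:root:b102) and its magic
# value are made up so that the grouping logic has a non-failing session too.
SAMPLE_DEBUG = """\
[296:root:a881]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
[296:root:a881]fsv_rmt_saml_login_cb:105 SAML resp 10816.
[296:root:a881]fsv_rmt_saml_login_cb:116 magic id: magic=xxxxxxxxxx
[296:root:a881]fsv_rmt_saml_login_cb:143 idx 1 epoch: 2dc672c5d7e48b18
[296:root:a881]fsv_rmt_saml_login_cb:159 wrong vdom (0:0) or time expired.
[296:root:a881]saml login [296:43137] SAML_ERROR: Error occurred during remote login 'wrong vdom (0:0) or time expired'
[297:root:b102]fsv_rmt_saml_login_cb:105 SAML resp 10790.
[297:root:b102]fsv_rmt_saml_login_cb:116 magic id: magic=yyyyyyyyyy
"""

# Constructed 'show system global' excerpts. FortiGate omits settings that are
# still at their default, so the first excerpt has no remoteauthtimeout line.
DEFAULT_CONFIG = """\
config system global
    set hostname FGT-EXAMPLE
end
"""
FIXED_CONFIG = """\
config system global
    set remoteauthtimeout 60
end
"""

DEFAULT_REMOTEAUTHTIMEOUT = 5   # seconds; the default quoted in the article
MFA_REMOTEAUTHTIMEOUT = 60      # seconds; the value the article recommends

# Debug lines look like "[pid:vdom:session]message". The optional leading
# timestamp format is an assumption about 'diagnose debug console timestamp'.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )?"
    r"\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<sess>[0-9a-fA-F]+)\](?P<msg>.*)$"
)
SAML_ERROR_RE = re.compile(r"SAML_ERROR: .*?'(?P<reason>[^']*)'")
TIMEOUT_RE = re.compile(r"^\s*set\s+remoteauthtimeout\s+(\d+)\s*$", re.MULTILINE)


def parse_debug(text):
    """Yield one dict per recognised debug line; unrelated lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def saml_errors_by_session(text):
    """Map (vdom, session) -> quoted SAML_ERROR reason for every failed login."""
    errors = {}
    for rec in parse_debug(text):
        m = SAML_ERROR_RE.search(rec["msg"])
        if m:
            errors[(rec["vdom"], rec["sess"])] = m.group("reason")
    return errors


def remoteauthtimeout_from_config(config_text):
    """Return the configured remoteauthtimeout, or the default if it is not shown."""
    m = TIMEOUT_RE.search(config_text)
    return int(m.group(1)) if m else DEFAULT_REMOTEAUTHTIMEOUT


def assess(debug_text, config_text):
    """Correlate 'time expired' SAML failures with the configured timeout."""
    timeout = remoteauthtimeout_from_config(config_text)
    expired = sorted(
        sess for sess, reason in saml_errors_by_session(debug_text).items()
        if "time expired" in reason
    )
    action = None
    if expired and timeout < MFA_REMOTEAUTHTIMEOUT:
        action = f"set remoteauthtimeout {MFA_REMOTEAUTHTIMEOUT}"
    return {"remoteauthtimeout": timeout, "expired_sessions": expired, "action": action}


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, assess(SAMPLE_DEBUG, cfg))
```

Paste the captured debug output and the output of 'show system global' into the two strings (or read them from files) and run the script; a 'time expired' session together with a timeout below 60 seconds yields the exact set command to apply, while the same debug against the corrected configuration yields no action, which points the investigation elsewhere (for example at the VDOM half of the error message).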