FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
HiralShah
Staff
Article Id 271190
Description

This article describes why it is not possible to log in to the SSL VPN with SAML SSO when the users are configured on the WatchGuard side.

Scope

FortiGate.
Solution

When the SSL VPN is configured for SAML with WatchGuard AuthPoint as the IdP, users may receive the following error:

 

Credentials or SSL VPN configuration is wrong (-7200)


Make sure the FortiGate configuration below matches the configuration on the WatchGuard side. Refer to this WatchGuard document for how to configure the AuthPoint side: Fortinet FortiGate SSL VPN Integration with AuthPoint.

config user saml
    edit "Test"
        set entity-id "https://<FortiGate external IP address>:10443/remote/saml/metadata/"
        set single-sign-on-url "https://<FortiGate external IP address>:10443/remote/saml/login/"
        set idp-entity-id "<entityID value from the AuthPoint metadata file>"
        set idp-single-sign-on-url "<SingleSignOnService value from the AuthPoint metadata file>"
        set idp-single-logout-url "<SingleLogoutService value from the AuthPoint metadata file>"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
    next
end

 

Match all of the URLs and the user-name field with the WatchGuard configuration. Keep in mind that all of the fields are case-sensitive.
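The comparison described above can be automated. The following is an added example, not Fortinet or WatchGuard code: it parses an IdP metadata XML file of the kind AuthPoint exports, pulls out the entityID, SingleSignOnService and SingleLogoutService values, and checks them character for character against the idp-* fields of a FortiGate CLI block, flagging case-only differences separately. The metadata, the CLI block and all hostnames in it are constructed placeholders; the sample config deliberately contains one case mismatch so the check has something to report.

```python
"""Cross-check a FortiGate 'config user saml' entry against an IdP metadata file.

Added example (not Fortinet or WatchGuard code). The sample metadata and
CLI block below are constructed; real files are read the same way.
"""
import re
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample metadata, shaped like an IdP export (all values are placeholders).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed FortiGate CLI block with one deliberate mismatch (upper-case "SSO").
SAMPLE_FGT_CONFIG = """config user saml
    edit "Test"
        set entity-id "https://203.0.113.10:10443/remote/saml/metadata/"
        set single-sign-on-url "https://203.0.113.10:10443/remote/saml/login/"
        set idp-entity-id "https://idp.example.test/saml/metadata"
        set idp-single-sign-on-url "https://idp.example.test/saml/SSO"
        set idp-single-logout-url "https://idp.example.test/saml/slo"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
    next
end
"""


def parse_idp_metadata(xml_text):
    """Return the three IdP values a FortiGate SAML entry must carry, keyed by CLI field name."""
    root = ET.fromstring(xml_text)
    sso = root.find(".//md:IDPSSODescriptor/md:SingleSignOnService", MD_NS)
    slo = root.find(".//md:IDPSSODescriptor/md:SingleLogoutService", MD_NS)
    return {
        "idp-entity-id": root.attrib.get("entityID"),
        "idp-single-sign-on-url": sso.attrib.get("Location") if sso is not None else None,
        "idp-single-logout-url": slo.attrib.get("Location") if slo is not None else None,
    }


# Matches 'set <key> <value>' with or without surrounding double quotes.
SET_LINE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*)"?\s*$')


def parse_fgt_saml_block(cli_text):
    """Collect the 'set' fields of a FortiGate CLI block into a dict (quotes stripped)."""
    fields = {}
    for line in cli_text.splitlines():
        m = SET_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def compare(idp_values, fgt_fields):
    """Return (field, idp_value, fortigate_value, reason) for every field that does not match exactly."""
    problems = []
    for key, expected in idp_values.items():
        actual = fgt_fields.get(key)
        if actual == expected:
            continue
        if actual is None:
            reason = "missing on FortiGate"
        elif actual.lower() == expected.lower():
            reason = "case mismatch (fields are case-sensitive)"
        else:
            reason = "value differs"
        problems.append((key, expected, actual, reason))
    return problems


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    fgt = parse_fgt_saml_block(SAMPLE_FGT_CONFIG)
    for key, expected, actual, reason in compare(idp, fgt):
        print(f"{key}: IdP={expected!r} FortiGate={actual!r} -> {reason}")
```

To use it on a real deployment, load the AuthPoint metadata file into parse_idp_metadata and paste the output of the FortiGate's "show user saml" into parse_fgt_saml_block; an empty result from compare means the idp-* fields agree exactly. Trailing slashes, http versus https and letter case all count as differences, which is the behaviour the FortiGate itself applies.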

 

To get more detail on what is causing this error, capture a SAML debug while attempting to connect.

 

The commands to do this are:

diagnose debug reset
diagnose debug application saml -1
diagnose debug enable

 

If the issue persists, contact the TAC team.