Description
This article describes common issues and their causes that users may encounter during the setup and validation of a new SAML configuration on the FortiGate, particularly for SSL VPN.
This article presumes that the reader is generally familiar with SAML configuration, including:
- How to set up SAML authentication for SSL VPN on the FortiGate.
- The terminology of components that need to be configured for SAML (entity-ids, login & logout URLs, certificates, etc.).
Scope
FortiGate v6.2 and later (SAML & SSL VPN).
Solution
See the table below for common symptoms for SSL VPN SAML issues, and their corresponding common causes.
Note that in general, it is recommended to validate SAML for SSL VPN using web mode first, then proceed with testing tunnel mode using FortiClient.
This article is intended to provide quick guidance for troubleshooters to identify potential problem areas. For configuration guidance, see the following links:
Related documents:
Configuring SAML SSO login for SSL VPN with Azure AD acting as SAML IdP
Troubleshooting Tip: SAML group mismatch issue in SSL VPN
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Okta acting as SAML IdP
Troubleshooting Tip: 'Bad Request' when trying to connect to SAML SSO Login
Troubleshooting Tip: How to troubleshoot SAML authentication
Technical tip: How to fix 'Signature validation failed. SAML Response rejected' error
Technical Tip: Fix SAML access denied error, failed to create SP
Technical Tip: SAML SSL VPN login page failing to load
Outcome: It is possible to connect to the SSL-VPN (web mode), but the option for SAML login ('Single Sign-On') is not visible.
Possible causes: The configured SAML user (config user saml) may not have been added to a corresponding user group on the FortiGate, or the SAML user group that was configured was not added to an appropriate firewall policy.

Outcome: It is possible to authenticate to the SAML IdP (e.g. Azure, Google, Okta), but after completing authentication an 'ERR_EMPTY_RESPONSE' message appears in the web browser instead of a redirect back to the SSL-VPN. In the FortiGate SAML debugs, the following message snippet may be observed: 'The identifier of a provider is unknown to #LassoServer.'
Possible causes:
Either:
Or:

Outcome: The SAML authentication process completes successfully, but the user is immediately logged out afterward.
Possible causes: This is likely a permission issue at the SAML level. Either:
Or:
Or:

Outcome: It is possible to authenticate to SAML successfully, but an 'Access Denied' page from the FortiGate appears afterward.
Possible causes: The SAML IdP is configured with the wrong SP login URL and redirects the user to the wrong page on the SP (see Related documents above for guidance on the correct URLs to configure).

Outcome: SAML has been configured for admin access, but after authenticating the error 'Single Sign-on Failed. Response validation failed. SAML response rejected' appears. The SAML debugs may also show: 'Failed to process response message. ret=440(The profile cannot verify a signature on the message)'.
Possible causes: The IdP certificate installed on the FortiGate differs from the one the IdP is currently using. Azure, for example, appears to set one certificate when the Enterprise Application is created and then change it when the settings are updated. Once the current IdP certificate is installed on the FortiGate, the issue should be resolved.

Outcome: SSL VPN authentication succeeds in web mode, but tunnel-mode SSL VPN connections fail. Additionally, the SAML debugs show the following output: [3413:root:eda][fam_auth_send_req_internal:432] Groups sent to FNBAM:
Possible causes: Likely a FortiClient issue. Upgrade FortiClient to the latest revision before re-testing, and make sure SSO is enabled in the FortiClient VPN settings.

Outcome: When using Azure as the SAML IdP with user group matching, most users authenticate successfully to the FortiGate, but some users fail, with the SAML debugs indicating that no group information was received in the SAML response.
Possible causes: Azure can send at most 150 groups in a SAML assertion, including nested groups. If a user's group memberships exceed this limit, Azure replaces the expected group attribute with a same-named attribute with '.link' appended (as per this document), which causes the group matching to fail. Update the Azure configuration to limit the list of groups returned to the FortiGate so that this limit is not exceeded. See 'Configure group claims for applications by using Microsoft Entra ID' for more information.

Outcome: In FortiClient, the SAML login button takes a long time to process: it greys out, a blank screen appears, and the timer resets again and again.
Possible causes: In this situation, try killing the sslvpnd process and then retry the SAML connection. See: Technical Tip: Find and restart/kill a process on a FortiGate by the process ID (PID) via pidof
Note: Killing the process will drop all ongoing SSL VPN connections; users will have to reconnect.

Outcome: VPN users are unable to connect using FortiClient VPN or web-mode authentication in the browser, and the FortiGate returns an empty response. The SAML debugs show the error message: [257:root:1c7]fsv_saml_enter:290 Failed to send SAML request.
Possible causes: In this situation, verify that the correct SP certificate is used in the IdP configuration, or disable the Service Provider certificate in the FortiGate SAML configuration.
Sample to disable the Service Provider certificate:
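As an added example (not part of the original article and not a Fortinet tool), the following Python helper scans FortiGate SAML debug output for the error strings listed in the table above and reports the likely cause the table gives for each. The debug lines in SAMPLE_DEBUG are constructed from the snippets in the table, not a real capture; treating an empty list after 'Groups sent to FNBAM:' as the tunnel-mode symptom is an assumption based on the snippet shown.

```python
import re
from typing import List, Tuple

# Signatures taken from the troubleshooting table above:
# (regex matched against one debug line, symptom, likely cause per the table)
SIGNATURES = [
    (r"ret=440\(The profile cannot verify a signature on the message\)",
     "Response validation failed / SAML response rejected",
     "IdP certificate installed on the FortiGate differs from the one the IdP "
     "currently uses; install the IdP's current certificate."),
    (r"fsv_saml_enter:\d+ Failed to send SAML request",
     "Empty response in browser / FortiClient cannot connect",
     "SP certificate used on the IdP does not match; correct it on the IdP or "
     "disable the Service Provider certificate in the FortiGate SAML config."),
    # Assumption: an empty group list after the colon is the symptom shown in the table.
    (r"Groups sent to FNBAM:\s*$",
     "Web mode works, tunnel mode fails (no groups sent to FNBAM)",
     "Likely a FortiClient issue; upgrade FortiClient and enable SSO in its "
     "VPN settings."),
    (r"The identifier of a provider is unknown to #LassoServer",
     "ERR_EMPTY_RESPONSE after IdP authentication",
     "The provider identifier in the response is unknown to the FortiGate's "
     "SAML (Lasso) server; the table's detailed causes are not given here."),
]


def triage(debug_output: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, symptom, likely_cause) for each debug line that
    matches a known signature. Lines with no known signature are skipped."""
    findings = []
    for lineno, line in enumerate(debug_output.splitlines(), start=1):
        for pattern, symptom, cause in SIGNATURES:
            if re.search(pattern, line):
                findings.append((lineno, symptom, cause))
    return findings


# Constructed sample debug output (not a real capture); line 3 carries a
# non-empty group list and must NOT be flagged.
SAMPLE_DEBUG = """\
[257:root:1c7]fsv_saml_enter:290 Failed to send SAML request.
[3413:root:eda][fam_auth_send_req_internal:432] Groups sent to FNBAM:
[3413:root:eda][fam_auth_send_req_internal:432] Groups sent to FNBAM: VPN-Users
Failed to process response message. ret=440(The profile cannot verify a signature on the message)
"""

if __name__ == "__main__":
    for lineno, symptom, cause in triage(SAMPLE_DEBUG):
        print(f"line {lineno}: {symptom}\n    -> {cause}")
```

Pipe the output of 'diagnose debug application samld -1' (or the saved debug log) into triage() to get a first-pass mapping before reading the full trace.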