This article describes some of the troubleshooting tips for SSL VPN with SAML authentication. Common errors and possible reasons.

SP template: SSL VPN.

config user saml
    edit "Your_SAML"

      set entity-id "https://<FortiGate IP/FQDN:port>/remote /saml/metadata/"

      set single-sign-on-url "https://<FortiGate IP/FQDN:port>/remote/saml/login/"

      set single-logout-url "https://<FortiGate IP/FQDN:port>/remote/saml/logout/"
      set idp-entity-id "This link will be provided from the IdP"
      set idp-single-sign-on-url "This link will be provided from the IdP"
      set idp-single-logout-url "This link will be provided from the IdP"

      set idp-cert "This certificate will be provided from the IdP side"

      set user-name "Username"

      set group-name "Groupname"

  end

Main debugs for SAML and SSL VPN troubleshooting.

These commands enable debugging for the SAML process: 

diagnose debug console timestamp enable

diagnose debug application samld -1

diagnose debug enable

To disable the debug:

diagnose debug application samld 0

diagnose debug disable

diagnose debug reset

These commands enable debugging for 'SSL VPN':

diagnose debug console timestamp enable

diagnose vpn ssl debug-filter src-addr4 <ipv4-address> <----- Filter by a specific source IP.
diagnose debug application sslvpn -1

diagnose debug application tvc -1 <----- if FortiGate acting as an SSL VPN client.

diagnose debug enable

To disable the debug:

diagnose debug disable

diagnose debug reset

diagnose vpn ssl debug-filter clear

If SAML is in use for Administrator UI login rather than VPN:

diagnose debug console timestamp enable

diagnose debug application samld -1

diagnose debug application httpsd -1

diagnose debug enable

Debugs for the httpsd process should be taken by an administrator logged in using a different method, such as SSH or console.

Note:

Application debugs for multiple processes can and should be taken together to provide a clear sequence of diagnostics for each process during a particular login attempt. Collecting them one by one may not allow an administrator to reconstruct a complete authentication attempt.

For example, to enable debugging for SSL VPN authentication using SAML, collect simultaneous diagnostics for both samld and sslvpn.

diagnose debug console timestamp enable

diagnose debug application samld -1

diagnose debug application sslvpn -1

diagnose debug enable

To list current SSL VPN connections:

execute vpn sslvpn list

To check metadata:

diagnose vpn ssl saml-metadata "Your_SAML" <----- For SSL VPN.
diagnose sys saml metadata            <----- For admin access.

Additionally, use browser plugins that will help in analyzing SAML communication.

Google Chrome.
SAML Chrome Panel: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace

SAML Message Decoder: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

Mozilla Firefox.
SAML-tracer: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

SAML Message Decoder: https://addons.mozilla.org/en-US/firefox/addon/saml-message-decoder-extension/

Case scenario 1: Not getting redirected to the SSO (IdP) when trying to get access to the SSL VPN.

Possible reasons and fixes:

1. When there is no firewall policy configured with a user group referencing a SAML server, FortiGate Firewall will not use SSO and it will not redirect to the IdP side.

Check SSL VPN firewall policies and make sure that the SAML group is pointed in the policy.

2. The Portal is configured for the specific realm.

Check the portal mapping.

The policy is configured, but still, redirection to the IdP is not happening.

Disable the policy and re-enable the policy.

4. SAML is configured on SP in the wrong section. There are two sections where SAML can be configured on the FortiGate.

config user saml <----- Is used for FortiGate SSL VPN access, which acts only as SP.

config system saml <----- Is used for FortiGate administrative access, and can act as SP or IdP.

For example, empty configuration for 'SSL VPN access' and configured 'Admin Access:

config user saml

end

config system saml

    set status enable

    set default-profile "admin_no_access"

    set cert "Your_Cert"

    set idp-entity-id "IDP link"

    set idp-single-sign-on-url "IDP link"

    set idp-single-logout-url "IDP link"

    set idp-cert "IDP cert"

    set server-address "Your_Admin_Access_IP/FQDN"

end

Case scenario 2: Typos: the main issue that will lead to multiple errors.

When SAML is configured, both the SP and IdP sides must have proper and identical data.

1. Make sure that proper links are in use and not missing any values.

Error: 403 'app_not_configured_for_the_user'

When there is a typo on SP or IdP for SP 'entity ID', the IdP side will indicate an error 403 'app_not_configured_for_the_user'.

For example: Comparing both sides, it is seen that the IdP side has an extra '/' while the SP side is missing it in the SP entity-ID field.

2. Error: 404 'The requested URL was not found on this server'.

Error 404 'The requested URL was not found on this server' normally indicates that the URL used on the SP side for IdP single sign-on is wrong or has typos or is missing values.

For example: Comparing both sides of SP and IdP (SSO URL), one can see that the SP side has a missing '?' in the idp-single-sign-on-url field.

3. Error: 'Invalid request, ACS URL in request <ACS link> doesn't match configured ACS Url <ACS link>'. If there is a typo in ACS URL links, diagnose debug application samld -1, will indicate an error 'Invalid request, ACS URL in request <ACS link> doesn't match configured ACS URL <ACS link>'.

Invalid request, ACS Url in request https://dragon-armor.grakov.lab:63443/remote/saml/login/ doesn't match configured ACS Url https://dragon-armor.grakov.lab:63443/remote/saml/login.</saml2p:StatusMessage></saml2p:Status></saml2p:Response>

__samld_sp_login_resp [843]: Failed to process response message. ret=450(Generic error when an IdP or an SP return the RequestDenied status code in its response.)

samld_send_common_reply [114]: Code: 1, id: 482, data_len: 117

samld_send_common_reply [122]:     Attr: 22, 8, ��

samld_send_common_reply [122]:     Attr: 23, 93, Generic error when an IdP or an SP return the RequestDenied status code in its response.

In the above case:
FortiGate SAML config has ACS URL https://dragon-armor.grakov.lab:63443/remote/saml/login/ 
while GOOGLE IdP has https://dragon-armor.grakov.lab:63443/remote/saml/login.

4. Error: 'The identifier of a provider is unknown to #LassoServer' When there is a typo in the IdP entity ID field, diagnose debug application samld -1, will indicate an error 'The identifier of a provider is unknown to #LassoServer'

For example:

__samld_sp_login_resp [843]: Failed to process response message. Ret=-201(The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().)

Samld_send_common_reply [114]: Code: 1, id: 490, data_len: 231

�������end_common_reply [122]:     Attr: 22, 8, 7�������

       ���samld_send_common_reply [122]:     Attr: 23, 207, The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().

Comparing both SP and IdP, it is visible that '?' is missing on SP-side in the IdP entity ID field.

5. Error: 'No user name info in SAML response or No group info in SAML response'. When there is a typo in the attribute mapping of 'config user saml', the 'diagnose debug application sslvpn -1' output will indicate that there is no attribute that can be mapped to the "user-name" in the username info in the SAML response or/and no group info in the SAML response

For example:

[22973:root:1ee]fsv_saml_login_response:509 No group info in SAML response.

[22973:root:1ee]fsv_saml_login_response:513 No user name info in SAML response. Please check saml configuration.

FortiOS SAML debug output will display any group names and user name attributes provided by IDP. These can be compared to FortiGate 'config user saml' configuration for a mismatch. Note that SAML attributes are case-sensitive. In the example below, the IDP side has lowercase attributes, but the FortiGate is misconfigured to expect a capitalized attribute.

The following error is also observed after the redirection when there is a difference in the 'group-name' configured. Under 'config user saml' settings, ensure that the 'group-name' value is as per the configuration in Azure.

Case scenario 3: Error: Failed to verify signature.

Example of debug output. 

__samld_sp_login_resp [832]:

SP Login Response Msg Body <Response Message>
__samld_sp_login_resp [843]: Failed to process response message. ret=-111(Failed to verify signature.)
samld_send_common_reply [114]: Code: 1, id: 465, data_len: 56

�������end_common_reply [122]:     Attr: 22, 8, ��������

       ���samld_send_common_reply [122]:     Attr: 23, 32, Failed to verify signature.

This error appears when the wrong remote certificate is referenced in the SAML configuration.

For example:

config user saml

    edit "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"

        set idp-cert "ADFS-IDP" <-- incorrect certificate, should be GOOGLE-IDP.

end

Case scenario 4: Error: wrong vdom or time expired.

diagnose debug application sslvpn -1 output, which will indicate that time is expired.

[284:root:c]req: /remote/saml/login/

[284:root:c]fsv_rmt_saml_login_cb:116 wrong vdom (0:0) or time expired.

[284:root:c]Destroy sconn 0x7f19590da800, connSize=0. (root)

For example, The default remoteauthtimeout value is 5 seconds, and it can be too short when two-factor authentication is in use, or the user has a long password that he needs to type, or two-factor authentication has delays with code delivery.

To fix the issue, increase the 'remoteauthtimeout' value to match the user's environment.

config system global

    set remoteauthtimeout 60

end

Case scenario 5: Error: Clock skew issue.

When there is a difference in system time on the SP and IdP side, 'diagnose debug application samld -1' will indicate errors 'Invalid assertion' and 'Clock skew issue'.

__samld_sp_login_resp [862]: Invalid assertion with 'https://dragon-armor-project.grakov.lab:63443/remote/saml/metadata/'.

__samld_sp_login_resp [866]: Clock skew issue.

for example: When an admin logs into FortiGate, the error 'FortiGate time is out of sync' may be seen.

To fix the issue, make sure that time is in sync on both the SP and IdP sides.

In some cases, users need to have control over how many seconds the difference can be between SP and IdP. On FortiOS v7.0.4+ clock tolerance option is added. This should be used as a workaround only.

config user saml

    edit "Your SAML"
        set clock-tolerance 15 <----- Clock skew tolerance in seconds (0 - 300, default = 15, 0 = no tolerance).

end

Case Scenario 6: Error: Failed to process response message. Signature element not found.

After upgrading FortiGate to v7.2.12, v7.4.9, v7.6.4 or later, a previously working SAML authentication may fail if the IDP does not sign SAML response messages, since SAML response message validation is enforced on these firmware versions.

IDP sig verify is required for response and assertions
__samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.)
samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49
samld_send_common_reply [101]:     Attr: 22, 12, e
samld_send_common_reply [101]:     Attr: 23, 37, Signature element not found.
samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.

See the KB article Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.6.4 and v7.2.12 for more information on the change.

Related documents:

• SAML SSO configuration from Web GUI - FortiGate administration guide
• Technical Tip: How to fix crashing SAML daemon (SAML daemon crashing when ECC or DSA certificates ar...
• Technical Tip: How to read SAML Debug output
• Technical Tip: A basic explanation of SAML authentication
• Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...
• SAML SSO configuration from Web GUI - FortiGate administration guide
• Technical Tip: Configuring SAML SSO login for FortiGate Admin Web GUI Access with JumpCloud acting a...
• Technical Tip: Configuring SAML SSO login for FortiGate administrators with Okta acting as SAML IdP
• SAML SSO with Security Fabric - FortiGate administration guide
• Technical Tip: Configuring SAML on FortiGate displays the error 'Cannot change this setting in SP wh...
• Technical Tip: Set up SAML admin LDAP login on Fortigate (SP) with FortiAuthenticator (IdP)
• Technical Tip: Configuring FortiGate SSO Administrators with ADFS as SAML IdP
• Technical Tip: Using single Azure Enterprise Application for multiple SAML Service Providers (SPs) f...
• Troubleshooting Tip: Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1
• Technical Tip: Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP
• Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...