Created on 07-15-2022 09:09 AM
Edited on 03-20-2025 05:11 AM
By Jean-Philippe_P
Description: This article describes troubleshooting tips for SSL VPN with SAML authentication, listing common errors and their possible reasons.
Scope: FortiGate, FortiOS v6.4+.
Solution:
SP template: SSL VPN.
config user saml
    edit "<SAML server name>"
        set entity-id "https://<FortiGate IP/FQDN:port>/remote/saml/metadata/"
        set single-sign-on-url "https://<FortiGate IP/FQDN:port>/remote/saml/login/"
        set single-logout-url "https://<FortiGate IP/FQDN:port>/remote/saml/logout/"
        set idp-cert "This certificate will be provided from the IdP side"
        set user-name "Username"
        set group-name "Groupname"
end
Main debugs for SAML and SSL VPN troubleshooting.
These commands enable debugging for 'SAML':
diagnose debug console timestamp enable
diagnose debug application samld -1    <-- A debug level of -1 gives the most detailed output.
diagnose debug enable
To disable the debug:
diagnose debug application samld 0
diagnose debug disable
diagnose debug reset
These commands enable debugging for 'SSL VPN':
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
To disable the debug:
diagnose debug application sslvpn 0
diagnose debug disable
diagnose debug reset
These commands enable debugging for the 'web UI', if SSL VPN web mode or admin UI login is used:
diagnose debug console timestamp enable
diagnose debug application httpsd -1
diagnose debug enable
Note: The application debugs can and should be combined, so that the output shows what each process does and what it hands over to the next one. Collecting them one by one makes the resulting logs harder to follow.
For example, when troubleshooting SSL VPN web mode, this set greatly helps in understanding how SAML is handled:
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug application httpsd -1
diagnose debug enable
To list current SSL VPN connections:
Browser extensions to inspect SAML messages:
Google Chrome:
https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace
https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm
Mozilla Firefox:
https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
https://addons.mozilla.org/en-US/firefox/addon/saml-message-decoder-extension/
Case scenario 1: Not getting redirected to the SSO (IdP) when trying to get access to the SSL VPN.
Possible reasons and fixes:
The policy is configured, but the redirection to the IdP still does not happen. Check that SAML is configured under the correct table:
config user saml      <----- Used for FortiGate 'SSL VPN access', where the FortiGate acts only as SP.
config system saml    <----- Used for FortiGate 'Admin access', where the FortiGate acts as SP or IdP.
For example, an empty configuration for 'SSL VPN access' with a configured 'Admin access':
config user saml
end
config system saml
    set status enable
    set default-profile "admin_no_access"
    set cert "Your_Cert"
    set idp-entity-id "IDP link"
    set idp-single-sign-on-url "IDP link"
    set idp-single-logout-url "IDP link"
    set idp-cert "IDP cert"
    set server-address "Your_Admin_Access_IP/FQDN"
end
Case scenario 2: Typos, the main issue that leads to multiple errors.
When SAML is configured, both the SP and IdP sides must have proper and identical data.
Error: 403 'app_not_configured_for_the_user'
When there is a typo in the SP 'entity ID' on either the SP or the IdP side, the IdP side will indicate error 403 'app_not_configured_for_the_user'.
Error 404 'The requested URL was not found on this server' normally indicates that the IdP single sign-on URL configured on the SP side is wrong, has typos, or is missing values.
__samld_sp_login_resp [843]: Failed to process response message. ret=450(Generic error when an IdP or an SP return the RequestDenied status code in its response.)
samld_send_common_reply [114]: Code: 1, id: 482, data_len: 117
samld_send_common_reply [122]: Attr: 22, 8, (8 non-printable bytes)
samld_send_common_reply [122]: Attr: 23, 93, Generic error when an IdP or an SP return the RequestDenied status code in its response.
In the above case the IdP answered with the RequestDenied status. The following output instead shows the SP not recognising the provider identifier contained in the response:
samld_send_common_reply [114]: Code: 1, id: 490, data_len: 231
samld_send_common_reply [122]: Attr: 22, 8, (8 non-printable bytes)
samld_send_common_reply [122]: Attr: 23, 207, The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
[22973:root:1ee]fsv_saml_login_response:509 No group info in SAML response.
[22973:root:1ee]fsv_saml_login_response:513 No user name info in SAML response. Please check saml configuration.
Looking at the SAML debug output, the group name and username attributes are provided by the IdP, but comparing the attribute mapping on the SP and IdP sides reveals a mismatch: attribute names are case-sensitive. The IdP side sends them entirely in lower case, while on the SP side the first letters are capitalized.
The same error is also observed after the redirection when the configured 'group-name' differs. Under the 'config user saml' settings, ensure that the 'group-name' value matches the configuration in Azure.
Case scenario 3: Error: Failed to verify signature. Example of debug output:
__samld_sp_login_resp [832]: SP Login Response Msg Body <Response Message>
samld_send_common_reply [122]: Attr: 22, 8, (8 non-printable bytes)
samld_send_common_reply [122]: Attr: 23, 32, Failed to verify signature.
The signature cannot be verified when 'idp-cert' does not point to the certificate of the IdP that signed the response:
edit "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"
    set idp-cert "ADFS-IDP"    <-- Wrong certificate selected; it should be GOOGLE-IDP.
end
Case scenario 4: Error: wrong vdom or time expired. The 'diagnose debug application sslvpn -1' output indicates that the time has expired:
[284:root:c]fsv_rmt_saml_login_cb:116 wrong vdom (0:0) or time expired.
[284:root:c]Destroy sconn 0x7f19590da800, connSize=0. (root)
Increase the remote authentication timeout (in seconds) under 'config system global':
config system global
    set remoteauthtimeout 60
end
Case scenario 5: Error: Clock skew issue.
When there is a difference in system time between the SP and the IdP side, 'diagnose debug application samld -1' will indicate the errors 'Invalid assertion' and 'Clock skew issue'.
__samld_sp_login_resp [866]: Clock skew issue.
To fix the issue, make sure that the time is in sync on both the SP and IdP sides; there should be no time difference between them. Timestamped debug output helps to spot this.
edit "Your SAML"
end
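As an added example that is not part of the original article, the following Python script compares a decoded SAML assertion (as captured with the browser extensions listed above) against the 'config user saml' values and reports the mismatches behind case scenario 2 (issuer and case-sensitive attribute names) and case scenario 5 (clock skew). The SP settings, the assertion and the SP clock are constructed sample values, not taken from any real deployment.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed SP settings mirroring the 'config user saml' keys used in this article.
SP_CONFIG = {
    "idp-entity-id": "https://idp.example.test/saml/metadata",  # placeholder IdP
    "user-name": "Username",   # capitalised, as in the SP template above
    "group-name": "Groupname",
}
# Constructed IdP assertion: attribute names are lower-case and the validity window
# starts a few minutes after the (constructed) SP clock below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2025-03-20T05:10:00Z" NotOnOrAfter="2025-03-20T05:15:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groupname"><saml:AttributeValue>sslvpn-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SP_NOW = "2025-03-20T05:02:00Z"  # SP system time, 8 minutes behind the IdP

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, sp_config, sp_now):
    """Return [(setting, detail), ...]; an empty list means config and assertion agree."""
    root = ET.fromstring(xml_text)
    findings = []
    # Case 2, 'provider is unknown to #LassoServer': Issuer must equal idp-entity-id exactly.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != sp_config["idp-entity-id"]:
        findings.append(("idp-entity-id", f"issuer {issuer!r} != {sp_config['idp-entity-id']!r}"))
    # Case 2, 'No group info' / 'No user name info': attribute names are case-sensitive.
    names = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
    for key in ("user-name", "group-name"):
        wanted = sp_config[key]
        if wanted not in names:
            near = [n for n in names if n.lower() == wanted.lower()]
            detail = f"{wanted!r} not among assertion attributes {names}"
            if near:
                detail += f"; IdP sends {near[0]!r} (case differs)"
            findings.append((key, detail))
    # Case 5, 'Clock skew issue': the SP clock must fall inside the Conditions window.
    cond = root.find("saml:Conditions", NS)
    now, nb, na = _ts(sp_now), _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (nb <= now < na):
        off = int(((nb - now) if now < nb else (now - na)).total_seconds())
        findings.append(("clock-skew", f"SP time {sp_now} is {off}s outside the assertion window"))
    return findings
```

Calling check_assertion(SAMPLE_ASSERTION, SP_CONFIG, SP_NOW) on the sample returns three findings (both attribute names with a case hint, and a 480 s clock skew); fixing the attribute names and the SP clock returns an empty list.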
Really helpful and great kb sir.
Thanks Alex, Much needed article!!