Description | This article describes troubleshooting tips for SSL VPN with SAML authentication: the main debug commands, common errors and their likely causes. |
Scope | FortiGate, FortiOS 6.4+. |
Solution |
SP template: SSL-VPN

config user saml
    edit "<SP name>"
        set entity-id "https://<FortiGate IP/FQDN:port>/remote/saml/metadata/"
        set single-sign-on-url "https://<FortiGate IP/FQDN:port>/remote/saml/login/"
        set single-logout-url "https://<FortiGate IP/FQDN:port>/remote/saml/logout/"
        set idp-cert "<certificate provided from the IdP side>"
        set user-name "Username"
        set group-name "Groupname"
    next
end
Main debugs for SAML and SSL VPN troubleshooting.

These commands enable debugging for 'SAML':

# diagnose debug application samld -1
# diagnose debug enable

To disable debug:

# diagnose debug application samld 0
# diagnose debug disable
# diagnose debug reset

These commands enable debugging for 'SSL VPN':

# diagnose debug application sslvpn -1
# diagnose debug enable

To disable debug:

# diagnose debug application sslvpn 0
# diagnose debug disable
# diagnose debug reset
To list current SSL VPN connections
Browser extensions for capturing and decoding SAML messages:

Google Chrome:
https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace
https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

Mozilla Firefox:
https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
https://addons.mozilla.org/en-US/firefox/addon/saml-message-decoder-extension/
Case scenario #1 - Not getting redirected to the SSO (IdP) when trying to access the SSL VPN.

Possible reasons and fixes:

1) No firewall policy references the SAML user group. Without such a policy the FortiGate does not use SSO and never redirects the user to the IdP.

2) The portal is mapped to a specific realm. When the authentication rule for the SAML user group is bound to a realm, the SSO redirect only happens on that realm's URL (https://<FortiGate IP/FQDN:port>/<realm>), not on the default portal URL.

3) The policy is configured, but the redirection to the IdP still does not happen. Check where SAML was configured: 'config user saml' is the SAML server definition used for 'SSL VPN access' (there the FortiGate can act only as SP), while 'config system saml' is used for administrator GUI access. In the example below 'config user saml' is empty and only 'Admin Access' is configured, so SSL VPN users are never redirected:

config user saml
end

config system saml
    set status enable
    set default-profile "admin_no_access"
    set cert "Your_Cert"
    set idp-entity-id "IDP link"
    set idp-single-sign-on-url "IDP link"
    set idp-single-logout-url "IDP link"
    set idp-cert "IDP cert"
    set server-address "Your_Admin_Access_IP/FQDN"
end
Case scenario #2 - Typos: the main issue, and one that leads to several different errors.

When SAML is configured, the SP and IdP sides must hold matching data, character for character.

1) Error: 403 'app_not_configured_for_the_user'

When there is a typo in the SP 'entity ID' on either the SP or the IdP side, the IdP reports error 403 'app_not_configured_for_the_user'.

2) Error: 404 'The requested URL was not found on this server'

Error 404 'The requested URL was not found on this server' normally indicates that the IdP single sign-on URL configured on the SP side is wrong: a typo or a missing value.
3) Error: 'Invalid request, ACS Url in request <ACS link> doesn't match configured ACS Url <ACS link>'

__samld_sp_login_resp [843]: Failed to process response message. ret=450(Generic error when an IdP or an SP return the RequestDenied status code in its response.)
samld_send_common_reply [114]: Code: 1, id: 482, data_len: 117
samld_send_common_reply [122]: Attr: 22, 8, (binary)
samld_send_common_reply [122]: Attr: 23, 93, Generic error when an IdP or an SP return the RequestDenied status code in its response.

In the above case the ACS (assertion consumer service) URL registered on the IdP differs from the SP 'single-sign-on-url' that the FortiGate sends in its request; the two must match exactly.

4) Error: 'The identifier of a provider is unknown to #LassoServer'

When there is a typo in the IdP entity ID field, # diagnose debug application samld -1 will show:

samld_send_common_reply [114]: Code: 1, id: 490, data_len: 231
samld_send_common_reply [122]: Attr: 22, 8, (binary)
samld_send_common_reply [122]: Attr: 23, 207, The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
5) Error: 'No user name info in SAML response' or 'No group info in SAML response'

[22973:root:1ee]fsv_saml_login_response:509 No group info in SAML response.
[22973:root:1ee]fsv_saml_login_response:513 No user name info in SAML response. Please check saml configuration.

The SAML debug output shows that the IdP does send the groupname and username attributes, but comparing the attribute mapping on the SP and IdP sides reveals a mismatch: attribute names are case sensitive, and the IdP sends them all in lower case while on the SP side ('user-name' and 'group-name' in 'config user saml') the first letters are capitalised. Make the names identical on both sides.
Case scenario #3 - Error: 'Failed to verify signature'

Example of debug output:

__samld_sp_login_resp [832]: SP Login Response Msg Body <Response Message>
samld_send_common_reply [122]: Attr: 22, 8, (binary)
samld_send_common_reply [122]: Attr: 23, 32, Failed to verify signature.

The FortiGate verifies the signature on the IdP response with the certificate set as 'idp-cert'. If that setting points to another IdP's certificate, verification fails. In the example the SP entry for a Google IdP points to the ADFS certificate:

config user saml
    edit "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"
        set idp-cert "ADFS-IDP"    <<<< wrongly pointed certificate, should be GOOGLE-IDP
    next
end
Case scenario #4 - Error: 'wrong vdom or time expired'

# diagnose debug application sslvpn -1 output will indicate that the time has expired:

[284:root:c]fsv_rmt_saml_login_cb:116 wrong vdom (0:0) or time expired.
[284:root:c]Destroy sconn 0x7f19590da800, connSize=0. (root)

The SAML response came back after the remote authentication timeout had already expired, so the SSL VPN connection was torn down. Increase the timeout (in seconds; the default is 5) so that the user has time to complete the login at the IdP:

config system global
    set remoteauthtimeout 60
end
Case scenario #5 - Error: 'Clock skew issue'

When there is a difference in time between the SP and IdP sides, # diagnose debug application samld -1 will indicate the errors 'Invalid assertion' and 'Clock skew issue':

__samld_sp_login_resp [866]: Clock skew issue.
To fix the issue, make sure that time is in sync on both SP and IdP sides.
edit "Your SAML" end |
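Added example (not from the article or from Fortinet): a Python script that performs offline the comparisons the typo, signature and clock-skew cases above describe, on a SAMLResponse captured with one of the browser extensions listed earlier. It goes beyond the individual cases: one pass checks Destination against 'single-sign-on-url' (case 2.3), Issuer against 'idp-entity-id' (case 2.4), the certificate carried in the signature against 'idp-cert' (case 3), Audience against 'entity-id' (case 2.1), the case-sensitive 'user-name'/'group-name' attribute names (case 2.5) and the assertion validity window with a clock tolerance (case 5). The SP dictionary, the vpn.example.com and idp.example.com names, the certificate bytes and the sample response are all constructed for the example; the script uses only the standard library and does not talk to a FortiGate.

```python
"""Offline checks of a captured SAMLResponse against FortiGate SP settings.
Added example, not Fortinet code: feed it the base64 SAMLResponse a browser SAML tracer
shows being POSTed to .../remote/saml/login/, plus the SP-side 'config user saml' values."""
import base64
import hashlib
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-in for the IdP signing certificate (not real DER); only its fingerprint is used.
IDP_CERT_B64 = base64.b64encode(b"constructed-idp-cert-not-a-real-certificate").decode()


def cert_fingerprint(b64_cert):
    """SHA-256 over the DER bytes of a base64 certificate body (whitespace tolerated)."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


# Hypothetical SP settings, laid out like the SP template at the top of the article.
SP = {"entity_id": "https://vpn.example.com:10443/remote/saml/metadata/",
      "single_sign_on_url": "https://vpn.example.com:10443/remote/saml/login/",
      "idp_entity_id": "https://idp.example.com/saml2/idp",
      "idp_cert_sha256": cert_fingerprint(IDP_CERT_B64),
      "user_name": "Username", "group_name": "Groupname"}


def decode_saml_message(b64):
    """POST binding is plain base64 XML; Redirect binding is raw DEFLATE, then base64."""
    raw = base64.b64decode(b64)
    return raw.decode() if raw.lstrip().startswith(b"<") else zlib.decompress(raw, -15).decode()


def parse_saml_time(s):
    """xsd:dateTime as IdPs emit it: UTC, trailing Z, optional fractional seconds."""
    return datetime.strptime(s.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(b64_response, sp, now, tolerance=timedelta(seconds=15)):
    """Return a list of (code, detail) findings; an empty list means the response fits sp."""
    findings = []
    root = ET.fromstring(decode_saml_message(b64_response))
    # Case 2.3: the IdP posts to the ACS URL stored on its side; it must equal single-sign-on-url.
    dest = root.get("Destination")
    if dest != sp["single_sign_on_url"]:
        findings.append(("acs_mismatch", f"Destination {dest!r} != {sp['single_sign_on_url']!r}"))
    # Case 2.4: Issuer must equal idp-entity-id, or samld's Lasso backend treats the IdP as unknown.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != sp["idp_entity_id"]:
        findings.append(("idp_entity_id_mismatch", f"Issuer {issuer!r} != {sp['idp_entity_id']!r}"))
    # Case 3: the certificate carried in the signature must be the one set as idp-cert.
    sig_cert = root.findtext(".//ds:X509Certificate", namespaces=NS) or ""
    if cert_fingerprint(sig_cert) != sp["idp_cert_sha256"]:
        findings.append(("idp_cert_mismatch", "signing certificate absent or different from idp-cert"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append(("no_assertion", "no plaintext Assertion (encrypted or missing)"))
        return findings
    # Case 2.1: Audience must be the SP entity-id.
    aud = assertion.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != sp["entity_id"]:
        findings.append(("sp_entity_id_mismatch", f"Audience {aud!r} != {sp['entity_id']!r}"))
    # Case 2.5: user-name / group-name are matched against Attribute Name, case-sensitively.
    sent = [a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)]
    for key in ("user_name", "group_name"):
        if sp[key] not in sent:
            near = [n for n in sent if n.lower() == sp[key].lower()]
            hint = f"; IdP sent {near[0]!r} (names are case sensitive)" if near else f"; IdP sent {sent}"
            findings.append((key + "_missing", f"no attribute named {sp[key]!r}" + hint))
    # Case 5: validity window, with the SP's clock tolerance applied at both ends.
    cond = assertion.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb and now + tolerance < parse_saml_time(nb):
        findings.append(("clock_skew", f"NotBefore {nb} is ahead of SP time {now.isoformat()}"))
    if noa and now - tolerance >= parse_saml_time(noa):
        findings.append(("clock_skew", f"NotOnOrAfter {noa} is behind SP time {now.isoformat()}"))
    return findings


def sample_response(issuer, destination, audience, user_attr, group_attr, nb, noa, cert_b64):
    """Constructed Response for demonstration only (no real signature value; not an IdP message)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
 ID="_r1" Version="2.0" IssueInstant="{nb}" Destination="{destination}"><saml:Issuer>{issuer}</saml:Issuer>
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{nb}"><saml:Issuer>{issuer}</saml:Issuer>
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>
   <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="{user_attr}"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="{group_attr}"><saml:AttributeValue>sslvpn-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    now = datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    # The IdP of case 2.5: lower-case attribute names while the SP expects capitalised ones.
    resp = sample_response(SP["idp_entity_id"], SP["single_sign_on_url"], SP["entity_id"], "username",
                           "groupname", "2023-06-01T11:59:30Z", "2023-06-01T12:05:00Z", IDP_CERT_B64)
    for code, detail in check_saml_response(resp, SP, now):
        print(code, detail)
```

To use it on a real capture, replace the SP values with those from 'config user saml', paste the SAMLResponse string from the tracer into check_saml_response() and pass the FortiGate's current time as now. The script only compares the certificate fingerprint to spot a wrongly assigned 'idp-cert'; it does not verify the XML signature cryptographically, which the FortiGate does.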
Really helpful and great kb sir.
Thanks Alex, much needed article!!
Copyright 2023 Fortinet, Inc. All Rights Reserved.