agrakov
Staff
Description

This article describes troubleshooting tips for SSL VPN with SAML authentication: the common errors and their possible reasons.

Scope

FortiGate, FortiOS 6.4+.
Solution

SP template: SSL-VPN

# config user saml
    edit "Your_SAML_NAME"
        set entity-id "https://<FortiGate IP/FQDN:port>/remote/saml/metadata/"
        set single-sign-on-url "https://<FortiGate IP/FQDN:port>/remote/saml/login/"
        set single-logout-url "https://<FortiGate IP/FQDN:port>/remote/saml/logout/"
        set idp-entity-id "This link will be provided from the IdP"
        set idp-single-sign-on-url "This link will be provided from the IdP"
        set idp-single-logout-url "This link will be provided from the IdP"
        set idp-cert "This certificate will be provided from the IdP side"
        set user-name "Username"
        set group-name "Groupname"
    next
end

 

Main debugs for SAML and SSL VPN troubleshooting.

These commands enable debugging for 'SAML' (debug level -1 gives the most detailed output):

# diagnose debug application samld -1
# diagnose debug enable

To disable debug:

# diagnose debug application samld 0
# diagnose debug disable
# diagnose debug reset

 

These commands enable debugging for 'SSL VPN' (debug level -1 gives the most detailed output):

# diagnose debug application sslvpn -1
# diagnose debug enable

To disable debug:

# diagnose debug application sslvpn 0
# diagnose debug disable
# diagnose debug reset

 

To list current SSL VPN connections:

# execute vpn sslvpn list

To check the SAML metadata:

# diagnose vpn ssl saml-metadata "Your_SAML"      >>> for SSL VPN
# diagnose sys saml metadata                       >>> for admin access


Additionally, browser plugins help in capturing and decoding the SAML messages exchanged between browser, SP and IdP:


Google Chrome.
SAML Chrome Panel:

https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace

SAML Message Decoder:

https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

Mozilla Firefox.
SAML-tracer:

https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

SAML Message Decoder:

https://addons.mozilla.org/en-US/firefox/addon/saml-message-decoder-extension/

 

Case scenario #1 - Not getting redirected to the SSO (IdP) when trying to access the SSL VPN.

 


 

Possible reasons and fixes:

 

1) When no firewall policy is configured for the SAML group, the FortiGate firewall will not use SSO and will not redirect to the IdP side.

Check the policy and make sure that the SAML group is referenced in the policy.

 

2) The portal is configured for a specific realm.

Check the portal mapping.

 

3) The policy is configured, but the redirection to the IdP still does not happen.

Disable the policy and re-enable it.

4) SAML is configured in the wrong place on the SP.

There are two places where SAML can be configured on the FortiGate firewall:

# config user saml    - used for FortiGate 'SSL VPN access'; FortiGate can act only as SP
# config system saml  - used for FortiGate 'Admin access'; FortiGate can act as SP or IdP

 

For example, an empty configuration for 'SSL VPN access' next to a configured 'Admin access' (the SAML settings ended up in the wrong table):

# config user saml
end

# config system saml
    set status enable
    set default-profile "admin_no_access"
    set cert "Your_Cert"
    set idp-entity-id "IDP link"
    set idp-single-sign-on-url "IDP link"
    set idp-single-logout-url "IDP link"
    set idp-cert "IDP cert"
    set server-address "Your_Admin_Access_IP/FQDN"
end

 

Case scenario #2 - Typos: the main issue, and one that leads to several different errors.

When SAML is configured, the SP and IdP sides must hold correct and identical data.

Make sure that the correct links are in use and that no value is missing.

1) Error: 403 'app_not_configured_for_the_user'

 


 

When there is a typo in the SP 'entity ID' on either the SP or the IdP side, the IdP will show error 403 'app_not_configured_for_the_user'.

For example: comparing both sides, the IdP side has an extra trailing '/' in the SP entity ID while the SP side is missing it in its entity-id field.

 


 

2) Error: 404 'The requested URL was not found on this server'

 


 

Error 404 'The requested URL was not found on this server' normally indicates that the URL configured on the SP side for the IdP single sign-on is wrong: it has a typo or a missing value.

For example: comparing the SSO URL on the SP and IdP sides, the SP side is missing a '?' in the idp-single-sign-on-url field.

 


 

3) Error: 'Invalid request, ACS Url in request <ACS link> doesn't match configured ACS Url <ACS link>'

If there is a typo in the ACS URL, the output of # diagnose debug application samld -1 will show the error 'Invalid request, ACS Url in request <ACS link> doesn't match configured ACS Url <ACS link>'. The URLs must match exactly; a single trailing '/' is enough to cause the mismatch.

Invalid request, ACS Url in request https://dragon-armor.grakov.lab:63443/remote/saml/login/ doesn't match configured ACS Url https://dragon-armor.grakov.lab:63443/remote/saml/login.</saml2p:StatusMessage></saml2p:Status></saml2p:Response>
__samld_sp_login_resp [843]: Failed to process response message. ret=450(Generic error when an IdP or an SP return the RequestDenied status code in its response.)
samld_send_common_reply [114]: Code: 1, id: 482, data_len: 117
samld_send_common_reply [122]:     Attr: 22, 8, <8 bytes of binary data>
samld_send_common_reply [122]:     Attr: 23, 93, Generic error when an IdP or an SP return the RequestDenied status code in its response.

In the above case, the FortiGate SAML config has the ACS URL https://dragon-armor.grakov.lab:63443/remote/saml/login/ while the Google IdP has https://dragon-armor.grakov.lab:63443/remote/saml/login (no trailing slash).


4) Error: 'The identifier of a provider is unknown to #LassoServer'

When there is a typo in the IdP entity ID field, the output of # diagnose debug application samld -1 will show the error 'The identifier of a provider is unknown to #LassoServer'.

For example:

__samld_sp_login_resp [843]: Failed to process response message. ret=-201(The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().)
samld_send_common_reply [114]: Code: 1, id: 490, data_len: 231
samld_send_common_reply [122]:     Attr: 22, 8, <8 bytes of binary data>
samld_send_common_reply [122]:     Attr: 23, 207, The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().

Comparing SP and IdP, a '?' is missing on the SP side in the IdP entity ID field.

 


 

5) Error: 'No user name info in SAML response' or 'No group info in SAML response'

When there is a typo in the attribute mapping, the output of # diagnose debug application sslvpn -1 will show that there is no user name info and/or no group info in the SAML response.

For example:

[22973:root:1ee]fsv_saml_login_response:509 No group info in SAML response.
[22973:root:1ee]fsv_saml_login_response:513 No user name info in SAML response. Please check saml configuration.

Looking at the SAML debug output, the groupname and username attributes are provided by the IdP, but comparing the attribute mapping on the SP and IdP sides shows a mismatch: attribute names are case sensitive. The IdP sends them all in lower case, while on the SP side the first letters are capitalised.

 


 

Case scenario #3 - Error: Failed to verify signature

Example of debug output:

__samld_sp_login_resp [832]:
SP Login Response Msg Body <Response Message>
__samld_sp_login_resp [843]: Failed to process response message. ret=-111(Failed to verify signature.)
samld_send_common_reply [114]: Code: 1, id: 465, data_len: 56
samld_send_common_reply [122]:     Attr: 22, 8, <8 bytes of binary data>
samld_send_common_reply [122]:     Attr: 23, 32, Failed to verify signature.

This error appears when the wrong certificate is referenced in the SAML configuration, so the IdP's signature on the response cannot be verified against it.

For example:

# config user saml
    edit "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"
        set idp-cert "ADFS-IDP"    <<<< wrongly pointed certificate, should be GOOGLE-IDP
    next
end

 

Case scenario #4 - Error: wrong vdom or time expired

The output of # diagnose debug application sslvpn -1 will indicate that the time has expired:

[284:root:c]req: /remote/saml/login/
[284:root:c]fsv_rmt_saml_login_cb:116 wrong vdom (0:0) or time expired.
[284:root:c]Destroy sconn 0x7f19590da800, connSize=0. (root)

For example, the default remoteauthtimeout value is 5 seconds, which can be too short when two-factor authentication is in use, when the user has a long password to type, or when delivery of the two-factor code is delayed.

To fix the issue, increase the 'remoteauthtimeout' value to match the users' environment:

# config system global
    set remoteauthtimeout 60
end

 

Case scenario #5 - Error: Clock skew issue

When there is a time difference between the SP and IdP sides, # diagnose debug application samld -1 will show the errors 'Invalid assertion' and 'Clock skew issue':

__samld_sp_login_resp [862]: Invalid assertion with 'https://dragon-armor-project.grakov.lab:63443/remote/saml/metadata/'.
__samld_sp_login_resp [866]: Clock skew issue.

For example: when the user logs into FortiGate, the error 'FortiGate time is out of sync' is seen.

 


 

To fix the issue, make sure that the time is in sync on both the SP and IdP sides.

In some cases, administrators need to control how many seconds of difference between SP and IdP are tolerated. FortiOS 7.0.4+ adds a clock tolerance option:

# config user saml
    edit "Your SAML"
        set clock-tolerance 15    (clock skew tolerance in seconds: 0 - 300, default = 15, 0 = no tolerance)
    next
end
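As an added example (not part of this article or of FortiOS), the following Python script performs offline, on a decoded SAML Response, the same checks that scenarios 2.3, 2.4, 2.5 and 5 above describe: exact ACS URL match, IdP entity ID match, case-sensitive attribute names, and assertion validity with a clock tolerance. The sample Response, the IdP entity ID and the timestamps are constructed; the SP hostname reuses the one from the article's debug output.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml(blob):
    """Base64-decode a SAMLResponse parameter; inflate it if it used the Redirect binding."""
    raw = base64.b64decode(blob)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)   # raw DEFLATE, as used by the HTTP-Redirect binding
    return ET.fromstring(raw)

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_response(root, sp, now_iso, tolerance=15):
    """Compare a parsed Response with the SP settings; an empty list means no mismatch."""
    findings = []
    dest = root.get("Destination")
    if dest != sp["acs_url"]:               # exact match: one trailing '/' is enough to fail
        findings.append(f"ACS mismatch: {dest} vs configured {sp['acs_url']}")
    issuer = root.findtext("a:Issuer", namespaces=NS)
    if issuer != sp["idp_entity_id"]:       # provider unknown to the SP
        findings.append(f"IdP entity ID mismatch: {issuer} vs {sp['idp_entity_id']}")
    attrs = {a.get("Name") for a in root.iterfind(".//a:Attribute", NS)}
    for key in ("user_name", "group_name"): # attribute names are case sensitive
        if sp[key] not in attrs:
            findings.append(f"attribute '{sp[key]}' not in response, got {sorted(attrs)}")
    cond = root.find(".//a:Conditions", NS)
    nb, noa, now = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter")), _ts(now_iso)
    skew = timedelta(seconds=tolerance)     # same idea as 'set clock-tolerance'
    if not (nb - skew <= now < noa + skew):
        findings.append(f"clock skew: SP time {now_iso} outside assertion validity +/-{tolerance}s")
    return findings

# Constructed sample Response (POST binding) and an SP config carrying the article's mistakes.
SAMPLE_XML = b"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://dragon-armor.grakov.lab:63443/remote/saml/login">
 <a:Issuer>https://idp.example.test/saml2/idp</a:Issuer><a:Assertion>
 <a:Conditions NotBefore="2022-07-15T14:00:00Z" NotOnOrAfter="2022-07-15T14:05:00Z"/>
 <a:AttributeStatement><a:Attribute Name="username"/><a:Attribute Name="group"/>
 </a:AttributeStatement></a:Assertion></p:Response>"""
SP = {"acs_url": "https://dragon-armor.grakov.lab:63443/remote/saml/login/",
      "idp_entity_id": "https://idp.example.test/saml2/idp",   # hypothetical IdP
      "user_name": "Username", "group_name": "Groupname"}

def demo(sp=SP, now_iso="2022-07-15T14:06:00Z", tolerance=15):
    return check_response(decode_saml(base64.b64encode(SAMPLE_XML)), sp, now_iso, tolerance)
```

Running demo() against the mismatched SP dictionary reports the trailing-slash ACS mismatch, the two capitalised attribute names and the expired assertion; fixing those values and checking within the tolerance window returns an empty list.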

 

Comments
Raghu_Kumar
Staff

Really helpful and great KB, sir.

akumar02
Staff

Thanks Alex, much needed article!!
