This article describes some of the troubleshooting tips for SSL VPN with SAML authentication. Common errors and possible reasons.

SP template: SSL VPN.

config user saml
    edit "Your_SAML"

      set entity-id "https://<FortiGate IP/FQDN:port>/remote /saml/metadata/"

      set single-sign-on-url "https://<FortiGate IP/FQDN:port>/remote/saml/login/"

      set single-logout-url "https://<FortiGate IP/FQDN:port>/remote/saml/logout/"
      set idp-entity-id "This link will be provided from the IdP"
      set idp-single-sign-on-url "This link will be provided from the IdP"
      set idp-single-logout-url "This link will be provided from the IdP"

      set idp-cert "This certificate will be provided from the IdP side"

      set user-name "Username"

      set group-name "Groupname"

  end

Main debugs for SAML and SSL VPN troubleshooting.

These commands enable debugging for 'SAML' 

diagnose debug console timestamp enable

diagnose debug application samld -1 <----- With a debug level of -1 for detailed results.

diagnose debug enable

To disable the debug:

diagnose debug application samld 0

diagnose debug disable

diagnose debug reset

These commands enable debugging for 'SSL VPN':

diagnose debug console timestamp enable
diagnose debug application sslvpn -1 <----- With a debug level of -1 for detailed results.

diagnose debug application tvc -1

diagnose debug enable

To disable the debug:

diagnose debug application sslvpn 0

diagnose debug disable

diagnose debug reset

These commands enable debugging for 'web UI', if SSL VPN web mode is used, or Admin UI login:

diagnose debug console timestamp enable
diagnose debug application httpsd -1 --> With a debug level of -1 for detailed results.

diagnose debug enable

Note:

The application debugs can and should be combined to create a reference of actions that each process is doing and handing over to another. creating them one by one can break the understanding of the created logs.

For example, to enable debugging for SSL VPN web mode, this set can greatly help in understanding how SAML is handled:

diagnose debug console timestamp enable

diagnose debug application samld -1

diagnose debug application httpsd -1
diagnose debug application sslvpn -1

diagnose debug enable

To list current SSL VPN connections:

execute vpn sslvpn list

To check metadata:

diagnose vpn ssl saml-metadata "Your_SAML" <----- For SSL VPN.
diagnose sys saml metadata            <----- For admin access.

Additionally, use browser plugins that will help in analyzing SAML communication.

Google Chrome.
SAML Chrome Panel: https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace

SAML Message Decoder: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

Mozilla Firefox.
SAML-tracer: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/

SAML Message Decoder: https://addons.mozilla.org/en-US/firefox/addon/saml-message-decoder-extension/

Case scenario 1: Not getting redirected to the SSO (IdP) when trying to get access to the SSL VPN.

Possible reasons and fixes:

1. When there is no policy configured for SAML, FortiGate Firewall will not use SSO and it will not redirect to the IdP side.

Check the policy and make sure that the SAML group is pointed in the policy.

2. The Portal is configured for the specific realm.

Check the portal mapping.

The policy is configured, but still, redirection to the IdP is not happening.

Disable the policy and re-enable the policy.

4. SAML is configured on SP in the wrong section. There are two sections where SAML can be configured on the FortiGate.

config user saml<----- Is used for FortiGate 'SSL VPN access', which acts only as SP.

config system saml<----- Is used for FortiGate 'Admin access,' which acts as SP or IdP.

For example, empty configuration for 'SSL VPN access' and configured 'Admin Access:

config user saml

end

config system saml

    set status enable

    set default-profile "admin_no_access"

    set cert "Your_Cert"

    set idp-entity-id "IDP link"

    set idp-single-sign-on-url "IDP link"

    set idp-single-logout-url "IDP link"

    set idp-cert "IDP cert"

    set server-address "Your_Admin_Access_IP/FQDN"

end

Case scenario 2: Typos: the main issue that will lead to multiple errors.

When SAML is configured, both the SP and IdP sides must have proper and identical data.

1. Make sure that proper links are in use and not missing any values.

Error: 403 'app_not_configured_for_the_user'

When there is a typo on SP or IdP for SP 'entity ID', the IdP side will indicate an error 403 'app_not_configured_for_the_user'.

For example: Comparing both sides, it is seen that the IdP side has an extra '/' while the SP side is missing it in the SP entity-ID field.

2. Error: 404 'The requested URL was not found on this server'.

Error 404 'The requested URL was not found on this server' normally indicates that the URL used on the SP side for IdP single sign-on is wrong or has typos or is missing values.

For example: Comparing both sides of SP and IdP (SSO URL), one can see that the SP side has a missing '?' in the idp-single-sign-on-url field.

3. Error: 'Invalid request, ACS URL in request <ACS link> doesn't match configured ACS Url <ACS link>'. If there is a typo in ACS URL links, diagnose debug application samld -1, will indicate an error 'Invalid request, ACS URL in request <ACS link> doesn't match configured ACS URL <ACS link>'.

Invalid request, ACS Url in request https://dragon-armor.grakov.lab:63443/remote/saml/login/ doesn't match configured ACS Url https://dragon-armor.grakov.lab:63443/remote/saml/login.</saml2p:StatusMessage></saml2p:Status></saml2p:Response>

__samld_sp_login_resp [843]: Failed to process response message. ret=450(Generic error when an IdP or an SP return the RequestDenied status code in its response.)

samld_send_common_reply [114]: Code: 1, id: 482, data_len: 117

samld_send_common_reply [122]:     Attr: 22, 8, ��

samld_send_common_reply [122]:     Attr: 23, 93, Generic error when an IdP or an SP return the RequestDenied status code in its response.

In the above case:
FortiGate SAML config has ACS URL https://dragon-armor.grakov.lab:63443/remote/saml/login/ 
while GOOGLE IdP has https://dragon-armor.grakov.lab:63443/remote/saml/login.

4. Error: 'The identifier of a provider is unknown to #LassoServer' When there is a typo in the IdP entity ID field, diagnose debug application samld -1, will indicate an error 'The identifier of a provider is unknown to #LassoServer'

For example:

__samld_sp_login_resp [843]: Failed to process response message. Ret=-201(The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().)

Samld_send_common_reply [114]: Code: 1, id: 490, data_len: 231

�������end_common_reply [122]:     Attr: 22, 8, 7�������

       ���samld_send_common_reply [122]:     Attr: 23, 207, The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().

Comparing both SP and IdP, it is visible that '?' is missing on SP-side in the IdP entity ID field.

5. Error: 'No user name info in SAML response or No group info in SAML response'. When there is a typo in the attribute mapping of 'config user saml', the 'diagnose debug application sslvpn -1' output will indicate that there is no attribute that can be mapped to the "user-name" in the username info in the SAML response or/and no group info in the SAML response

For example:

[22973:root:1ee]fsv_saml_login_response:509 No group info in SAML response.

[22973:root:1ee]fsv_saml_login_response:513 No user name info in SAML response. Please check saml configuration.

Looking at the SAML debug output, it is visible that group name and username attributes are provided by IDP, but comparing both sides, SP and IdP, In attribute mapping there is a mismatch, as attributes are case-sensitive. IdP side has all from the lower case, and on the SP side first letters are capitalized.

The following error is also observed after the redirection when there is a difference in the 'group-name' configured. Under 'config user saml' settings, ensure that the 'group-name' value is as per the configuration in Azure.

Case scenario 3: Error: Failed to verify signature.

Example of debug output. 

__samld_sp_login_resp [832]:

SP Login Response Msg Body <Response Message>
__samld_sp_login_resp [843]: Failed to process response message. ret=-111(Failed to verify signature.)
samld_send_common_reply [114]: Code: 1, id: 465, data_len: 56

�������end_common_reply [122]:     Attr: 22, 8, ��������

       ���samld_send_common_reply [122]:     Attr: 23, 32, Failed to verify signature.

This error appears when the wrong certificate is pointed in the SAML configuration.

For example:

config user saml

    edit "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"

        set idp-cert "ADFS-IDP" <-- Wrongly pointed certificate, should be GOOGLE-IDP.

end

Case scenario 4: Error: wrong vdom or time expired.

diagnose debug application sslvpn -1 output, which will indicate that time is expired.

[284:root:c]req: /remote/saml/login/

[284:root:c]fsv_rmt_saml_login_cb:116 wrong vdom (0:0) or time expired.

[284:root:c]Destroy sconn 0x7f19590da800, connSize=0. (root)

For example, The default remoteauthtimeout value is 5 seconds, and it can be too short when two-factor authentication is in use, or the user has a long password that he needs to type, or two-factor authentication has delays with code delivery.

To fix the issue, increase the 'remoteauthtimeout' value to match the user's environment.

config system global

    set remoteauthtimeout 60

end

Case scenario 5: Error: Clock skew issue.

When there is a difference in system time on the SP and IdP side diagnose debug application samld -1 will indicate errors 'Invalid assertion' and 'Clock skew issue'.

__samld_sp_login_resp [862]: Invalid assertion with 'https://dragon-armor-project.grakov.lab:63443/remote/saml/metadata/'.

__samld_sp_login_resp [866]: Clock skew issue.

for example: When an admin logs into FortiGate, the error 'FortiGate time is out of sync' may be seen.

To fix the issue, make sure that time is in sync on both the SP and IdP sides.

In some cases, users need to have control over how many seconds the difference can be between SP and IdP. On FortiOS v7.0.4+ clock tolerance option is added. This should be used as a workaround only.

The time difference should not exist. Timestamped debug can help to spot this.

config user saml

    edit "Your SAML"
        set clock-tolerance 15 <----- Clock skew tolerance in seconds (0 - 300, default = 15, 0 = no tolerance).

end