FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Vichu_94
Staff
Staff
Article Id 212889

Description

 

The article describes how to resolve the error message 'The identifier of a provider is unknown to #LassoServer' in the samld logs in the firewall.

 

Scope

 

FortiGate.

 

Solution

Troubleshooting:

 

To view the logs for SAML on the firewall, run the following commands:

 

diagnose debug application samld -1

diagnose debug enable

 

This will allow viewing of the SAML logs on the firewall. 

 

The following error in the SAML logs may be seen:


The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add
_provider_from_buffer()

This usually happens when the idp-entity-id as provided by the IdP is not the same as configured on the FortiGate under the SAML settings.

Ensuring that the two match will usually make this error go away.

 

In some instances, the following workaround can be attempted:

 

To fix the issue, add a '/' at the end of the URL for idp-entity-id of the SAML config.

 

Example:

Working config:


config user saml

edit <Name>           <- Replace Name with the SAML name in the config.

set idp-entity-id https://sts.windows.net/7....../

end 


Non-Working config:

 

config user saml

edit <Name>           <- Replace Name with the SAML name in the config.

set idp-entity-id https://sts.windows.net/7......

end 

 

In the working config, a  '/' at the end of the user for IDP entity id in the SAML user configuration was added.