Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Vichu_94
Staff
Staff

Created on ‎05-24-2022 06:42 AM Edited on ‎02-10-2025 03:37 AM By Community Manager

Article Id 212889

Troubleshooting Tip: Error 'The identifier of a provider is unknown to #LassoServer' for SAML login

Description

 

The article describes how to resolve the error message 'The identifier of a provider is unknown to #LassoServer' in the samld logs in the firewall.

 

Scope

 

FortiGate.

 

Solution

Troubleshooting:

 

To view the logs for SAML on the firewall, run the following commands, in case SSLVPN is used:

 

diag debug reset

diag debug console timestamp enable

diag vpn ssl debug-filter src-addr4 x.x.x.x <----- Public IP address of the particular end user who is trying to connect VPN.

diag debug application fnbamd -1

diag debug application sslvpn -1

diag debug application samld -1

diag debug enable

 

This will allow viewing of the SAML logs on the firewall.  The following error in the SAML logs may be seen in this part of the log samld_sp_login_resp:


__samld_sp_login_resp [830]: Failed to process response message. ret=-201(The identifier of a provider is u
nknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_ser
ver_add_provider() or lasso_server_add_provider_from_buffer().)
samld_send_common_reply [91]: Code: 1, id: 1103, pid: 283, len: 239, data_len 223
samld_send_common_reply [99]: Attr: 22, 12, 7
samld_send_common_reply [99]: Attr: 23, 211, The identifier of a provider is unknown to #LassoServer. T
o register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or las
so_server_add_provider_from_buffer().
samld_send_common_reply [119]: Sent resp: 239, pid=283, job_id=1103.
2025-01-03 11:18:55 [283:root:0]epoll saml recv resp error.

This usually happens when the idp-entity-id as provided by the IdP is not the same as configured on the FortiGate under the SAML settings. Ensuring that the two match will usually make this error go away.

 

In some instances, the following workaround can be attempted: to fix the issue, add a '/' at the end of the URL for idp-entity-id of the SAML config.

 

Example:

Working config:


config user saml

edit <Name>           <- Replace Name with the SAML name in the config.

set idp-entity-id https://sts.windows.net/7....../

end 


Non-Working config:

 

config user saml

edit <Name>           <- Replace Name with the SAML name in the config.

set idp-entity-id https://sts.windows.net/7......

end 

 

In the working config, a  '/' at the end of the user for IDP entity id in the SAML user configuration was added.

 

Note:

Tested with FortiGate v7.6.1 version and FortiClient v7.4.2.

 

Related document:

SAML IdP and SP configurations

4709
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.