FortiGate
Vichu_94 (Staff)
Article Id 212889

Description

This article describes how to resolve the error message 'The identifier of a provider is unknown to #LassoServer' seen in the samld logs on the firewall.

Scope

FortiGate.

Solution

Troubleshooting:

To view the SAML logs on the firewall when SSL VPN is used, run the following commands:

diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ssl debug-filter src-addr4 x.x.x.x   <----- Public IP address of the end user who is trying to connect to the VPN.
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug enable

This will allow viewing of the SAML logs on the firewall. The following error may be seen in the samld_sp_login_resp part of the log:

__samld_sp_login_resp [830]: Failed to process response message. ret=-201(The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().)
samld_send_common_reply [91]: Code: 1, id: 1103, pid: 283, len: 239, data_len 223
samld_send_common_reply [99]: Attr: 22, 12, 7
samld_send_common_reply [99]: Attr: 23, 211, The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
samld_send_common_reply [119]: Sent resp: 239, pid=283, job_id=1103.
2025-01-03 11:18:55 [283:root:0]epoll saml recv resp error.

This usually happens when the idp-entity-id provided by the IdP is not the same as the one configured on the FortiGate under the SAML settings. Ensuring that the two match will usually make this error go away.

In some instances, the following workaround can be attempted: add a '/' at the end of the idp-entity-id URL in the SAML config.

In other cases, HTTPS is used in the FortiGate's idp-entity-id configuration while HTTP is configured on the IdP. The same value must be used on both the FortiGate and the IdP.

Example 1:

Working config:

config user saml
    edit <Name>           <- Replace Name with the SAML name in the config.
        set idp-entity-id https://sts.windows.net/7....../
end

Non-Working config:

config user saml
    edit <Name>           <- Replace Name with the SAML name in the config.
        set idp-entity-id https://sts.windows.net/7......
end

In the working config, a '/' was added at the end of the IdP entity ID URL in the SAML user configuration.

Example 2:

Working config:

config user saml
    edit <Name>           <- Replace Name with the SAML name in the config.
        set idp-entity-id http://sts.windows.net/7......
end

Non-Working config:

config user saml
    edit <Name>           <- Replace Name with the SAML name in the config.
        set idp-entity-id https://sts.windows.net/7......
end

In the working config, HTTP is used in the URL to match the configuration on the IdP.
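Both causes shown in the examples (a missing trailing '/' and HTTP versus HTTPS) are plain string mismatches between the entityID the IdP publishes and the idp-entity-id set on the FortiGate. The following Python script is an added example, not part of this article or of FortiOS: it reads the entityID from an IdP metadata file, extracts idp-entity-id from a saved 'config user saml' block, compares the two exactly and names which of the two known mismatches applies before the SAML login is attempted. The metadata, tenant ID and config text are constructed samples, and the config parser is a simple regex assumption.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace

# Constructed sample IdP metadata (placeholder tenant ID): the entityID ends with '/'.
IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/EXAMPLE-TENANT-ID/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

# Constructed FortiGate 'config user saml' snippet where the trailing '/' is missing.
FGT_CONFIG = """config user saml
    edit "azure-sso"
        set idp-entity-id https://sts.windows.net/EXAMPLE-TENANT-ID
    next
end"""

def idp_entity_id_from_metadata(xml_text: str) -> str:
    """Return the entityID attribute of the metadata's root EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    return root.attrib["entityID"]

def idp_entity_id_from_config(cfg_text: str) -> str:
    """Extract 'set idp-entity-id <value>' from the block (regex is an assumption, quotes optional)."""
    m = re.search(r'^\s*set idp-entity-id\s+"?([^"\s]+)"?\s*$', cfg_text, re.M)
    if not m:
        raise ValueError("idp-entity-id not found in config block")
    return m.group(1)

def diagnose(idp_value: str, fgt_value: str) -> str:
    """Exact comparison first; on mismatch, report which of the article's two causes applies."""
    if idp_value == fgt_value:
        return "match"
    if idp_value.rstrip("/") == fgt_value.rstrip("/"):
        return "trailing-slash mismatch"
    if idp_value.split("://", 1)[-1] == fgt_value.split("://", 1)[-1]:
        return "scheme mismatch (http vs https)"
    return "different entity IDs"

def check(metadata_xml: str, cfg_text: str) -> str:
    """Compare the IdP metadata entityID with the FortiGate idp-entity-id."""
    return diagnose(idp_entity_id_from_metadata(metadata_xml), idp_entity_id_from_config(cfg_text))

if __name__ == "__main__":
    print(check(IDP_METADATA, FGT_CONFIG))  # → trailing-slash mismatch
```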

Note:

Tested with FortiGate v7.6.1 and FortiClient v7.4.2.


Related document:

SAML IdP and SP configurations