FortiGate
aahmadzada
Staff
Article Id 199448
Description This article describes how to troubleshoot SAML authentication.
Scope FortiGate.
Solution

A situation may occur in which SAML for SSL VPN or admin access to the GUI is configured correctly according to the Fortinet documentation, but authentication still fails.

The proper approach in such a case is to run the debug for samld (the process responsible for SAML authentication).

  1. Run these debugging commands while connected to FortiGate via SSH:

    diagnose debug reset
    diagnose debug console timestamp enable
    diagnose debug application samld -1
    diagnose debug enable

Note:
Before running the debug commands, make sure to capture the console output to a file.

Follow this article for instructions on how to capture the output in a text file with PuTTY:

Technical Tip: How to create a log file of a session using PuTTY

  2. Trigger SAML authentication.

  3. Open the console output file in a text editor.

  4. If the following string is found in the text file, there is something wrong with the IDP certificate:

    Failed to process response message. ret=440(The profile cannot verify a signature on the message)

A solution for such a case is to:
  1. Remove the IDP cert from the SAML config.
  2. Delete it from the list of the certificates.
  3. Download it again from the IDP and import it.
  4. Use that certificate in the SAML config.

If the issue was related to the certificate, authentication should now succeed after applying the above changes.
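A captured console session can run to many thousands of lines, so searching it for the ret=440 signature above by script is more reliable than by eye. The helper below is an added example, not part of the article or of any Fortinet tooling; it assumes the timestamp prefix written by the console timestamp setting has the form `YYYY-MM-DD HH:MM:SS`, and the sample lines are constructed apart from the ret=440 message quoted in the article.

```python
import re
from typing import Dict, List, Optional

# Matches the samld failure line quoted in the article. The leading timestamp
# (written when console timestamps are enabled) is optional and its format is
# an assumption; the text before "Failed ..." is matched loosely.
FAILURE_RE = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+)?"
    r".*?Failed to process response message\. ret=(?P<code>\d+)\((?P<msg>[^)]*)\)"
)

# Only ret=440 is documented in this article; any other code is reported as unknown.
HINTS = {
    440: "IDP certificate problem: remove the IDP cert from the SAML config, delete it "
         "from the certificate list, re-download it from the IDP, import it and "
         "select it in the SAML config again.",
}


def parse_samld_failures(console_log: str) -> List[Dict[str, Optional[object]]]:
    """Return one record per 'Failed to process response message' line."""
    findings = []
    for line in console_log.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        findings.append({
            "timestamp": m.group("ts"),
            "code": code,
            "message": m.group("msg"),
            "hint": HINTS.get(code, "unknown return code; inspect the full samld debug"),
        })
    return findings


def cert_issue_suspected(console_log: str) -> bool:
    """True when the ret=440 signature from the article appears in the capture."""
    return any(f["code"] == 440 for f in parse_samld_failures(console_log))


# Constructed sample of a captured PuTTY session (not real FortiGate output,
# apart from the ret=440 message quoted in the article).
SAMPLE_LOG = """\
2024-05-02 10:15:01 samld: SAML response received (constructed line)
2024-05-02 10:15:02 samld: Failed to process response message. ret=440(The profile cannot verify a signature on the message)
2024-05-02 10:15:02 samld: unrelated debug line (constructed line)
"""

if __name__ == "__main__":
    for finding in parse_samld_failures(SAMPLE_LOG):
        print(finding)
```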

Note: For MFA authentication, verify the remote authentication timeout value. The default remote authentication timeout value is 5 seconds. To increase the timeout value for MFA, use the following commands:

    config system global
        set remoteauthtimeout 60
    end

To collect the SAML logs from the user browser, use SAML extensions:

For Google Chrome:

For Firefox:
SAML-tracer Firefox

Note: Each FortiGate requires a unique Assertion Consumer Service (ACS) URL (e.g., https://<local-ip>:1003/remote/saml/login), which must match the registered URL in Azure AD. Since each FortiGate has a different IP, using a single SAML instance for multiple FortiGates would fail to meet this strict URL binding requirement, leading to authentication failures.