FortiGate
enguyen3467
Staff
Article Id 362802
Description

This article describes how to troubleshoot the error 'do_http_validate:440 method (POST) on uri ... not allowed', which appears when connecting to the SSL VPN tunnel with SAML authentication.

Scope

FortiGate, FortiClient.
Solution

When connecting to the SSL VPN tunnel with SAML, the following error can be encountered before the SAML login page is reached:

[Screenshot of the error message in the original article]


Enable the SAML and SSL VPN debugs on the FortiGate with the following commands (x.x.x.x is the endpoint's public IP; the filter limits the output to that one client):

diagnose debug reset
diagnose vpn ssl debug-filter src-addr4 x.x.x.x <--- x.x.x.x = endpoint's public IP.
diagnose debug application sslvpn -1
diagnose debug application saml -1
diagnose debug enable

Reproduce the connection attempt. The following debug message is seen (run 'diagnose debug disable' afterwards to stop the debug output):

 

[31038:root:62][fsv_found_saml_server_name_from_auth_lst:128] Found SAML server [FAC_SAML] in group [Test-group]
[31038:root:62]saml login [31038:98] SAML_INFO: Found server 'FAC_SAML' in group 'Test-group'
[31038:root:62]saml login 98 login request
[31038:root:62]saml login 98 metadata: /dev/cmdb/.hidden/sslvpn/tmp/0-FAC_SAML-sp-meta.xml
[31038:root:62]saml login 98 sp pkey:
[31038:root:62]saml login 98 idp metadata: /dev/cmdb/.hidden/sslvpn/tmp/0-FAC_SAML-idp-meta.xml
[31038:root:62]saml login 98 idp entity: http://10.9.10.235/saml-idp/fgtsp/metadata/
[31038:root:61]do_http_validate:440 method (POST) on uri (/test/remote/saml/login) not allowed. <------
[31038:root:61]sslConnGotoNextState:318 error (last state: 1, closeOp: 0)
[31038:root:61]Destroy sconn 0x7f8b6c01e000, connSize=2. (root)
[31038:root:61]SSL state:warning close notify (10.9.10.144)

 

This error is most likely caused by including the SSL VPN realm path (/test in the example below) in the SP URLs of the SAML configuration. By design, the realm is not part of the SAML exchange: the FortiGate accepts the SAML login POST on /remote/saml/login, so an IdP that was given the realm-prefixed URL posts the SAML response to /test/remote/saml/login, where the POST method is rejected. For example, here is the SAML configuration on the FortiGate:

 

config user saml
    edit "FAC_SAML"
        set entity-id "http://10.9.11.6:44343/test/remote/saml/metadata/" <--- "/test" is the realm path (shown in red in the original article).
        set single-sign-on-url "https://10.9.11.6:44343/test/remote/saml/login" <--- "/test" is the realm path.
        set single-logout-url "https://10.9.11.6:44343/test/remote/saml/logout" <--- "/test" is the realm path.
        set idp-entity-id "http://10.9.10.235/saml-idp/fgtsp/metadata/"
        set idp-single-sign-on-url "https://10.9.10.235/saml-idp/fgtsp/login/"
        set idp-single-logout-url "https://10.9.10.235/saml-idp/fgtsp/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

 

Be sure to remove the realm path segment (/test in the example above, shown in red in the original article) from the entity-id, single-sign-on-url and single-logout-url in the SAML configuration on both the SP (FortiGate) and IdP sides, so that both sides agree on the same SP URLs. The realm is only used to direct users to different SSL VPN portals; it has nothing to do with the SAML configuration.
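The corrected configuration, as an added example that is not part of the original article: the same SP definition with the realm path "/test" removed from the three SP URLs, followed by the place where the realm does belong. The host, port, IdP URLs, certificate and group names are carried over from the article; the user group, realm and authentication-rule stanzas are assumptions about how the "/test" realm and "Test-group" are mapped to a portal (the portal name "full-access" is a FortiGate default).

```fortios
# Added example, not the original article's configuration.
# SP side: SAML endpoints without the realm path.
config user saml
    edit "FAC_SAML"
        set entity-id "http://10.9.11.6:44343/remote/saml/metadata/"
        set single-sign-on-url "https://10.9.11.6:44343/remote/saml/login"
        set single-logout-url "https://10.9.11.6:44343/remote/saml/logout"
        set idp-entity-id "http://10.9.10.235/saml-idp/fgtsp/metadata/"
        set idp-single-sign-on-url "https://10.9.10.235/saml-idp/fgtsp/login/"
        set idp-single-logout-url "https://10.9.10.235/saml-idp/fgtsp/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

# Assumed group mapping: the SAML server is a member of the group the debug output shows.
config user group
    edit "Test-group"
        set member "FAC_SAML"
    next
end

# Assumed realm mapping: the realm selects the portal, not the SAML endpoints.
config vpn ssl web realm
    edit "test"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Test-group"
            set portal "full-access"
            set realm "test"
        next
    end
end
```

After applying this, update the SP entry on the IdP (entity ID, assertion consumer/login URL and logout URL) to the same realm-free values, then repeat the debug from the previous section: the 'do_http_validate:440 method (POST) on uri (/test/remote/saml/login) not allowed' line should no longer appear and the client should be redirected to the IdP login page. Users still reach the realm-specific portal through the realm URL (https://10.9.11.6:44343/test in this example); only the SAML endpoints are realm-independent.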