hbac, Staff
Article Id 241594
Description

This article explains a scenario where SAML authentication is configured correctly, but the user receives an error when connecting to the SSL VPN with SAML authentication. A workaround is included.

Scope

Any supported versions of FortiGate and FortiClient.
Solution

When the user connects to SSL VPN using SAML authentication, the error message 'login page did not respond within time limit' appears during the first attempt, followed by an 'ERR_EMPTY_RESPONSE' error. However, the user can connect on the second attempt without any errors.

[Screenshots: the 'login page did not respond within time limit' error on the first attempt, followed by the ERR_EMPTY_RESPONSE error]

There are various possible causes:

  1. The timeout error appears if the user does not enter the password within the specified period, or when authentication against the SAML identity provider takes longer than the remote authentication timeout configured on the FortiGate.

To prevent the issue, increase the remote authentication timeout with the following CLI commands:

config system global
    set remoteauthtimeout 60
end

  2. The IdP configuration has incorrect URLs set for the FortiGate SP, so SAML responses are misdirected. If a LassoServer message appears, double-check the entity-id and idp-entity-id to confirm that the IdP's settings are identical.

To verify the config on both sides, refer to the article below:

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...
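The comparison in cause 2 is easy to get wrong by eye, so here is an added Python example (not from this article or from Fortinet) that parses a constructed `show user saml` excerpt and a constructed IdP metadata excerpt, then reports every FortiGate/IdP value that is not identical, labelling a trailing-slash-only difference separately. The hostname, tenant ID and the IdP-side SP settings (Identifier and Reply URL) are assumptions.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample of `show user saml` output (hypothetical hostname and tenant ID).
FGT_CLI = '''config user saml
    edit "entra-sslvpn"
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:10443/remote/saml/login/"
        set idp-entity-id "https://sts.windows.net/tenant-id-placeholder/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/tenant-id-placeholder/saml2"
    next
end'''
# Constructed excerpt of the IdP's own federation metadata XML.
IDP_METADATA = '''<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/tenant-id-placeholder/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/tenant-id-placeholder/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>'''
# Constructed copy of the SP values entered on the IdP side; the identifier lacks the trailing slash the FortiGate entity-id carries.
IDP_SP_SETTINGS = {
    "identifier": "https://vpn.example.com:10443/remote/saml/metadata",
    "reply_url": "https://vpn.example.com:10443/remote/saml/login/",
}
MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
def parse_fgt_saml(cli_text):
    """Collect the `set <key> "<value>"` pairs of a `config user saml` entry."""
    return dict(re.findall(r'^\s*set ([\w-]+) "([^"]*)"', cli_text, re.M))

def parse_idp_metadata(xml_text):
    """Pull the IdP entityID and every SingleSignOnService location from its metadata."""
    root = ET.fromstring(xml_text)
    urls = {e.get("Location") for e in root.iter(MD_NS + "SingleSignOnService")}
    return {"entity_id": root.get("entityID"), "sso_urls": urls}

def explain(expected, actual):
    if expected == actual:
        return None  # exact match is the only acceptable outcome
    return "trailing-slash mismatch" if expected.rstrip("/") == actual.rstrip("/") else "different URL"

def check_saml_urls(fgt, idp_md, idp_sp):
    """Map each FortiGate SAML setting that is not identical on the IdP side to a reason."""
    findings = {}
    if (p := explain(idp_md["entity_id"], fgt["idp-entity-id"])):
        findings["idp-entity-id"] = p
    if fgt["idp-single-sign-on-url"] not in idp_md["sso_urls"]:
        findings["idp-single-sign-on-url"] = "not a SingleSignOnService location in IdP metadata"
    for fgt_key, idp_key in (("entity-id", "identifier"), ("single-sign-on-url", "reply_url")):
        if (p := explain(idp_sp[idp_key], fgt[fgt_key])):
            findings[fgt_key] = p
    return findings
```

An empty result means both sides agree; anything else names the FortiGate setting to fix or the IdP field to correct.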