seshuganesh
Staff
Article Id 270891
Description

This article describes how to troubleshoot the SAML 'no relate state' error.

Scope

All supported versions of FortiOS.
Solution

Consider an example of a requirement to configure SAML for SSL-VPN authentication.

The SP is FortiGate and the IDP is Azure. All basic configuration has been performed, but authentication still fails.

For basic debugging, the following commands have already been used:

diag debug application samld -1
diag debug enable

In the SAML debug, the 'no relate state' error appeared.

 

Understanding this error requires the context of 'relate states'. In SP-initiated SAML SSO, the SP sends a request to the IDP for every login attempt, and each request carries an ID. When the IDP responds, it is expected to echo that request ID back (the 'relate state'); in a SAML tracer capture this value should be visible in the response.

In response to this ID, the IDP should send a response header with attributes like the following, where InResponseTo carries the ID of the SP's request:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_e44ab73c-3e04-438f-b47d-297123e9760e"
    Version="2.0"
    IssueInstant="2023-08-04T13:51:34.316Z"
    Destination="https://10.5.23.224:10443/remote/saml/login"
    InResponseTo="_61DF7C1BFB33E1B946C602279CACC82B"

This InResponseTo value is only sent in response to an SP-initiated SSO, because the IDP is answering a specific request. In IDP-initiated SSO no request from the SP precedes the response, so the SAML response carries no such value and the SP has nothing to relate it to.

FortiGate does not support IDP initiated SSO at the time of this article being published.
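The following added example is not Fortinet's code; it models the SP-side correlation step described above in plain Python, so that the difference between an SP-initiated and an IDP-initiated response is visible in code. It parses the samlp:Response root, checks the Destination, and then requires an InResponseTo value that matches a request the SP actually issued. The SP ACS URL and request ID are taken from the article's header; both response documents are constructed here (the IDP-initiated one is the same header with InResponseTo omitted), and the status names are assumptions chosen to mirror the article's terminology.

```python
# Added example (not Fortinet's code): a minimal model of the SP-side check that a
# SAML Response must answer an outstanding request. A response with no
# InResponseTo (the IDP-initiated case) is rejected the way the article describes.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# SP assertion consumer URL, taken from the article's Destination attribute.
SP_ACS_URL = "https://10.5.23.224:10443/remote/saml/login"
# Request ID the SP generated when it redirected the user to the IDP (from the article).
OUTSTANDING_REQUEST_ID = "_61DF7C1BFB33E1B946C602279CACC82B"

# Constructed: an SP-initiated response using the header values shown in the article,
# with a minimal Status element so the XML is well-formed.
SP_INITIATED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_e44ab73c-3e04-438f-b47d-297123e9760e" Version="2.0"
    IssueInstant="2023-08-04T13:51:34.316Z"
    Destination="{SP_ACS_URL}"
    InResponseTo="{OUTSTANDING_REQUEST_ID}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""

# Constructed: what an IDP produces for IDP-initiated SSO, i.e. the same shape
# with no InResponseTo because no SP request preceded it.
IDP_INITIATED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_constructed-idp-initiated-0001" Version="2.0"
    IssueInstant="2023-08-04T13:52:00.000Z"
    Destination="{SP_ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""


def parse_response_header(xml_text):
    """Return the samlp:Response root attributes that the SP correlates on."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("root element is not samlp:Response")
    return {
        "id": root.get("ID"),
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
    }


def validate_response(xml_text, outstanding_requests, expected_destination):
    """Correlate a SAML Response with the SP's outstanding requests.

    Returns (status, request_id). Only the correlation step is modelled here;
    a real SP also verifies the signature, Issuer, Audience and time conditions.
    """
    hdr = parse_response_header(xml_text)
    if hdr["destination"] != expected_destination:
        return ("wrong_destination", None)
    req_id = hdr["in_response_to"]
    if req_id is None:
        # IDP-initiated SSO: nothing to relate the response to, so an SP that
        # only supports SP-initiated SSO cannot complete the login with it.
        return ("no_relate_state", None)
    if req_id not in outstanding_requests:
        # SP-initiated, but answering a request this SP never issued or that has
        # already expired; typically a stale browser session or a misconfigured IDP.
        return ("unknown_request", req_id)
    return ("ok", req_id)


if __name__ == "__main__":
    pending = {OUTSTANDING_REQUEST_ID}
    for name, xml in (("SP-initiated", SP_INITIATED_RESPONSE),
                      ("IDP-initiated", IDP_INITIATED_RESPONSE)):
        print(name, "->", validate_response(xml, pending, SP_ACS_URL))
```

Running the block prints ("ok", request ID) for the SP-initiated response and ("no_relate_state", None) for the IDP-initiated one. The same function also separates a third case that looks similar in a debug log: a response that does carry InResponseTo but names a request the SP never issued, which points at an IDP entity ID mismatch or an expired login attempt rather than at IDP-initiated SSO.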

 

In this case the only configuration difference was the IDP URL supplied by the IDP team: the value kept under the 'config user saml' settings must be the correct IDP entity ID URL. Obtain the IDP entity ID URL for SP-initiated SSO from the IDP team.

Configure that same URL in the 'config user saml' settings. Afterwards, the issue should be resolved.