Description

This article provides a workaround when it is not possible to log in on SSL VPN with SAML Microsoft Entra ID relying on an internal browser in FortiClient v7.4.x. The issue was observed when the FortiGate was upgraded to v7.0.17, v7.2.11, v7.4.8, v7.4.7, or v7.6.2. SSL VPN debug shows 'error, could not found corresponding saml session 101'. The issue was found when using FortiClient v7.4.x. The FortiClient was stuck on 48 %.

Scope

FortiGate v7.0.17, v7.2.11, v7.4.8, v7.4.7 and v7.6.2, FortiClient v7.4.x.

Solution

Run the SSL VPN debug on FortiGate:

diag debug reset
diag debug disable
diag vpn ssl debug-filter src-addr4 <PC Public IP> <----- Change <PC Public IP> to the PC Public IP.
diag debug console timestamp enable
diag debug app sslvpn -1
Debug messages will be on for 30 minutes.

diag debug enable

Sample Debug Output:

[3734:root:1a8]req: /remote/info
[3734:root:1a8]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[3734:root:1a8]capability flags: 0x3cdf
[3734:root:1a8]req: /remote/saml/login
[3734:root:1a8]Transfer-Encoding n/a
[3734:root:1a8]Content-Length 9453
[3734:root:1a8]readPostEnter:19 Post Data length 9453.
[3734:root:1a8]fsv_rmt_saml_login_cb:100 magic id: magic=1-f3c2fbe7dc77c783
[3734:root:1a8]fsv_rmt_saml_login_cb:127 idx 1 epoch: f3c2fbe7dc77c783
[3734:root:1a8]fsv_rmt_saml_login_cb:131 error, could not found corresponding saml session 101.
[3734:root:1a8]saml login [3734:424] SAML_ERROR: Error occurred during remote login 'could not found corresponding saml session (101)'

Workaround:

Starting from v7.0, using an external browser in FortiClient may yield better results. Enable 'Use the external browser as user-agent for saml user authentication' on FortiClient. The recommended external browser is Edge. Set Edge as the default browser and delete the browser cache before first use. 

Another workaround is to use FortiClient v7.2.x or v7.4.3+.