Description
This article describes how to troubleshoot a SAML login that fails with an invalid_response error.
Solution
1) The FortiManager/FortiAnalyzer GUI may return the following error after SAML user authentication:
invalid_response: Could not validate timestamp: not yet valid. Check system clock.
2) Verify the NTP status.
FMG01 # diagnose system ntp status
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===================================================================
^* 208.91.112.63                 2   10   377    412   -50us[ +61us] +/- 101ms
3) If no NTP server information is returned, verify connectivity to the NTP server and the DNS server.
FMG01 # diag system ntp status
No information for NTP server
4) Verify the system time.
FMG01 # execute time
current time is: 10:14:11
FMG01 # execute date
current date is: 05/16/2022
5) Manually modify the date / time if required.
FMG01 # execute time 11:14:11
FMG01 # execute date 05/17/2022
6) If the issue persists, gather a SAML trace and contact Fortinet TAC.
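The following added example (not Fortinet code, and not part of the original article) illustrates the kind of check behind the error in step 1: a SAML service provider compares the assertion's NotBefore / NotOnOrAfter window with its own clock, so a clock that runs behind the identity provider yields "not yet valid". The assertion snippet is constructed, the function names are hypothetical, and the device times from steps 4 and 5 are assumed to be UTC.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the Conditions element of an assertion, as it
# would appear in a captured SAML trace. Timestamps are made up.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2022-05-17T11:14:00Z"
                   NotOnOrAfter="2022-05-17T11:19:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime value such as 2022-05-17T11:14:00Z (UTC)."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_validity_window(assertion_xml, sp_now, allowed_skew=timedelta(0)):
    """Return (status, offset) for the service provider's clock `sp_now`.

    status is "not yet valid", "expired" or "valid"; offset is how far the
    clock lies outside the window (zero when valid).
    """
    # The input here is a trace you captured yourself; for untrusted XML
    # use a hardened parser such as defusedxml instead.
    root = ET.fromstring(assertion_xml)
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if sp_now + allowed_skew < not_before:
        return "not yet valid", not_before - sp_now
    if sp_now - allowed_skew >= not_on_or_after:
        return "expired", sp_now - not_on_or_after
    return "valid", timedelta(0)


if __name__ == "__main__":
    # Device clock from step 4 (wrong), then after the correction in step 5.
    for now in (datetime(2022, 5, 16, 10, 14, 11, tzinfo=timezone.utc),
                datetime(2022, 5, 17, 11, 14, 11, tzinfo=timezone.utc)):
        print(now.isoformat(), check_validity_window(SAMPLE_ASSERTION, now))
```

The offset returned for a "not yet valid" result shows how far the device clock is behind the identity provider, which helps when reading a SAML trace before contacting support.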
Related link:
Technical Tip: SAML SSO - FortiManager/FortiAnalyzer Troubleshooting Options
Copyright 2023 Fortinet, Inc. All Rights Reserved.