FortiSASE
sbabu
Staff
Article Id 383916
Description

This article describes how to troubleshoot the FortiSASE SAML error '400 Bad Request'.

Scope

FortiSASE.

Solution

When an administrator configures FortiSASE with the SAML SP settings and selects 'Start test' to verify that SAML authentication works, the test may fail with the following error:

[Image: SAML error.png]


Steps to Validate:

  1. Check the SAML settings in FortiSASE for a misconfigured Base URL, Entity ID, Assertion Consumer Service (ACS) URL, or Single Logout URL. Each value must match what is registered on the Identity Provider (IdP) exactly; a trailing slash or a different scheme is enough to make the IdP reject the request.
  2. Ensure that the certificate used for SAML authentication is correctly uploaded and that the same certificate is configured on both FortiSASE and the IdP.
  3. If the above settings are correct, check for clock skew. If there is a significant time difference between FortiSASE and the IdP, authentication can fail because the request's IssueInstant falls outside the IdP's accepted window. Sync the time settings on both sides.
  4. Clear cookies and cache, or try a different browser. At the same time, use a SAML debugging tool (for example, a browser SAML tracer extension) to capture and inspect the SAML request that FortiSASE sends to the IdP.
  5. If FortiAuthenticator is configured as the IdP, navigate to Certificate Management -> End Entities -> Local Services, select Default-Server-Certificate, and verify that this same certificate is the one referenced in the FortiSASE SAML configuration.
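The following script ties steps 1 to 4 together: it decodes the SAMLRequest parameter captured by a browser SAML tracer (HTTP-Redirect binding: base64 over raw deflate, with a fallback to the plain base64 of the HTTP-POST binding), compares the Issuer (Entity ID), AssertionConsumerServiceURL and Destination against the values the IdP expects, flags an IssueInstant more than a few minutes away from the IdP's clock, and computes a certificate fingerprint so the SP upload can be compared with the IdP's copy. This is an added example, not Fortinet code; every URL, request ID, timestamp and the EXPECTED dictionary are constructed placeholders, and the sample request deliberately carries a stale ACS URL and an old IssueInstant.

```python
"""Decode a captured SAML AuthnRequest and compare it with the IdP-side values.
Added example, not Fortinet code; all URLs, IDs and timestamps are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values the IdP is assumed to hold for this SP (constructed placeholders).
EXPECTED = {
    "entity_id": "https://sp.example.com/saml/metadata",  # SP Entity ID
    "acs_url": "https://sp.example.com/saml/acs",         # Assertion Consumer Service URL
    "idp_sso_url": "https://idp.example.com/saml/sso",    # IdP single sign-on URL
}

# Constructed AuthnRequest as a SAML tracer shows it after decoding. It carries
# a stale ACS URL and an IssueInstant several minutes before the IdP's clock.
SAMPLE_XML = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example0001" Version="2.0" IssueInstant="2025-01-01T12:00:00Z"
    Destination="https://idp.example.com/saml/sso"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs-old"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text):
    """Raw deflate + base64, the encoding the HTTP-Redirect binding uses."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect_request(saml_request):
    """Decode a SAMLRequest value; falls back to plain base64 (HTTP-POST binding)."""
    raw = base64.b64decode(saml_request)
    try:
        return zlib.decompress(raw, -15).decode()
    except zlib.error:
        return raw.decode()


def parse_instant(value):
    """Parse a SAML xs:dateTime such as 2025-01-01T12:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_authn_request(saml_request, expected, now_iso=None, max_skew=timedelta(minutes=5)):
    """Return a list of findings; an empty list means the request matches `expected`."""
    root = ET.fromstring(decode_redirect_request(saml_request))
    findings = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected["entity_id"]:
        findings.append(f"Entity ID mismatch: request={issuer!r} expected={expected['entity_id']!r}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs != expected["acs_url"]:
        findings.append(f"ACS URL mismatch: request={acs!r} expected={expected['acs_url']!r}")
    dest = root.get("Destination")
    if dest != expected["idp_sso_url"]:
        findings.append(f"Destination mismatch: request={dest!r} expected={expected['idp_sso_url']!r}")
    # now_iso stands in for the IdP's clock; defaults to this host's UTC time.
    now = parse_instant(now_iso) if now_iso else datetime.now(timezone.utc)
    skew = abs(now - parse_instant(root.get("IssueInstant")))
    if skew > max_skew:
        findings.append(f"Clock skew: IssueInstant is {skew} from IdP time (limit {max_skew})")
    return findings


def cert_fingerprint(b64_der):
    """SHA-256 fingerprint of a certificate given as its base64 DER body (the text
    between PEM BEGIN/END lines or inside <ds:X509Certificate>). Compare the value
    for the certificate uploaded to the SP with the one in the IdP's metadata."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def run_sample():
    """Check the constructed request as if the IdP clock read 12:09:00Z."""
    return check_authn_request(encode_redirect_request(SAMPLE_XML), EXPECTED,
                               "2025-01-01T12:09:00Z")


if __name__ == "__main__":
    for finding in run_sample() or ["no mismatch found"]:
        print(finding)
```

Paste the SAMLRequest value from the tracer into `check_authn_request` together with the Entity ID, ACS URL and SSO URL as registered on the IdP; any finding points at the setting from the list above to correct. The skew check uses the IdP's clock only when you pass it, so capture the IdP's `Date` response header or its own log timestamp if the two sides are suspected to differ.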

Note:

The Start Test option under Configuration > VPN User SSO is available only in FortiSASE instances with SSL VPN enabled for remote user connections. The 'Test SSO Configuration' feature is hidden for accounts with IPsec enabled.