FortiSASE
jmc01
Staff
Article Id 427293
Description: This article describes the reason for the firewall authentication failure and session timeout when using FortiSASE SWG.
Scope: FortiSASE.
Solution

When using a CSP_REPORT policy with a security profile configured with no SSL inspection, the following error might occur:

 

[Screenshot: error message]

 

The SAML cookies authentication method relies on several factors, including:

  • Cookie.
  • Referer/Origin header.
  • HTML refresh.

 

Since these elements are not included in the Content Security Policy (CSP) report, FortiSASE has introduced a new firewall policy above the SAML policy to allow SAML authentication.

 

For the policy to function correctly, a security profile with Deep Packet Inspection (DPI) or certificate inspection is required.

 

Note: Due to a known issue reported under ID 1146409, a certificate inspection profile is required for the CSP_REPORT proxy policy instead of deep inspection when using Remote Browser Isolation (RBI).

 

To assign a security profile with deep packet inspection, follow the steps below:

 

  1. Create or modify a security profile on FortiSASE -> Security -> Security profiles -> select it in the Profile group dropdown.

profile csp.png

  2. Enable Deep inspection in the SSL inspection setting:

 CSP_REPORT profile.png

  3. Assign the security profile to the CSP_REPORT proxy policy on FortiSASE -> Security -> Proxy Policies -> CSP_REPORT -> Edit -> select the desired profile.

     

 

CSP_REPORT.png

 


 

Note: When using a security profile with Deep inspection disabled, this policy shows a red warning, as illustrated below:

  warning.png