ihaidar (Staff)
Article Id 294049
Description This article describes some techniques for troubleshooting SAML issues while connecting to the SSL VPN in FortiSASE.
Scope FortiSASE, SSL VPN.
Solution

The following solution applies to SSL VPN only. However, starting in FortiSASE 24.4.b.1, IPsec VPN remote user support is enabled by default on new instances. More information can be found here.

Technique 1: When a SAML issue occurs, utilize FortiSASE's built-in SSO test to determine where errors occur.

  1. Navigate to Configuration -> VPN User SSO and select the Start Test button.

  2. Review the Test Results. Green checks indicate that the step in the SSO process was successful.

Note that even if the test results show a step as successful, misconfigurations could still lead to undesired behavior. Carefully observing the Request and Response details may reveal the root cause in these cases.

[Image: SAML test results]

Technique 2: Troubleshoot SAML from an endpoint's web browser.

Note that the instructions below only apply to customers with FortiSASE instances that DO NOT have dedicated IP addresses. The portal URL will not display in a web browser for customers with dedicated IP addresses.

Note also that the instructions below require a browser extension that records the SAML flow to be installed in the browser used for testing on the test endpoint. The extension used in this article is a Chrome extension called 'SAML-tracer'.

  1. Navigate to Configuration -> VPN User SSO, copy the Portal (Sign On) URL, and paste it into a web browser.

[Image: URL Sign On]

  2. Once the portal login page displays, select 'Single Sign-On' to trigger a SAML SSO login flow from the endpoint.

[Image: SSO Login - Web SSL VPN]

  3. The configured IdP login page will open as shown below (in this example, FortiAuthenticator is used as the IdP). With the SAML-tracer browser extension enabled, go through the authentication process.

[Image: SAML-tracer run]

  4. The SAML-tracer browser extension records the SAML authentication flow. Carefully observing the Request and Response details may reveal the root cause of SAML issues.

[Image: SAML-tracer example output]
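Both techniques end at the same step: reading the Request and Response details, whether from the built-in SSO test or from the SAML-tracer capture. As an added example that is not part of this article and not a Fortinet tool, the Python script below takes a SAMLResponse as the browser posts it (base64-encoded; SAML-tracer shows the same XML decoded), and compares the fields a SAML service provider validates against the values configured on the SP side: Destination and Recipient against the ACS URL, Audience against the SP entity ID, Issuer against the IdP entity ID, plus the StatusCode, the NotBefore/NotOnOrAfter validity window and the presence of a NameID. The sample response, the URLs, the entity IDs, the user and the attribute names are constructed placeholders; a real trace would be pasted in their place. The script reads fields only and does not verify the XML signature, which remains the job of the SP.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholders standing in for the SP-side values of the real deployment (assumed, not from the article).
SP_ACS = "https://sase.example.invalid/remote/saml/login"
SP_ENTITY_ID = "https://sase.example.invalid/remote/saml/metadata/"
IDP_ENTITY_ID = "https://idp.example.invalid/saml/metadata"

# Constructed, unsigned sample of the XML that SAML-tracer would display after decoding the POST.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req1"
  Destination="{SP_ACS}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS}" InResponseTo="_req1"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The browser posts this base64-encoded in the SAMLResponse form field; this mimics that field.
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    # SAML timestamps are UTC with a trailing 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decode_saml_response(b64_response):
    """Base64-decode the SAMLResponse form field copied from the trace."""
    return base64.b64decode(b64_response)


def inspect_response(xml_bytes, expected_acs, expected_audience, expected_issuer,
                     now=None, skew_minutes=2):
    """Compare the response against the SP-side settings; return fields plus a list of mismatches.
    `now` may be a datetime or an ISO timestamp string taken from the trace. No signature check."""
    root = ET.fromstring(xml_bytes)
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    skew = timedelta(minutes=skew_minutes)
    findings = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_value = status.get("Value") if status is not None else None
    if status_value != SUCCESS:
        # A second-level StatusCode and StatusMessage usually carry the IdP's reason.
        sub = root.find("samlp:Status/samlp:StatusCode/samlp:StatusCode", NS)
        msg = root.findtext("samlp:Status/samlp:StatusMessage", default="", namespaces=NS)
        detail = sub.get("Value") if sub is not None else "no detail"
        findings.append(f"StatusCode {status_value} ({detail}) {msg}".strip())

    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')!r} != ACS URL {expected_acs!r}")

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} != IdP entity ID {expected_issuer!r}")

    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("Assertion is encrypted; the trace cannot show its contents")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion in the response")
        return {"ok": False, "findings": findings, "name_id": None, "attributes": {}}

    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != expected_audience:
        findings.append(f"Audience {audience!r} != SP entity ID {expected_audience!r}")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_acs:
        findings.append(f"Recipient {recipient!r} != ACS URL {expected_acs!r}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            findings.append(f"NotBefore {nb} is still in the future (clock skew between IdP and SP?)")
        if noa and now - skew >= _ts(noa):
            findings.append(f"NotOnOrAfter {noa} has passed (stale response or clock skew?)")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        findings.append("NameID missing: the SP cannot identify the user")

    # Attributes are what group/user matching on the SP side is based on.
    attributes = {attr.get("Name"): [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
                  for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return {"ok": not findings, "findings": findings, "name_id": name_id, "attributes": attributes}


if __name__ == "__main__":
    result = inspect_response(decode_saml_response(SAMPLE_B64), SP_ACS, SP_ENTITY_ID,
                              IDP_ENTITY_ID, now="2024-01-01T12:00:30Z")
    print(result)
```

Run it with the SAMLResponse value copied from the trace and the expected values taken from the SP configuration; each finding names the field that disagrees, which narrows a green-but-failing test from "SSO failed" to a specific mismatch (wrong ACS URL, wrong entity ID, IdP clock drift, missing NameID or attribute).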

Related documents:

SAML with Entra ID 

Testing SSO configuration from FortiSASE with Entra ID