
FortiAuthenticator 4.1 and SAML



We are very interested in using the SAML portal.

We want to couple it with our Microsoft ADFS infrastructure.


Is there more documentation, or are there debug logs?

On our ADFS, Forms-based authentication was disabled, which resulted in the following error in the Event Viewer:


Exception details: Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.

The FortiAuthenticator defines in the SAML request which auth method it wants:

<samlp:RequestedAuthnContext Comparison="exact">
  <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>


If you do not have Forms-based authentication active on your ADFS, you get an error.

We would like to use Windows Integrated Authentication on ADFS so users don't have to enter credentials and it is seamless to them.

Is it possible to remove the RequestedAuthnContext?


I now get a webpage to enter my credentials. Authentication succeeds but I get an error on the FortiAuthenticator.

SAML Login portal

  • invalid_response

Not authenticated

Where can I get more debug/log information about this error?

Is there more information available about the 'List of IDP groups' on the SAML configuration page? Which attributes does the FortiAuth expect from the IDP? Is it possible to do the group membership queries by the FortiAuth via LDAP based on the username attribute returned from the IDP?

regards
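Added example (not part of the original thread and not Fortinet or Microsoft code): a Python check that reads the RequestedAuthnContext from a captured AuthnRequest and reports whether an IdP with a given set of enabled authentication classes can satisfy it under Comparison="exact", which is the mismatch behind the MSIS7102 error above. The sample request, the enabled-class sets, the HTTP-Redirect encoding of the capture, and the use of urn:federation:authentication:windows as the class for Windows Integrated Authentication are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
WIA = "urn:federation:authentication:windows"  # assumption: class the IdP uses for WIA

# Constructed sample request; only the RequestedAuthnContext mirrors the thread.
SAMPLE = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1"
    Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def decode_redirect_request(param: str) -> str:
    """Undo HTTP-Redirect binding encoding: base64, then raw DEFLATE."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")

def requested_context(authn_request_xml: str):
    """Return (comparison, [class refs]); (None, []) if nothing is requested."""
    # Only parse requests you captured yourself; ElementTree is not hardened
    # against hostile XML.
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip()
            for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    # SAML core: Comparison defaults to "exact" when the attribute is absent.
    return rac.get("Comparison", "exact"), refs

def idp_can_satisfy(authn_request_xml: str, idp_enabled: set):
    """True/False for 'exact'; True if unrestricted; None for other comparisons."""
    comparison, refs = requested_context(authn_request_xml)
    if comparison is None:
        return True   # the SP left the method up to the IdP
    if comparison != "exact":
        return None   # minimum/maximum/better depend on the IdP's own ordering
    return any(ref in idp_enabled for ref in refs)

if __name__ == "__main__":
    print("WIA only:   ", idp_can_satisfy(SAMPLE, {WIA}))       # forms auth off
    print("WIA + forms:", idp_can_satisfy(SAMPLE, {WIA, PPT}))  # forms auth on
```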

    You are seeing what we also saw during our testing of ADFS. There are many different versions and patch levels of ADFS and a bewildering array of schemas, so obtaining a valid assertion is tricky.


    To debug we will require more details about your setup, e.g. OS version, ADFS version, and if possible a copy of the SAML request/response. Please open a Support ticket and we will look into this.


    >Is it possible to remove the RequestedAuthnContext?

    Will replicate and discuss with developers.


    Dr. Carl Windsor Field Chief Technology Officer Fortinet


    Ok will do thx!

    I will reference this post.
