Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nplljw
New Contributor II

Created on ‎12-05-2024 11:40 PM

When Fortigate integrates with FortiAuthenticator for Sam, FortiClient reports an error SAML Request

The detailed information is: You are not allowed to access this resource because the SAML request from your service provider (https://192.168.199.60:10443) has expired. Please try to access your service provider page again.

334
0 Kudos
1 Solution
pminarik
Staff
Staff

Created on ‎12-06-2024 01:08 AM Edited on ‎12-06-2024 01:11 AM

This can be intentionally reproduced if you set your FortiGate's system time into the past by enough time. (I tried it with a few hours back)

 

Double-check that your time is in sync with some NTP server, and the correct timezone is set, on BOTH your FortiGate and the FortiAuthenticator.

 

Why does it matter? The AuthnRequest generated by SAML SP (=FortiGate) includes an IssueInstant field, which signals when the request was generated by the SP. The IdP (=FortiAuthenticator) can validate this and discard requests that are considered too old.

[ corrections always welcome ]

View solution in original post

291
6 REPLIES 6
sjoshi
Staff
Staff

Created on ‎12-06-2024 12:34 AM

Hi,

 

Can you share the SAML config and on the FAC side also

Let us know if this helps.
Salon Raj Joshi
324
nplljw
New Contributor II
In response to sjoshi

Created on ‎12-06-2024 12:43 AM

FGT:

config user saml
edit "fac-firewall"
set entity-id "http://192.168.199.60:10443/remote/saml/metadata/"
set single-sign-on-url "https://192.168.199.60:10443/remote/saml/login/"
set single-logout-url "https://192.168.199.60:10443/remote/saml/logout/"
set idp-entity-id "http://192.168.199.63/saml-idp/9xis00wasv70xh4r/metadata/"
set idp-single-sign-on-url "https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/"
set idp-single-logout-url "https://192.168.199.63/saml-idp/9xis00wasv70xh4r/logout/"
set idp-cert "REMOTE_Cert_2"
set user-name "username"
set group-name "group"
set digest-method sha1
next
end

 

General configuration.pngService Providers configuration.pngService Providers configuration2.png

315
nplljw
New Contributor II
In response to sjoshi

Created on ‎12-06-2024 12:56 AM

Hello, this is the output content of the debugging command

forticlient.png

FGT1 # diagnose debug application sslvpn -1
Debug messages will be on for 22 minutes.

FGT1 # diagnose debug application samld -1

FGT1 # diagnose debug enable

FGT1 # [3187:root:9d]allocSSLConn:310 sconn 0x7efd9ba54800 (0:root)
[3187:root:9d]SSL state:before SSL initialization (192.168.199.1)
[3187:root:9d]SSL state:before SSL initialization (192.168.199.1)
[3187:root:9d]no SNI received
[3187:root:9d]client cert requirement: no
[3187:root:9d]SSL state:SSLv3/TLS read client hello (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write server hello (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write change cipher spec (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data (192.168.199.1)
[3187:root:9d]no SNI received
[3187:root:9d]client cert requirement: no
[3187:root:9d]SSL state:SSLv3/TLS read client hello (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write server hello (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 write encrypted extensions (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write certificate (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 write server certificate verify (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write finished (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data:(null)(192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS read finished (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write session ticket (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write session ticket (192.168.199.1)
[3187:root:9d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[3187:root:9d]req: /remote/saml/start
[3187:root:9d]rmt_web_auth_info_parser_common:505 no session id in auth info
[3187:root:9d]rmt_web_get_access_cache:854 invalid cache, ret=4103
[3187:root:9d]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.
[3187:root:9d]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).
[3187:root:9d]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (2), realm ((null)).
[3187:root:9d]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.
[3187:root:9d]sslvpn_validate_user_group_list:1999 checking rule 1 realm.
[3187:root:9d]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.
[3187:root:9d]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.
[3187:root:9d]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (1:0) peer group (0).
[3187:root:9d]sslvpn_validate_user_group_list:1991 checking rule 2 cipher.
[3187:root:9d]sslvpn_validate_user_group_list:1999 checking rule 2 realm.
[3187:root:9d]sslvpn_validate_user_group_list:2010 checking rule 2 source intf.
[3187:root:9d]sslvpn_validate_user_group_list:2540 rule 2 done, got user (0:0) group (2:0) peer group (0).
[3187:root:9d]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).
[3187:root:9d]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).
[3187:root:9d]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.
[3187:root:9d][fsv_found_saml_server_name_from_auth_lst:126] Found SAML server [fac-firewall] in group [saml_sslvpn]
samld_process_request [145]: len=424, cmd=0, pid=3187, job_id=157
samld_process_request [162]: Received 424, 0xd63290
__samld_sp_create_auth_req [429]: SAML SP algo: 0 -> lasso=1. Binding Method: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

__samld_sp_create_auth_req [449]:
**** AuthnRequest URL ****
https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/?SAMLRequest=jZJBb%2BIwEIX%2FSuR7YicECBYgJZBo...
***********************
__samld_sp_create_auth_req [463]:
**** AuthnRequest ****
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_3FE88E8B4BACC1FFEEEA28B0A22F7B4A" Version="2.0" IssueInstant="2024-12-06T08:55:52Z" Destination="https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://192.168.199.60:10443/remote/saml/login/"><saml:Issuer>https://192.168.199.60:10443/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest>
***********************
__samld_sp_create_auth_req [468]:
**** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_3FE88E8B4BACC1FFEEEA28B0A22F7B4A" Version="2.0" IssueInstant="2024-12-06T08:55:52Z" Destination="https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://192.168.199.60:10443/remote/saml/login/"><saml:Issuer>https://192.168.199.60:10443/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://192.168.199.63/saml-idp/9xis00wasv70xh4r/metadata/</lasso:RemoteProviderID><lasso:MsgUrl>https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/?SAMLRequest=jZJBb%2BIwEIX%2FSuR7YicECBYgJZBo...</lasso:MsgUrl><lasso:MsgRelayState>magic=c8b43af9fee56022</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_3FE88E8B4BACC1FFEEEA28B0A22F7B4A</lasso:RequestID></lasso:Login>
***********************
samld_send_common_reply [91]: Code: 0, id: 157, pid: 3187, len: 3383, data_len 3367
samld_send_common_reply [99]: Attr: 14, 2265, <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_3FE88E8B4BACC1FFEEEA28B0A22F7B4A" Version="2.0" IssueInstant="2024-12-06T08:55:52Z" Destination="https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://192.168.199.60:10443/remote/saml/login/"><saml:Issuer>https://192.168.199.60:10443/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://192.168.199.63/saml-idp/9xis00wasv70xh4r/metadata/</lasso:RemoteProviderID><lasso:MsgUrl>https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/?SAMLRequest=jZJBb%2BIwEIX%2FSuR7YicECBYgJZBo...</lasso:MsgUrl><lasso:MsgRelayState>magic=c8b43af9fee56022</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_3FE88E8B4BACC1FFEEEA28B0A22F7B4A</lasso:RequestID></lasso:Login>
samld_send_common_reply [99]: Attr: 11, 1102, https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/?SAMLRequest=jZJBb%2BIwEIX%2FSuR7YicECBYgJZBo...
samld_send_common_reply [119]: Sent resp: 3383, pid=3187, job_id=157.

296
0 Kudos
pminarik
Staff
Staff

Created on ‎12-06-2024 01:08 AM Edited on ‎12-06-2024 01:11 AM

This can be intentionally reproduced if you set your FortiGate's system time into the past by enough time. (I tried it with a few hours back)

 

Double-check that your time is in sync with some NTP server, and the correct timezone is set, on BOTH your FortiGate and the FortiAuthenticator.

 

Why does it matter? The AuthnRequest generated by SAML SP (=FortiGate) includes an IssueInstant field, which signals when the request was generated by the SP. The IdP (=FortiAuthenticator) can validate this and discard requests that are considered too old.

[ corrections always welcome ]
292
nplljw
New Contributor II
In response to pminarik

Created on ‎12-06-2024 01:20 AM

Thank you for your answer. It is indeed due to time synchronization, and now there is a new phenomenon. Forticlient connection has been stuck at 40% and there is no window asking if you want to continue using untrusted TLS/SSL certificates

282
0 Kudos
pminarik
Staff
Staff
In response to nplljw

Created on ‎12-06-2024 04:37 AM

I would suggest gathering sslvpn + saml debug outputs (same as you did already), for this new situation. That could clarify where things get stuck.

[ corrections always welcome ]
207
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.