The detailed information is: You are not allowed to access this resource because the SAML request from your service provider (https://192.168.199.60:10443) has expired. Please try to access your service provider page again.
This can be intentionally reproduced if you set your FortiGate's system time into the past by enough time. (I tried it with a few hours back)
Double-check that your time is in sync with some NTP server, and the correct timezone is set, on BOTH your FortiGate and the FortiAuthenticator.
Why does it matter? The AuthnRequest generated by SAML SP (=FortiGate) includes an IssueInstant field, which signals when the request was generated by the SP. The IdP (=FortiAuthenticator) can validate this and discard requests that are considered too old.
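As an added example (not code from this thread, nor FortiAuthenticator's own implementation), the freshness check an IdP applies to IssueInstant, run against an AuthnRequest constructed from the ID, timestamp and URLs in the debug output further down; the 5-minute maximum age and 1-minute skew allowance are assumed values, not Fortinet's:

```python
"""IdP-side freshness check for a SAML AuthnRequest's IssueInstant.
Constructed example; max_age and skew defaults are assumptions."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest with the ID, IssueInstant and URLs from the
# FortiGate samld debug dump (NameIDPolicy and signing attributes omitted).
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" '
    'ID="_3FE88E8B4BACC1FFEEEA28B0A22F7B4A" Version="2.0" '
    'IssueInstant="2024-12-06T08:55:52Z" '
    'Destination="https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/" '
    'AssertionConsumerServiceURL="https://192.168.199.60:10443/remote/saml/login/"/>'
)

def utc(stamp: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2024-12-06T08:55:52Z into aware UTC."""
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {stamp}")
    return ts.astimezone(timezone.utc)

def issue_instant(authn_request_xml: str) -> datetime:
    """Extract IssueInstant from a samlp:AuthnRequest element."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    return utc(root.attrib["IssueInstant"])

def check_issue_instant(authn_request_xml: str, now: datetime,
                        max_age: timedelta = timedelta(minutes=5),
                        skew: timedelta = timedelta(minutes=1)) -> str:
    """Return 'ok', 'expired' (SP clock behind the IdP, or a stale request)
    or 'future' (SP clock ahead of the IdP beyond the skew allowance)."""
    age = now - issue_instant(authn_request_xml)
    if age > max_age + skew:
        return "expired"
    if age < -skew:
        return "future"
    return "ok"

if __name__ == "__main__":
    # IdP clock correct while the FortiGate that issued the request was set
    # back a few hours: reproduces "SAML request ... has expired".
    print(check_issue_instant(AUTHN_REQUEST, utc("2024-12-06T11:55:52Z")))
```

The same check fails in the other direction when the SP clock runs ahead of the IdP, which is why the answer above asks for NTP sync on both devices rather than on the FortiGate alone.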
Hi,
Can you share the SAML config, and also the one on the FAC side?
FGT:
config user saml
    edit "fac-firewall"
        set entity-id "http://192.168.199.60:10443/remote/saml/metadata/"
        set single-sign-on-url "https://192.168.199.60:10443/remote/saml/login/"
        set single-logout-url "https://192.168.199.60:10443/remote/saml/logout/"
        set idp-entity-id "http://192.168.199.63/saml-idp/9xis00wasv70xh4r/metadata/"
        set idp-single-sign-on-url "https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/"
        set idp-single-logout-url "https://192.168.199.63/saml-idp/9xis00wasv70xh4r/logout/"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
Hello, this is the output of the debug commands:
FGT1 # diagnose debug application sslvpn -1
Debug messages will be on for 22 minutes.
FGT1 # diagnose debug application samld -1
FGT1 # diagnose debug enable
FGT1 # [3187:root:9d]allocSSLConn:310 sconn 0x7efd9ba54800 (0:root)
[3187:root:9d]SSL state:before SSL initialization (192.168.199.1)
[3187:root:9d]SSL state:before SSL initialization (192.168.199.1)
[3187:root:9d]no SNI received
[3187:root:9d]client cert requirement: no
[3187:root:9d]SSL state:SSLv3/TLS read client hello (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write server hello (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write change cipher spec (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data (192.168.199.1)
[3187:root:9d]no SNI received
[3187:root:9d]client cert requirement: no
[3187:root:9d]SSL state:SSLv3/TLS read client hello (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write server hello (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 write encrypted extensions (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write certificate (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 write server certificate verify (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write finished (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data (192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data:(null)(192.168.199.1)
[3187:root:9d]SSL state:TLSv1.3 early data (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS read finished (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write session ticket (192.168.199.1)
[3187:root:9d]SSL state:SSLv3/TLS write session ticket (192.168.199.1)
[3187:root:9d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[3187:root:9d]req: /remote/saml/start
[3187:root:9d]rmt_web_auth_info_parser_common:505 no session id in auth info
[3187:root:9d]rmt_web_get_access_cache:854 invalid cache, ret=4103
[3187:root:9d]sslvpn_auth_check_usrgroup:2997 forming user/group list from policy.
[3187:root:9d]sslvpn_auth_check_usrgroup:3043 got user (0) group (2:0).
[3187:root:9d]sslvpn_validate_user_group_list:1905 validating with SSL VPN authentication rules (2), realm ((null)).
[3187:root:9d]sslvpn_validate_user_group_list:1991 checking rule 1 cipher.
[3187:root:9d]sslvpn_validate_user_group_list:1999 checking rule 1 realm.
[3187:root:9d]sslvpn_validate_user_group_list:2010 checking rule 1 source intf.
[3187:root:9d]sslvpn_validate_user_group_list:2049 checking rule 1 vd source intf.
[3187:root:9d]sslvpn_validate_user_group_list:2540 rule 1 done, got user (0:0) group (1:0) peer group (0).
[3187:root:9d]sslvpn_validate_user_group_list:1991 checking rule 2 cipher.
[3187:root:9d]sslvpn_validate_user_group_list:1999 checking rule 2 realm.
[3187:root:9d]sslvpn_validate_user_group_list:2010 checking rule 2 source intf.
[3187:root:9d]sslvpn_validate_user_group_list:2540 rule 2 done, got user (0:0) group (2:0) peer group (0).
[3187:root:9d]sslvpn_validate_user_group_list:2548 got user (0:0) group (2:0) peer group (0).
[3187:root:9d]sslvpn_validate_user_group_list:2895 got user (0:0), group (2:0) peer group (0).
[3187:root:9d]sslvpn_update_user_group_list:1804 got user (0:0), group (2:0), peer group (0) after update.
[3187:root:9d][fsv_found_saml_server_name_from_auth_lst:126] Found SAML server [fac-firewall] in group [saml_sslvpn]
samld_process_request [145]: len=424, cmd=0, pid=3187, job_id=157
samld_process_request [162]: Received 424, 0xd63290
__samld_sp_create_auth_req [429]: SAML SP algo: 0 -> lasso=1. Binding Method: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
__samld_sp_create_auth_req [449]:
**** AuthnRequest URL ****
https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/?SAMLRequest=jZJBb%2BIwEIX%2FSuR7YicECBYgJZBo...
***********************
__samld_sp_create_auth_req [463]:
**** AuthnRequest ****
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_3FE88E8B4BACC1FFEEEA28B0A22F7B4A" Version="2.0" IssueInstant="2024-12-06T08:55:52Z" Destination="https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://192.168.199.60:10443/remote/saml/login/"><saml:Issuer>https://192.168.199.60:10443/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest>
***********************
__samld_sp_create_auth_req [468]:
**** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_3FE88E8B4BACC1FFEEEA28B0A22F7B4A" Version="2.0" IssueInstant="2024-12-06T08:55:52Z" Destination="https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://192.168.199.60:10443/remote/saml/login/"><saml:Issuer>https://192.168.199.60:10443/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://192.168.199.63/saml-idp/9xis00wasv70xh4r/metadata/</lasso:RemoteProviderID><lasso:MsgUrl>https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/?SAMLRequest=jZJBb%2BIwEIX%2FSuR7YicECBYgJZBo...</lasso:MsgUrl><lasso:MsgRelayState>magic=c8b43af9fee56022</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_3FE88E8B4BACC1FFEEEA28B0A22F7B4A</lasso:RequestID></lasso:Login>
***********************
samld_send_common_reply [91]: Code: 0, id: 157, pid: 3187, len: 3383, data_len 3367
samld_send_common_reply [99]: Attr: 14, 2265, <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_3FE88E8B4BACC1FFEEEA28B0A22F7B4A" Version="2.0" IssueInstant="2024-12-06T08:55:52Z" Destination="https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://192.168.199.60:10443/remote/saml/login/"><saml:Issuer>https://192.168.199.60:10443/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://192.168.199.63/saml-idp/9xis00wasv70xh4r/metadata/</lasso:RemoteProviderID><lasso:MsgUrl>https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/?SAMLRequest=jZJBb%2BIwEIX%2FSuR7YicECBYgJZBo...</lasso:MsgUrl><lasso:MsgRelayState>magic=c8b43af9fee56022</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_3FE88E8B4BACC1FFEEEA28B0A22F7B4A</lasso:RequestID></lasso:Login>
samld_send_common_reply [99]: Attr: 11, 1102, https://192.168.199.63/saml-idp/9xis00wasv70xh4r/login/?SAMLRequest=jZJBb%2BIwEIX%2FSuR7YicECBYgJZBo...
samld_send_common_reply [119]: Sent resp: 3383, pid=3187, job_id=157.
Thank you for your answer. It is indeed due to time synchronization, and now there is a new phenomenon: the FortiClient connection has been stuck at 40%, and there is no window asking whether you want to continue using untrusted TLS/SSL certificates.
I would suggest gathering sslvpn + saml debug outputs (same as you did already), for this new situation. That could clarify where things get stuck.
Copyright 2024 Fortinet, Inc. All Rights Reserved.