iyotov
Staff

Description

 

This article describes how to troubleshoot SAML SSO logon errors with FortiManager/FortiAnalyzer in SP role.

 

Scope

 

FortiManager and FortiAnalyzer.

 

Solution

 

After the user is authenticated by the IdP, the FortiManager/FortiAnalyzer GUI can return different errors if something in the assertion is incorrect or unexpected.

Those errors are typically displayed as a pink banner at the top of a blank page, and the message gives a fairly clear description of the problem (with one exception, the Web Server Error 500 below).

 

Below are some of the common errors and their possible causes.

 

 

Web Server Error 500 (no pink banner in this case):


Possible causes:

1) Missing Name ID claim (the <NameID> element) in the IdP assertion.

 

2) Invalid FQDN in the SP URLs. For example, a short hostname is used instead of the FQDN in the SP Address (Server Address) field of the FortiManager/FortiAnalyzer SAML SSO configuration.

 

3) An unsupported attribute name/value format in the <AttributeStatement> of the IdP response may also trigger this error. Where possible, remove all unnecessary default claims/attributes from the IdP response.

In versions 6.x up to 7.0, only the 'username' attribute is parsed.
From 7.2.1 on, 'profilename' and 'adoms' are also parsed, for the Admin Profile and ADOM override.

 

invalid_response: There is no AttributeStatement on the Response


Possible causes:

<AttributeStatement> is completely missing from the IdP response.

This usually happens if the IdP sends no attributes by default (e.g. ADFS) or all attributes were removed by mistake.

 

The SAML Response is missing the assertion attribute 'username'


Possible Causes:

The 'username' attribute is not configured in the custom claims/attributes on the IdP side.

This attribute is mandatory for the FortiManager/FortiAnalyzer SAML implementation.

The value of 'username' should also match the value of 'Name ID'.

 

Admin 'xxxxx' does not exist.


Possible Causes:

'Auto Create Admin' is disabled in the FortiManager/FortiAnalyzer SAML SSO configuration, and the 'username' value in the <AttributeStatement> does not match any local admin user.

 

Failed to create SSO admin.


Possible Causes:

'Auto Create Admin' is enabled in the FortiManager/FortiAnalyzer SAML SSO configuration, but the 'username' value in the <AttributeStatement> contains unsupported characters. For example, an external Azure AD account whose user name contains a '#' sign.

 

invalid_response: Invalid issuer in the Assertion/Response (expected aaa, got bbb).


Possible Causes:

Misconfigured 'IdP Entity ID' URL in the FortiManager/FortiAnalyzer configuration: the value must match the Issuer sent by the IdP exactly (the message shows the expected and the received value).

 

SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding.


Possible Causes:

Misconfigured 'IdP Logout URL' in the FortiManager/FortiAnalyzer configuration, or a misconfigured logout endpoint binding in the relying party (application) settings on the IdP side; only the HTTP-Redirect binding is supported for logout.

 

invalid_logout_request_signature, Signature validation failed. Logout Request rejected: Signature validation failed. SAMLRequest rejected.


Possible Causes:

Misconfigured 'IdP Logout URL' in the FortiManager/FortiAnalyzer configuration, maybe pointing to an IdP endpoint requiring signed logout requests.

 

invalid_response: Signature validation failed. SAML Response rejected.


Possible Causes:

The IdP response signature does not match the IdP certificate selected in FortiManager/FortiAnalyzer. This is usually caused by an incorrect certificate being imported/selected in the SAML SSO configuration.

 

invalid_response: No Signature found. SAML Response rejected.


Possible Causes:

<SignatureValue> is missing from the IdP response. A misconfiguration on the IdP side prevents it from signing the response.

 

There might be other errors not covered by this article.

The assertion might need to be analyzed in order to verify the error and/or troubleshoot further.

The easiest way to capture the SAML request/response is with an extension/plugin installed in the user's browser.

Below are two simple-to-use Chrome extensions, which add a SAML tab to the Chrome Dev Tools (F12).

 

1) 'SAML DevTools' shows by default all HTTP messages, but can be manually switched to show SAML only:

https://chrome.google.com/webstore/detail/saml-devtools-extension/jndllhgbinhiiddokbeoeepbppdnhhio 


2) 'SAML Chrome Panel' has the SAML filters enabled by default, which makes it more convenient in some cases. It also allows exporting the data as a JSON file, which can then be imported and analyzed on another computer running a Chrome-based browser with the same extension:
https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace 


There are many similar tools for other browsers as well. Regardless of which one is used, the important part is to see if FortiManager/FortiAnalyzer is sending the correct SP AuthnRequest and to verify if the IdP Response/Assertion contains the correct URLs, signatures and attributes.
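The checks above can be run against the captured response before opening a ticket. The following script is an added example, not Fortinet code: it takes the base64 SAMLResponse copied from the browser extension and reports the conditions that map to the GUI errors in this article (wrong Issuer, unsigned response, missing NameID, missing AttributeStatement or 'username', 'username' not matching NameID or containing '#', and extra attributes). The sample response and the IdP Entity ID value are constructed placeholders, and the script does not verify the XML signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET
# Namespace prefixes used in SAML 2.0 responses and XML-DSig signatures
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def triage_saml_response(b64_response, expected_issuer):
    # b64_response: SAMLResponse copied from the browser extension; expected_issuer:
    # the 'IdP Entity ID' configured on the SP. The XML signature is NOT verified here.
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"invalid issuer (expected {expected_issuer}, got {issuer})")
    if root.find(".//ds:SignatureValue", NS) is None:
        findings.append("no Signature found")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion in Response"]
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        findings.append("missing NameID (possible Web Server Error 500)")
    stmt = assertion.find("saml:AttributeStatement", NS)
    if stmt is None:
        return findings + ["no AttributeStatement on the Response"]
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in stmt.findall("saml:Attribute", NS)}
    username = attrs.get("username", "")
    if not username:
        findings.append("missing assertion attribute 'username'")
    elif username != name_id:
        findings.append(f"'username' ({username}) does not match NameID ({name_id})")
    if "#" in username:
        findings.append("'username' contains '#' (Auto Create Admin would fail)")
    extra = sorted(set(attrs) - {"username", "profilename", "adoms"})
    if extra:
        findings.append(f"attributes FortiManager/FortiAnalyzer does not parse: {extra}")
    return findings

# Constructed sample (not a real capture): unsigned, Issuer differs from the configured
# IdP Entity ID, 'username' differs from NameID and contains '#', one stray claim present.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="username">
   <saml:AttributeValue>alice#EXT#</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="groups"><saml:AttributeValue>Admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

Calling triage_saml_response(SAMPLE_B64, "https://idp.example.test/") returns five findings for the constructed sample; an empty list means the response passes these structural checks and the remaining suspects are the certificate and the SP URLs.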


When creating Technical Support tickets for SAML issues with FortiManager/FortiAnalyzer, make sure to provide the following:

- A clear issue description, including the error message and/or a screenshot of the issue.

- The output of the FortiManager/FortiAnalyzer CLI command: get system saml

- A copy of the SP AuthnRequest and the IdP Response/Assertion captured with the browser extension.
