FortiGate
kiri (Staff)
Article Id 262122
Description

This article provides a solution for the SAML authentication error 'Access denied' that the SP (the FortiGate) shows to the end user after the IdP redirects the browser back to it.
Depending on the firmware version, the exact wording of the displayed error may differ slightly.

[Screenshot: error access.png, the 'Access denied' page shown to the user by the FortiGate]

Scope

FortiGate v6.X, v7.X.
Solution

Run the following debug on the firewall CLI while the end user attempts to authenticate (reset first so that no stale debug filters are left from a previous session, then enable timestamps so the output can be matched to the user's login attempt):

diag debug reset
diag debug console timestamp enable
diag debug app saml -1
diag debug enable

When finished, stop the debug with 'diag debug disable' followed by 'diag debug reset'.

 

Depending on the setup, an additional debug may be helpful. For example, if SAML is used for SSL VPN, add 'diag debug app sslvpn -1' to the command set above.

If the following message is seen in the SAML debug output on the FortiGate CLI:

 

2023-06-22 07:01:30 [15478:root:57][fsv_found_saml_server_name_from_auth_lst:123] Found SAML server [azure.ad.sso] in group [test1]
gen_sp_server [325]: Failed to create SP

 

Check the SAML configuration on the FortiGate. 'Failed to create SP' is usually caused by an incorrect 'config user saml' parameter, most often 'set single-sign-on-url', for example:

 

config user saml
    edit "azure.ad.sso"
        set entity-id "https://fgt.local:8443/remote/saml/metadata"
        set single-sign-on-url "https://fgt.local:8443/remote/loginlang=en"
        set single-logout-url "https://fgt.local:8443/remote/saml/logout"
    next
end

 

'set single-sign-on-url' is incorrect in this example; for SSL VPN it must be https://fgt.local:8443/remote/saml/login (the path is /remote/saml/login, with no query string appended).
Make sure all three URLs (entity ID, single sign-on URL and single logout URL) are correct and identical on both sides, SP and IdP, including scheme, hostname and port; the hostname and port must be the ones the SSL VPN portal listens on. These values are normally copied and pasted between the SP and the IdP rather than retyped, which avoids exactly this kind of mismatch.
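The URL check described above can be automated before a login test, so that a mistyped 'set single-sign-on-url' is caught without waiting for the 'Failed to create SP' debug line. The following is an added example (not Fortinet code and not from this article) to run on an admin workstation against pasted 'show user saml' output. It assumes the SSL VPN SAML SP paths used on this page (/remote/saml/metadata, /remote/saml/login, /remote/saml/logout) and, optionally, a dict of the URLs configured on the IdP side, typed in by hand; the embedded configuration is the page's own example, reproduced as constructed sample input.

```python
"""Sanity-check the SP URLs in a FortiGate 'config user saml' block.

Added example, not Fortinet's code. Assumes the SSL VPN SAML SP paths
/remote/saml/metadata, /remote/saml/login and /remote/saml/logout (as on
this page). The IdP-side URLs, if supplied, are pasted in by the operator.
"""
import re
from urllib.parse import urlparse

# Expected SP paths for the SSL VPN SAML endpoints (assumption: the paths shown on the page).
EXPECTED_PATHS = {
    "entity-id": "/remote/saml/metadata",
    "single-sign-on-url": "/remote/saml/login",
    "single-logout-url": "/remote/saml/logout",
}

# Constructed sample input: the page's own (deliberately broken) configuration.
PAGE_CONFIG = '''
config user saml
    edit "azure.ad.sso"
        set entity-id "https://fgt.local:8443/remote/saml/metadata"
        set single-sign-on-url "https://fgt.local:8443/remote/loginlang=en"
        set single-logout-url "https://fgt.local:8443/remote/saml/logout"
    next
end
'''

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"([^"]*)"\s*$')


def parse_saml_servers(config_text):
    """Return {server_name: {parameter: value}} for every 'edit' block in the config."""
    servers, current = {}, None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("edit "):
            current = stripped[5:].strip().strip('"')
            servers[current] = {}
        elif stripped == "next":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                servers[current][m.group(1)] = m.group(2)
    return servers


def check_sp_urls(params, idp_urls=None):
    """Return a list of findings for one SAML server; an empty list means nothing was found.

    Checks: every URL present, https scheme, expected path, one host:port shared by
    all three URLs, and (if idp_urls is given) byte-for-byte agreement with the IdP side.
    """
    findings, origins = [], set()
    for param, expected_path in EXPECTED_PATHS.items():
        url = params.get(param)
        if url is None:
            findings.append(f"{param}: missing")
            continue
        u = urlparse(url)
        if u.scheme != "https":
            findings.append(f"{param}: scheme '{u.scheme}' should be https")
        origins.add((u.hostname, u.port))
        if u.path != expected_path or u.query:
            findings.append(f"{param}: path '{u.path}' should be '{expected_path}'")
        if idp_urls and idp_urls.get(param) and idp_urls[param].rstrip("/") != url.rstrip("/"):
            findings.append(f"{param}: SP has '{url}' but IdP has '{idp_urls[param]}'")
    if len(origins) > 1:
        joined = ", ".join(f"{h}:{p}" for h, p in origins)
        findings.append(f"host/port differs across the SP URLs: {joined}")
    return findings


if __name__ == "__main__":
    for name, params in parse_saml_servers(PAGE_CONFIG).items():
        for finding in check_sp_urls(params) or ["no problems found"]:
            print(f"{name}: {finding}")
```

Run against the page's example, the only finding is the single-sign-on-url path ('/remote/loginlang=en' instead of '/remote/saml/login'); with that line corrected the check returns no findings. Passing the Reply URL and metadata URL copied from the IdP as idp_urls catches the second common cause, a URL that is valid on the FortiGate but not the one the IdP was told about.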

Related articles:

Troubleshooting Tip: Common problems and causes when using SAML with SSL VPN 

Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication