Created on 06-29-2023 12:39 AM Edited on 10-23-2023 12:20 AM By Jean-Philippe_P
Description
This article provides a solution to the SAML authentication error 'Access denied' shown to the end user by the SP/firewall.

Scope
FortiGate v6.X, v7.X.

Solution
Run the following debug on the firewall while the end user is authenticating (the SAML daemon debug and 'diag debug enable' are needed to see the SAML messages referred to below):

diag debug console timestamp enable
diag debug reset
diag debug app samld -1
diag debug enable

Depending on the setup, another command set might be helpful. For example, for SSL VPN, add diag debug app sslvpn -1 to the command set. If the following message is seen in the SAML debug output on the FortiGate CLI:
2023-06-22 07:01:30 [15478:root:57][fsv_found_saml_server_name_from_auth_lst:123] Found SAML server [azure.ad.sso] in group [test1]
Check the SAML configuration on the FortiGate under 'config user saml'. This error is usually caused by an incorrect parameter in that block, most often 'set single-sign-on-url'.

In this example 'set single-sign-on-url' is incorrect; it must be https://fgt.local:8443/remote/saml/login, that is, the FortiGate's SSL VPN address and port followed by /remote/saml/login.

Related articles:
Troubleshooting Tip: Common problems and causes when using SAML with SSL VPN
Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication
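As an added offline check (example code, not part of the Fortinet article): this Python script parses a 'show user saml' dump, looks up the server named in the debug line, and reports exactly which part of single-sign-on-url (scheme, host, port or path) does not match the FortiGate's SSL VPN address plus /remote/saml/login. The server name azure.ad.sso, host fgt.local and port 8443 come from the article; the configuration dump and its wrong URL are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed 'show user saml' output (not from the article): the server name
# matches the debug line above, but single-sign-on-url lacks the :8443 port.
SAMPLE_CONFIG = """\
config user saml
    edit "azure.ad.sso"
        set single-sign-on-url "https://fgt.local/remote/saml/login"
    next
end
"""
EXPECTED_PATH = "/remote/saml/login"  # SP login path shown in the article

def parse_saml_servers(config_text):
    """Map each 'edit "<name>"' entry under config user saml to its settings."""
    servers, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            current = m.group(1)
            servers[current] = {}
        elif (m := re.match(r'set (\S+) "([^"]*)"', line)) and current:
            servers[current][m.group(1)] = m.group(2)
        elif line == "next":
            current = None
    return servers

def check_sso_url(url, sp_host, sp_port):
    """Return the list of mismatches between single-sign-on-url and the SP."""
    u = urlsplit(url)
    problems = []
    if u.scheme != "https":
        problems.append("scheme must be https")
    if u.hostname != sp_host:
        problems.append(f"host {u.hostname!r} != SSL VPN host {sp_host!r}")
    if (u.port or 443) != sp_port:
        problems.append(f"port {u.port or 443} != SSL VPN port {sp_port}")
    if u.path != EXPECTED_PATH:
        problems.append(f"path {u.path!r} != {EXPECTED_PATH!r}")
    return problems

def audit(config_text, server_name, sp_host, sp_port):
    """Look up the SAML server named in the debug line and validate its URL."""
    cfg = parse_saml_servers(config_text).get(server_name)
    if cfg is None:
        return [f"SAML server {server_name!r} not found under config user saml"]
    return check_sso_url(cfg.get("single-sign-on-url", ""), sp_host, sp_port)
```

Paste the real 'show user saml' output in place of the constructed sample and pass the SSL VPN hostname and port the clients actually connect to.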
Copyright 2024 Fortinet, Inc. All Rights Reserved.