Description |
This article describes a case in which a user who authenticates to the VPN via SAML cannot connect on the first attempt and receives a timeout error. The samld debug output shows the AuthnRequest being sent to the identity provider and the connection then timing out:
**** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_EEC555DE627F664C7E735651AFBFB850" Version="2.0" IssueInstant="2024-03-22T16:20:49Z" Destination="https://login.microsoftonline.com/23b57807-562f-49ad-92c4-3bb0f07a1fdf/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://calianatredlan.calian.com/remote/saml/login"><saml:Issuer>https://calianatredlan.calian.com/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/23b57807-562f-49ad-92c4-3bb0f07a1fdf/</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.com/23b57807-562f-49ad-92c4 ***********************
samld_send_common_reply [91]: Code: 0, id: 4763, pid: 16379, len: 2576, data_len 2560
samld_send_common_reply [99]: Attr: 14, 1874, <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_EEC555DE627F664C7E735651AFBFB850" Version="2.0" IssueInstant="2024-03-22T16:20:49Z" Destination="https://login.microsoftonline.com/23b57807-562f-49ad-92c4-3bb0f07a1fdf/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://calianatredlan.calian.com/remote/saml/login"><saml:Issuer>https://calianatredlan.calian.com/remote/saml/metadata/</saml
samld_send_common_reply [99]: Attr: 11, 686, https://login.microsoftonline.com/23b57807-562f-49ad-92c4-3bb0f07a1fdf/saml2?SAMLRequest=lZJJb9swEIX%2FisC7NlpLTNgGvKIG0kaInRx6KWhqlBDg4nKotP33oaWkTQ8JkOMM3xvO9zAz5Fqd2bL3j%2BYWfvaAPvqtlUE2PMxJ7wyzHCUywzUg84Idll%2BvGU0ydnbWW2EVeWP52MERwXlpDYn2mzn5sd2uy7LcbCta76qqWNfbelJWZb7crXarqzIj0T04Dsam
samld_send_common_reply [119]: Sent resp: 2576, pid=16379, job_id=4763.
2024-03-22 10:21:13 [16379:root:129b]Timeout for connection 0x7f7655560000. |
Scope | FortiGate. |
Solution |
Increase the remoteauthtimeout from 30 to 120 seconds and clear the browser cookies on the connecting machine. This setting forces the FortiGate to wait 120 seconds before timing out the authentication request, which should give the user enough time to be redirected to the SAML provider, enter their credentials, and be redirected back to the VPN. Note that remoteauthtimeout is a global setting, so the longer wait applies to every remote authentication server the FortiGate uses, not only to SAML. |
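The CLI change described above, written out as an added example rather than text from the original article. It uses the FortiOS `config system global` / `set remoteauthtimeout` command, then re-enables the samld debug output so the "Timeout for connection" signature from the Description can be confirmed as gone after the change. Lines beginning with `#` are annotations, not commands to type.

```fortios
# Raise the remote authentication timeout so the full SAML round trip
# (redirect to the IdP, user login, POST back to the ACS URL) can finish
# before the FortiGate drops the pending request. Value is in seconds.
config system global
    set remoteauthtimeout 120
end

# Confirm the new value is active.
show system global | grep remoteauthtimeout

# Clear browser cookies on the client, then reproduce the VPN login while
# watching the SAML daemon. A healthy run ends with the assertion being
# consumed; the failure case ends with "Timeout for connection ...".
diagnose debug application samld -1
diagnose debug enable
# ... reproduce the SAML login from the client ...
diagnose debug disable
diagnose debug reset
```

If the timeout line still appears after 120 seconds, the delay is not on the FortiGate side: check the identity provider's response time and the client's path back to the AssertionConsumerServiceURL before raising the value further.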
Copyright 2024 Fortinet, Inc. All Rights Reserved.