Description
This article describes one possible cause of users being disconnected while using SAML SSO authentication for SSL VPN: the certificate referenced in the SAML configuration no longer matches the SSL VPN server certificate (for example, after the server certificate was renewed or replaced).
Scope
FortiGate.
Solution
Issue: Check the certificate being used in the SAML configuration (show user saml):

    config user saml
        edit "saml-user"
            set cert "CA_SIGNED_OLD_CERT"   <- Old certificate being used
            set entity-id "https://10.10.10.1:8443/remote/saml/metadata/"
            set single-sign-on-url "https://10.10.10.1:8443/remote/saml/login/"
            set single-logout-url "https://10.10.10.1:8443/remote/saml/logout/"
            set idp-entity-id "https://10.10.10.1:8443/saml-idp/101087/metadata/"
            set idp-single-sign-on-url "https://10.10.10.1:8443/saml-idp/101087/login/"
            set idp-single-logout-url "https://10.10.10.1:8443/saml-idp/101087/logout/"
            set idp-cert "REMOTE_Cert_1"
        next
    end

Check the SSL VPN server certificate (show vpn ssl settings):

    config vpn ssl settings
        set servercert "NEW_CA_SIGNED_CERT"   <- New certificate being used
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config authentication-rule
            edit 1
                set groups "SSLVPN_Users"
                set portal "full-access"
            next
        end
    end

Here the SSL VPN server certificate has been updated to NEW_CA_SIGNED_CERT, but the SAML configuration still references the old certificate CA_SIGNED_OLD_CERT.

Solution:
Make sure that the SAML configuration and the SSL VPN settings reference the same certificate. In this example, the SAML configuration was updated to use the new certificate:

    config user saml
        edit "saml-user"
            set cert "NEW_CA_SIGNED_CERT"   <- The SAML configuration was modified to use the new certificate.
        next
    end

If the IdP was configured from the FortiGate SP metadata (which embeds the SP certificate), re-export the SP metadata or certificate to the IdP after this change so that the IdP trusts the new certificate as well.
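The check above can be automated before it causes an outage, for instance as part of a certificate-renewal runbook. The following Python script is an added example and is not part of the Fortinet article: it parses the text printed by `show user saml` and `show vpn ssl settings` (pasted into a string; the sample below is constructed from the object names in this article, not captured from a real device), reports every `config user saml` entry whose `cert` differs from the SSL VPN `servercert`, and prints the CLI that points the SAML object at the correct certificate. The parser, `parse_fortios`, and the helper names are this example's own.

```python
"""Detect a SAML-vs-SSL-VPN certificate mismatch in FortiGate CLI output.

Added example, not part of the Fortinet article. Assumes the input is the
text printed by `show user saml` and `show vpn ssl settings`, concatenated.
"""

# Constructed sample built from the object names in the article; it is not
# output captured from a real device.
SAMPLE_CONFIG = """\
config user saml
    edit "saml-user"
        set cert "CA_SIGNED_OLD_CERT"
        set entity-id "https://10.10.10.1:8443/remote/saml/metadata/"
        set single-sign-on-url "https://10.10.10.1:8443/remote/saml/login/"
        set single-logout-url "https://10.10.10.1:8443/remote/saml/logout/"
        set idp-entity-id "https://10.10.10.1:8443/saml-idp/101087/metadata/"
        set idp-single-sign-on-url "https://10.10.10.1:8443/saml-idp/101087/login/"
        set idp-single-logout-url "https://10.10.10.1:8443/saml-idp/101087/logout/"
        set idp-cert "REMOTE_Cert_1"
    next
end
config vpn ssl settings
    set servercert "NEW_CA_SIGNED_CERT"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    config authentication-rule
        edit 1
            set groups "SSLVPN_Users"
            set portal "full-access"
        next
    end
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config text into {path_tuple: {key: value}}.

    `config X` and `edit NAME` push a level; `next` and `end` pop one.
    Values have their surrounding quotes removed (single-value settings
    are all this check needs).
    """
    stack, result = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip('"'))
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            result.setdefault(tuple(stack), {})[key] = value.strip('"')
    return result


def saml_cert_mismatches(config):
    """Return (saml_object, saml_cert, sslvpn_servercert) for every
    `config user saml` entry whose `cert` differs from the SSL VPN servercert."""
    servercert = config.get(("vpn ssl settings",), {}).get("servercert")
    findings = []
    for path, settings in config.items():
        if len(path) == 2 and path[0] == "user saml":
            cert = settings.get("cert")
            if cert != servercert:
                findings.append((path[1], cert, servercert))
    return findings


def fix_commands(findings):
    """Build the CLI that points each mismatched SAML object at the SSL VPN cert."""
    lines = []
    for name, _old, servercert in findings:
        if servercert is None:  # nothing sensible to point at; fix servercert first
            continue
        lines += [
            "config user saml",
            f'    edit "{name}"',
            f'        set cert "{servercert}"',
            "    next",
            "end",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    found = saml_cert_mismatches(parse_fortios(SAMPLE_CONFIG))
    for name, old, new in found:
        print(f'user saml "{name}" uses cert "{old}" but SSL VPN servercert is "{new}"')
    if found:
        print("Suggested fix:\n" + fix_commands(found))
```

Feed it the two `show` outputs from a real unit (or the relevant sections of a configuration backup) instead of SAMPLE_CONFIG; an empty result means the SAML object and the SSL VPN portal already share a certificate.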
Copyright 2024 Fortinet, Inc. All Rights Reserved.