FortiGate
AnthonyH, Staff
Article Id 302131
Description

This article describes possible reasons for user disconnection while using SAML SSO Authentication.

Scope

FortiGate.

Solution

Issue:

Check the certificate used in the SAML configuration:

config user saml
    edit "saml-user"
        set cert "CA_SIGNED_OLD_CERT"    <- Old certificate still being used
        set entity-id "https://10.10.10.1:8443/remote/saml/metadata/"
        set single-sign-on-url "https://10.10.10.1:8443/remote/saml/login/"
        set single-logout-url "https://10.10.10.1:8443/remote/saml/logout/"
        set idp-entity-id "https://10.10.10.1:8443/saml-idp/101087/metadata/"
        set idp-single-sign-on-url "https://10.10.10.1:8443/saml-idp/101087/login/"
        set idp-single-logout-url "https://10.10.10.1:8443/saml-idp/101087/logout/"
        set idp-cert "REMOTE_Cert_1"
    next
end

Check the SSL VPN server certificate:

config vpn ssl settings
    set servercert "NEW_CA_SIGNED_CERT"    <- New certificate being used
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    config authentication-rule
        edit 1
            set groups "SSLVPN_Users"
            set portal "full-access"
        next
    end
end

 

Solution:

Make sure that both the SAML configuration and the SSL VPN settings use the same certificate. In this example, the SAML configuration was updated to use the new certificate:

config user saml
    edit "saml-user"
        set cert "NEW_CA_SIGNED_CERT"    <- The SAML configuration was modified to use the new certificate.
    next
end
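As an added check that is not part of the original article or of FortiOS itself: the Python script below parses a FortiOS CLI backup (the output of show, pasted or exported) and flags every config user saml entry whose cert differs from the servercert in config vpn ssl settings. The sample configuration embedded in it is constructed to reproduce the mismatch described above; the parser handles the nested config blocks (such as authentication-rule) that appear in such backups.

```python
# Constructed sample in FortiOS CLI form (not from a real device) reproducing the
# article's mismatch: SAML bound to the old cert, SSL VPN serving the new one.
SAMPLE_CONFIG = """\
config user saml
    edit "saml-user"
        set cert "CA_SIGNED_OLD_CERT"
        set idp-cert "REMOTE_Cert_1"
    next
end
config vpn ssl settings
    set servercert "NEW_CA_SIGNED_CERT"
    config authentication-rule
        edit 1
            set groups "SSLVPN_Users"
        next
    end
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into {(config_path, edit_name): {key: value}};
    nested 'config' names join with '/', edit_name is '' outside an edit."""
    entries, configs, edits = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            configs.append(line[len("config "):])
            edits.append("")
        elif line.startswith("edit "):
            edits[-1] = line[len("edit "):].strip('"')
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            scope = ("/".join(configs), edits[-1])
            entries.setdefault(scope, {})[key] = value.strip().strip('"')
        elif line == "next":
            edits[-1] = ""
        elif line == "end":
            configs.pop()
            edits.pop()
    return entries

def check_saml_certs(text):
    """List (saml_entry, saml_cert, servercert) for each 'config user saml'
    entry whose cert is not the certificate the SSL VPN portal serves."""
    entries = parse_fortios(text)
    servercert = entries.get(("vpn ssl settings", ""), {}).get("servercert")
    return [(name, cfg.get("cert"), servercert)
            for (path, name), cfg in entries.items()
            if path == "user saml" and cfg.get("cert") != servercert]
```

Running check_saml_certs on the sample returns the one mismatched entry; after the SAML cert is changed to NEW_CA_SIGNED_CERT as in the solution above, it returns an empty list.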
