FortiEDR
Luke_FTNT
Staff
Article Id 214117
Description This article covers a sporadic issue where SAML authentication between FortiEDR Manager (SP) and Microsoft's Azure (IdP) can fail.
Scope FortiEDR and SAML authentication.
Solution

When FortiEDR Manager is configured for SAML authentication with Azure acting as the identity provider, SAML authentications may sporadically fail. This results in an 'error with organization' message being displayed on the FortiEDR Manager login page. This can be a result of SAML time skew: FortiEDR Manager checks the timestamps in the SAML assertion as a protection mechanism to ensure the assertion is not 'old'.

This can be validated through two options:

1) The FortiEDR Manager logs will record the failure with an entry such as the following:

2022-06-01 18:10:12.807  INFO 26500 [https-jsse-nio-443-exec-165] --- o.s.security.saml.log.SAMLDefaultLogger  : AuthNResponse;FAILURE;ip-address;https://environment/saml/metadata/alias/1;https://sts.windows.net/<assertion-id>/;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation

This option is only available to dedicated hosted and on-premise customers. FortiEDR TAC can assist with this troubleshooting step in all cases.

2) Using the 'SAML Tracer' web browser extension. This is a popular extension available for Chrome and Firefox that allows a user to trace and log their SAML requests and responses. To run a SAML Tracer capture, install the extension and open it; it opens in a small window. Reproduce the problem by signing into the FortiEDR Manager, and the captured data will appear in SAML Tracer. The 'SAML' tab is the most important here. The 'Export' option can be chosen to export the SAML Tracer capture for review and to provide to FortiEDR TAC.

[Image: saml-example.png]

There are three values to identify in the SAML assertion response within the exported JSON file:

2a) The 'IssueInstant' time (e.g. IssueInstant='2022-06-01T18:10:12.354Z'). This is the time the SAML authentication request occurred.

2b) The subject conditions ('NotBefore' and 'NotAfter'). The 'IssueInstant' value must fall within this range.

2c) The 'AuthnInstant' time (e.g. AuthnInstant='2022-06-01T22:59:07.552Z'). If this value is more than 3,600 seconds (1 hour) apart from the 'IssueInstant' value, FortiEDR Manager will detect the skew and reject the authentication.
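The three checks above (2a, 2b and 2c) can be automated against the decoded SAML Response XML that SAML Tracer shows on its 'SAML' tab. The following is an added example written for this article; it is not FortiEDR, Fortinet or SAML Tracer code. It assumes the decoded response XML has been copied into a string, reads the condition attributes by their SAML schema names (NotBefore and NotOnOrAfter, the latter being what the article calls 'NotAfter'), and uses the 3,600-second limit quoted above as a parameter so it can be changed if TAC has raised the skew setting. The sample response embedded below is constructed for the example, using the timestamps quoted in the article and a placeholder tenant id.

```python
"""Added example: check the three timestamps the article describes in a
decoded SAML Response. Illustration code only; not part of FortiEDR."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The 1-hour limit quoted in the article; assumed adjustable by TAC.
MAX_SKEW_SECONDS = 3600

# Constructed sample response: IssueInstant and AuthnInstant are the values
# quoted in the article, the tenant id and IDs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-response" Version="2.0"
    IssueInstant="2022-06-01T18:10:12.354Z"
    Destination="https://environment/saml/SSO/alias/1">
  <saml:Issuer>https://sts.windows.net/tenant-id-placeholder/</saml:Issuer>
  <saml:Assertion ID="_constructed-assertion" Version="2.0"
      IssueInstant="2022-06-01T18:10:12.354Z">
    <saml:Issuer>https://sts.windows.net/tenant-id-placeholder/</saml:Issuer>
    <saml:Conditions NotBefore="2022-06-01T18:05:12.354Z"
        NotOnOrAfter="2022-06-01T19:10:12.354Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://environment/saml/metadata/alias/1</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2022-06-01T22:59:07.552Z"
        SessionIndex="_constructed-session"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a SAML xsd:dateTime such as 2022-06-01T18:10:12.354Z into an
    aware UTC datetime (the trailing 'Z' is rewritten for older Pythons)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_saml_response(xml_text, max_skew=MAX_SKEW_SECONDS):
    """Apply checks 2a-2c and return the parsed instants, the gap between
    AuthnInstant and IssueInstant in seconds, the findings, and ok."""
    root = ET.fromstring(xml_text)
    # 2a) IssueInstant on the Response element
    issue_instant = parse_instant(root.get("IssueInstant"))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "skew_seconds": None,
                "findings": ["response carries no Assertion"]}
    # 2b) Conditions window; either bound may be absent
    conditions = assertion.find("saml:Conditions", NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    # 2c) AuthnInstant on the AuthnStatement
    authn = assertion.find("saml:AuthnStatement", NS)
    authn_instant = parse_instant(authn.get("AuthnInstant")) if authn is not None else None

    findings = []
    if not_before and issue_instant < parse_instant(not_before):
        findings.append("IssueInstant %s is before NotBefore %s"
                        % (issue_instant.isoformat(), not_before))
    if not_on_or_after and issue_instant >= parse_instant(not_on_or_after):
        findings.append("IssueInstant %s is not before NotOnOrAfter %s"
                        % (issue_instant.isoformat(), not_on_or_after))
    skew = None
    if authn_instant is None:
        findings.append("assertion has no AuthnStatement/AuthnInstant")
    else:
        skew = abs((authn_instant - issue_instant).total_seconds())
        if skew > max_skew:
            findings.append("AuthnInstant is %.0f s from IssueInstant, above the %d s limit"
                            % (skew, max_skew))
    return {"ok": not findings, "issue_instant": issue_instant,
            "authn_instant": authn_instant, "skew_seconds": skew,
            "findings": findings}


if __name__ == "__main__":
    result = check_saml_response(SAMPLE_RESPONSE)
    print("skew seconds:", result["skew_seconds"])
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("would pass skew check:", result["ok"])
```

With the article's own timestamps the script reports a gap of roughly 17,335 seconds between AuthnInstant and IssueInstant, far above the 3,600-second limit, which is the condition that produces the login failure described above; a response whose AuthnInstant lies within the hour of IssueInstant passes.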

FortiEDR TAC can increase this SAML skew parameter upon request through a support ticket.

Microsoft Azure uses a Primary Refresh Token (PRT) which is refreshed on a preconfigured interval within Azure. In some cases this interval can be several hours, if not days, which causes the SAML authentication request to fail. Manually signing out of Azure and back in often forces this token to be refreshed, allowing SAML authentication to work again.
