FortiGate
kumarh (Staff)
Article Id 307103
Description

This article describes a case where a user who authenticates via SAML cannot connect to the VPN on the first attempt and gets a timeout error. The samld debug output shows the AuthnRequest being sent to the IdP and the connection then timing out:


__samld_sp_create_auth_req [468]:

**** SP Login Dump ****

<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_EEC555DE627F664C7E735651AFBFB850" Version="2.0" IssueInstant="2024-03-22T16:20:49Z" Destination="https://login.microsoftonline.com/23b57807-562f-49ad-92c4-3bb0f07a1fdf/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://calianatredlan.calian.com/remote/saml/login"><saml:Issuer>https://calianatredlan.calian.com/remote/saml/metadata/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/23b57807-562f-49ad-92c4-3bb0f07a1fdf/</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.com/23b57807-562f-49ad-92c4

***********************

samld_send_common_reply [91]: Code: 0, id: 4763, pid: 16379, len: 2576, data_len 2560

samld_send_common_reply [99]:     Attr: 14, 1874, <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_EEC555DE627F664C7E735651AFBFB850" Version="2.0" IssueInstant="2024-03-22T16:20:49Z" Destination="https://login.microsoftonline.com/23b57807-562f-49ad-92c4-3bb0f07a1fdf/saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://calianatredlan.calian.com/remote/saml/login"><saml:Issuer>https://calianatredlan.calian.com/remote/saml/metadata/</saml
samld_send_common_reply [99]:     Attr: 11, 686, https://login.microsoftonline.com/23b57807-562f-49ad-92c4-3bb0f07a1fdf/saml2?SAMLRequest=lZJJb9swEIX%2FisC7NlpLTNgGvKIG0kaInRx6KWhqlBDg4nKotP33oaWkTQ8JkOMM3xvO9zAz5Fqd2bL3j%2BYWfvaAPvqtlUE2PMxJ7wyzHCUywzUg84Idll%2BvGU0ydnbWW2EVeWP52MERwXlpDYn2mzn5sd2uy7LcbCta76qqWNfbelJWZb7crXarqzIj0T04D
samld_send_common_reply [119]: Sent resp: 2576, pid=16379, job_id=4763.
2024-03-22 10:21:13 [16379:root:129b]Timeout for connection 0x7f7655560000.

Scope

FortiGate.
Solution
  1. FortiGate has a default remote authentication timeout (remoteauthtimeout) of 5 seconds. It waits 5 seconds for the remote authentication server (here the SAML IdP) to respond before timing out the authentication attempt.
  2. On the first VPN connection attempt, the user is redirected to the SAML IdP, enters credentials and authenticates. Typing credentials and completing any MFA prompt takes longer than 5 seconds, so by the time the IdP redirects the browser back, the FortiGate has already timed out the request and the VPN setup fails.
  3. The SAML IdP, however, has now established a session for the user and considers them authenticated.
  4. On the second attempt, the user is redirected to the SAML IdP again.
  5. The IdP still has the session from the first attempt and immediately returns the assertion without any user input. The redirect back to the VPN completes within the 5-second window, so the second attempt succeeds.

To fix this, increase remoteauthtimeout to a value between 30 and 120 seconds and clear the cookies on the connecting machine, so that the test starts from a fresh IdP session rather than the cached one from the failed attempt. The value must be long enough for the user to be redirected to the SAML provider, enter credentials, complete any MFA challenge, and be redirected back to the VPN. Note that remoteauthtimeout under config system global is a global value: it also governs how long the FortiGate waits for RADIUS, LDAP and TACACS+ servers, so raising it lengthens the wait on an unresponsive server of those types as well.

For example:


config system global
    set remoteauthtimeout 120
end

This setting would force the FortiGate to wait 120 seconds before timing out the authentication request; this should provide time for the user to be redirected to the SAML provider, input the credentials, and be redirected back to the VPN.
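As an added example (not part of the original article and not a Fortinet tool), the following Python script reads samld debug output of the kind shown above, measures how long the round trip to the IdP actually took, and compares it with the configured remoteauthtimeout. The sample lines are constructed and modelled on the dump above, with a placeholder tenant ID and hostname; the FortiGate's local UTC offset is an assumption passed in as a parameter, because the samld timeout line is stamped in local time while the AuthnRequest IssueInstant is UTC. The 30-second floor and doubling headroom in suggested_remoteauthtimeout are my own sizing rule, not a Fortinet recommendation.

```python
import math
import re
from datetime import datetime, timedelta, timezone

# FortiOS default and upper limit for "set remoteauthtimeout" in config system global.
DEFAULT_REMOTEAUTHTIMEOUT = 5
MAX_REMOTEAUTHTIMEOUT = 300

# Constructed sample modelled on the samld debug output above (trimmed; the
# tenant ID and hostnames are placeholders, not values from a real deployment).
SAMPLE_DEBUG = """\
__samld_sp_create_auth_req [468]:
**** SP Login Dump ****
<lasso:Login LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_EEC555DE627F664C7E735651AFBFB850" Version="2.0" IssueInstant="2024-03-22T16:20:49Z" Destination="https://login.microsoftonline.com/TENANT-ID/saml2" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://vpn.example.com/remote/saml/login"></samlp:AuthnRequest></lasso:Request></lasso:Login>
samld_send_common_reply [119]: Sent resp: 2576, pid=16379, job_id=4763.2024-03-22 10:21:13 [16379:root:129b]Timeout for connection 0x7f7655560000.
"""

# IssueInstant is UTC (trailing Z); the timeout line carries the FortiGate's local clock.
ISSUE_RE = re.compile(r'IssueInstant="(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z"')
TIMEOUT_RE = re.compile(r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[[^\]]*\]Timeout for connection')


def auth_round_trip_seconds(debug_text, local_utc_offset_hours):
    """Seconds between the AuthnRequest IssueInstant and the samld timeout line.
    Returns None when either marker is absent from the debug text."""
    issued = ISSUE_RE.search(debug_text)
    timed_out = TIMEOUT_RE.search(debug_text)
    if not issued or not timed_out:
        return None
    local_tz = timezone(timedelta(hours=local_utc_offset_hours))  # assumption: caller knows the box's TZ
    t_issue = datetime.strptime(issued.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    t_timeout = datetime.strptime(timed_out.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_tz)
    return (t_timeout - t_issue).total_seconds()


def suggested_remoteauthtimeout(observed_seconds):
    """Sizing rule (my own, not Fortinet's): double the observed round trip for
    headroom (MFA prompts, slow IdP), round up to a multiple of 30 s, and keep
    the result within 30..300 s, the upper bound FortiOS accepts."""
    value = math.ceil(2 * observed_seconds / 30) * 30
    return int(min(MAX_REMOTEAUTHTIMEOUT, max(30, value)))


def diagnose(debug_text, local_utc_offset_hours, remoteauthtimeout=DEFAULT_REMOTEAUTHTIMEOUT):
    """Compare the observed IdP round trip with the configured remoteauthtimeout."""
    elapsed = auth_round_trip_seconds(debug_text, local_utc_offset_hours)
    if elapsed is None:
        return {"elapsed_s": None, "exceeded": False, "suggested": remoteauthtimeout}
    exceeded = elapsed > remoteauthtimeout
    return {
        "elapsed_s": elapsed,
        "exceeded": exceeded,
        "suggested": suggested_remoteauthtimeout(elapsed) if exceeded else remoteauthtimeout,
    }


if __name__ == "__main__":
    # Assumption: the FortiGate that produced the sample keeps local time at UTC-6.
    result = diagnose(SAMPLE_DEBUG, local_utc_offset_hours=-6)
    print(result)
    if result["exceeded"]:
        print("config system global\n    set remoteauthtimeout %d\nend" % result["suggested"])
```

With the sample above the IdP round trip is 24 seconds, well beyond the 5-second default, which matches the first-attempt failure described in the Solution. Run the same script against a capture of the second, cached-session attempt and the elapsed time drops to a few seconds, which is why that attempt succeeds without any configuration change.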
