Troubleshooting external IdP
This topic describes errors that may be encountered with an external IdP and suggests troubleshooting steps for each.
Verifying SAML assertion values with SAML tracer
If there are any SAML-related errors, a SAML tracer plugin may be useful to verify if the required fields are in the SAML assertion.
To use the Chrome SAML-tracer:
- Install the SAML-tracer Chrome extension from the Chrome Web Store.
- Clear your browser cookies or open an incognito browser window.
- Open the SAML tracer from the extensions.
- Begin recording the login process.
- Log in with the external IdP and navigate to FortiCloud Services.
- Click Pause after the login process is done.
- Verify the SAML assertion values:
  - In the SAML tracer, locate the https://customersso1.fortinet.com/saml-idp/proxy/{REALM}/saml/?acs POST API call.
  - Check that both the Subject field with the username and the Role attribute are included in the SAML assertion. See POST request from IdP to https://customersso1.fortinet.com and POST request from https://customersso1.fortinet.com to https://support.fortinet.com for more information.
- If there are errors in the SAML assertion, click Export to export the file and send it to the Fortinet Inc. team. For more information on potential errors, see FortiCloud errors.
Note: The process should be similar for Firefox and other web browsers.
POST request from IdP to https://customersso1.fortinet.com
Under the POST request, after the redirect from external IdP, make sure that there are two attribute statements (Username and Role). Take note of the Role value and make sure there is a corresponding FortiCloud IAM portal external IdP role.
POST request from https://customersso1.fortinet.com to https://support.fortinet.com
After customersso1 redirects to support.fortinet.com, make sure that there are three key attributes:
- idp_name: The realm name assigned during enrollment (https://customersso1.fortinet.com/saml-idp/proxy/{realm name}/saml/?acs)
- idp_user_roles: The external IdP role
- idp_user_id: The username
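The two checks above (Username and Role in the IdP's POST, then idp_name, idp_user_roles and idp_user_id in the customersso1 POST) can be run over the decoded SAML response that the SAML tracer shows. The following script is an added example, not Fortinet's code; the sample response, the user, and the role names in it are constructed, and the IAM role list is an assumption you replace with the external IdP roles actually defined in your IAM portal.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the assertion an IdP POSTs to the customersso1 ACS URL (not a real
# capture). It deliberately carries "role" instead of "Role" to exercise the case check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>FortiCloud_ReadOnly</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Attribute names the page says must be present at each hop of the login.
IDP_TO_CUSTOMERSSO1 = ["Username", "Role"]
CUSTOMERSSO1_TO_SUPPORT = ["idp_name", "idp_user_roles", "idp_user_id"]

def parse_assertion(xml_text):
    """Return (Subject NameID, {attribute name: [values]}) from a SAML Response document."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    return (name_id.text if name_id is not None else None), attrs

def check_assertion(xml_text, required, iam_roles=None):
    """List problems: missing Subject, missing attributes, names differing only by case,
    and (when iam_roles is given) Role values with no matching external IdP role (A00R03)."""
    name_id, attrs = parse_assertion(xml_text)
    findings = [] if name_id else ["missing Subject/NameID"]
    by_lower = {k.lower(): k for k in attrs}
    for name in required:
        if name in attrs:
            continue
        if name.lower() in by_lower:  # e.g. "role" sent where "Role" is required
            findings.append(f"attribute {name!r} sent as {by_lower[name.lower()]!r} (case mismatch)")
        else:
            findings.append(f"missing attribute {name!r}")
    if iam_roles is not None:
        for value in attrs.get("Role", []):
            if value not in iam_roles:
                findings.append(f"Role {value!r} has no matching external IdP role in IAM")
    return findings
```

Run the first check against the IdP's POST to customersso1 and the second against the customersso1 POST to support.fortinet.com; a case-mismatch finding points at A00U01 or invalid_response, an unmatched Role value at A00R03.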
If errors continue, please provide a screenshot of the error, the IdP information, and the SAML tracer logs to the Fortinet Inc. team.
FortiCloud errors
After a successful login, you are redirected to support.fortinet.com. The landing page is the FortiCare portal.
The following are errors that may be encountered inside FortiCloud Services.
A00U01 error
If there is an A00U01 error shown, this is mostly caused by a missing or incorrectly spelled Role attribute in the SAML assertion. Make sure that Role is set under the attributes section of the IdP configuration.
Note: Role is case sensitive.
To troubleshoot the A00U01 error:
- Run a SAML tracer. See Verifying SAML assertion values with SAML tracer.
- In the Summary tab, check if the Role attribute is absent. If it is absent:
  - Navigate to the SAML settings of your IdP application.
  - Add the Role information and save the settings.
- Log in again to see if the issue has been resolved. If it has not been resolved, contact Fortinet Inc. Support.
A00R03 error
If there is an A00R03 error shown, this is mostly caused by the value of the Role attribute in the SAML assertion not matching any external IdP role in the FortiCloud IAM portal.
To troubleshoot the A00R03 error:
- Run a SAML tracer to identify the Role attribute. See Verifying SAML assertion values with SAML tracer.
- In the FortiCloud IAM portal, check whether an external IdP role that matches the Role from the SAML tracer exists.
- If the role is missing, create an external IdP role with the same name as the Role attribute. See Adding external IdP roles.
- Log in again to see if the issue has been resolved. If it has not been resolved, contact Fortinet Inc. Support.
A01R08 error
If there is an A01R08 error shown, this is mostly caused by the external IdP role (assigned to the user) not having the permissions needed to access the Asset Management portal.
To troubleshoot the A01R08 error:
- Using the master account, navigate to the IAM portal.
- Review the permission profile assigned to the external IdP role.
- If it does not have permissions for the Asset Management portal, select Asset Management in Add Portal.
- Configure the access level of the role.
- Log in again as the external IdP role to see if the issue has been resolved. If it has not been resolved, contact Fortinet Inc. Support.
SAML login portal errors
Below are possible errors that may be encountered when an IdP redirects to customersso1.fortinet.com.
invalid_response error
The invalid_response error may occur when:
- The wrong ACS or Entity ID URL is used in the SAML assertion. For example, the incorrect use of http versus https, or vice versa.
- The incorrect attributes are provided in the SAML assertion. For example, since the Role attribute is case sensitive, entering role would result in an error.
- The ACS or Entity ID URL was entered in the incorrect place while setting up the IdP.
- The certificate configured in the IdP does not match the certificate provided in the IdP Metadata during enrollment. New Metadata would need to be provided to the Fortinet Inc. team.
invalid_binding error
The invalid_binding error may occur when:
- No attributes are provided in the SAML assertion. For example, the Username or Role attribute is missing.
- No account is bound to the external IdP. Contact the Fortinet Inc. team.
- The ACS URL is called with POST binding but there is no SAML response. The ACS URL generally accepts only HTTP-POST binding.
- The ACS URL is used as the login URL instead of the portal URL.
The option to add an External IdP Role in the FortiCloud IAM portal is missing
After successfully logging into FortiCloud Services, in order to add external IdP roles in the IAM portal, the user account and account ID should be provided to the Fortinet Inc. team in the Enrollment Form during setup. See Enrolling for external IdP.
If there is no External IDP Role option under Add New on the IAM portal Users page, make sure the correct account ID and username were provided to the Fortinet Inc. team. If more FortiCloud users are required to have this permission, please send the list of account IDs and usernames to the Fortinet Inc. team.
The account ID and username can be found when the user is logged into FortiCloud Services and clicks in the top right corner. The dropdown should show a six or seven digit number, which is the account ID.
After the user is given access to the external IdP feature, there will be an External IDP Role option under Add New on the IAM portal Users page. See Adding external IdP roles.
Permission details of an external IdP role display Not Supported for some of the cloud portal permissions even though they are enabled in permission profile
The permission profile is a generic set of permissions that can be used for IAM users, API users, and external IDP roles. The permission details card is marked as Not Supported if the Cloud service does not support external IDP role permissions.