| # | Error / Symptom | Brief context/cause | Refer to |
|---|---|---|---|
| 1 | 'Signature validation failed. SAML Response rejected'. | Certificate mismatch when FortiAuthenticator is acting as IdP proxy and an external IdP (e.g., Azure) provides the upstream signature. Resolution: import the correct IdP signing certificate. | Technical tip: How to fix 'Signature validation failed. SAML Response rejected' error |
| 2 | 'No group info in SAML response'. | FortiAuthenticator IdP not sending the group attribute in the SAML assertion despite the group attribute mapping appearing correct. The article covers attribute name, group filter, and assertion configuration steps on the FortiAuthenticator side. | Troubleshooting Tip: Potential solutions to 'No group info in SAML response' |
| 3 | Cannot change the SAML IdP listening port from 443. | FortiAuthenticator's web server only listens on TCP/443 for SAML IdP. Even if the GUI accepts a different value, it has no effect. The article documents this design limitation. | Technical Tip: FortiAuthenticator SAML IDP default port change |
| 4 | SAML login page stuck in a loop (Captive Portal scenario). | Wireless users trying to access the Captive Portal with SAML authentication get stuck in a redirect loop after the SAML login process. The article covers troubleshooting steps and the resolution path. | Troubleshooting Tip: How to troubleshoot if SAML login page is stuck in a loop |
| 5 | IdP certificate expiring or expired - SAML authentication breaking. | Step-by-step procedure to renew the IdP signing certificate on FortiAuthenticator, update the SAML server configuration on FortiGate, and validate the new chain. Critical for production deployments. | Technical Tip: Updating and validating SAML certificates on FortiAuthenticator as IDP and FortiGate as SP |
| 6 | '403 Forbidden' on SAML IdP authentication. | Known bug in FortiAuthenticator v6.6.1 when the SP SLS (Logout) URL is empty. Fixed in v6.6.2. The article includes a workaround for the affected version. | Troubleshooting Tip: SAML IdP authentication fails with '403 forbidden' error |
| 7 | FortiClient UID is shown instead of the actual username in IPsec dial-up VPN with SAML. | Mismatch between FortiAuthenticator's SAML attribute mapping and the FortiGate IdP/SP configuration. The article documents the correct attribute mapping for both sides. | Troubleshooting Tip: IPsec Dial-up Tunnel with FortiAuthenticator as SAML IDP shows FortiClient UID as username on FortiGate |
| 8 | SAML login page fails to load (FortiSASE with FAC IdP). | FortiSASE-specific scenario where the upstream FortiGate's firewall policy only allows the FortiSASE public IP, but endpoint public IPs are dynamic. The article documents the firewall policy adjustment needed. | Troubleshooting Tip: Troubleshooting SAML Login Page Redirection Failures in FortiSASE with FortiAuthenticator as IdP |
| 9 | SAML authentication fails after FortiOS upgrade to v7.2.12, v7.4.9, or v7.6.4. | Starting from these FortiOS versions, both the SAML assertion and the SAML response must be signed by the IdP - the IdP-side configuration may need to be updated to sign both. Affects all FortiOS deployments using FortiAuthenticator as IdP. | Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4 |
| 10 | SAML session timeout is not enforced for IPsec remote access VPN. | By default, IPsec VPN sessions authenticated via SAML do not enforce a periodic SAML re-authentication. The article describes how to enforce the SAML session timeout on FortiOS v7.4.1+ with FortiAuthenticator as IdP. | Technical Tip: Enforcing SAML session timeout on IPsec remote access VPN |
| 11 | FortiAuthenticator as IdP Proxy - SAML username not forwarded correctly to upstream Entra ID. | When FortiAuthenticator operates as an IdP proxy with Entra ID upstream, the SAML username forwarding behavior must match a specific remote SAML server configuration. The article highlights the common misconfiguration and what to check. | Technical Tip: How FortiAuthenticator Forwards the SAML Username to Azure Entra ID When Acting as an IdP Proxy |
| 12 | SAML/Portal/API service errors after upgrade to FAC v6.6.7 or v8.0.0. | Web service issue specifically affecting upgrades to v6.6.7 and v8.0.0, where services that worked before the upgrade no longer respond correctly. The article documents the resolution. | Technical Tip: FortiAuthenticator SAML/Portal/API returns error 'Forbidden' and code 403 after upgrade to v6.6.7, and v8.0.0 |
12 | SAML/Portal/API service errors after upgrade to FAC v6.6.7 or v8.0.0. | Web service issue specifically affecting upgrades to v6.6.7 and v8.0.0, where services that worked before the upgrade no longer respond correctly. The article documents the resolution. | Technical Tip: FortiAuthenticator SAML/Portal/API returns error 'Forbidden' and code 403 after upgrade to v6.6.7, and v8.0.0 |