nevan
Staff
December 19, 2025

Troubleshooting Tip: FortiGate IKEv2 VPN displays Fortinet default certificate instead of configured SAML certificate

Description

This article explains why, when IPsec IKEv2 is used with SAML authentication (for example, Azure AD as the IdP), VPN endpoints display the Fortinet default factory certificate instead of the certificate configured in the SAML settings.


config user saml
    edit "saml_profile"
        set cert "wildcard_cert"
        set entity-id ".../remote/saml/metadata"
        set single-sign-on-url ".../remote/saml/login"
        set idp-cert "REMOTE_Cert"
    next
end


This behavior is expected and occurs due to the separation between SAML authentication and IKEv2 tunnel authentication on FortiGate.

Scope

FortiGate IPsec IKEv2 with SAML authentication.
Solution

The reason behind the behavior is that FortiGate uses two independent certificates in an IKEv2 SAML deployment.

The first is the SAML Service Provider (SP) certificate, the certificate used for the handshake and authentication process between the IdP and the SP (FortiGate). It is configured under the SAML settings.

CLI:


config user saml
    edit "saml_profile"
        set cert "wildcard_cert"
    next
end

 

This certificate is used only for:

  • Signing SAML authentication requests.

  • Encrypting/decrypting SAML assertions.

  • Trust establishment between FortiGate and the IdP.


The second is the IKEv2 tunnel server certificate, which is the one the endpoint actually sees. It is configured under the phase1-interface settings.


CLI:


config vpn ipsec phase1-interface
    edit "ikev2-saml-vpn"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set certificate "Fortinet_CA"
    next
end

 

This certificate is used for:

  • IKEv2 server authentication.

  • TLS certificate presented to VPN clients.

  • What endpoints display in logs and connection details.
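The following Python script is an added example, not code from this article or from Fortinet: it shows how to confirm the separation described above by parsing the SP metadata that FortiGate publishes at the entity-id URL (.../remote/saml/metadata), extracting the SAML signing certificate, and comparing its SHA-256 fingerprint with the certificate the client reports for the tunnel. The metadata document, the hostname vpn.example.com and both certificate byte strings are constructed placeholders rather than real X.509 certificates; how the tunnel certificate is exported from the client depends on the client software and is not shown here.

```python
"""Added example, not from the Fortinet article: confirm that the SAML SP
certificate and the IKEv2 tunnel certificate are independent objects.

Everything below is constructed for the example: the metadata document,
the hostname vpn.example.com and both certificate byte strings are
placeholders, not real X.509 certificates."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificates.
SP_CERT_DER = b"constructed-wildcard-cert-der"           # 'wildcard_cert' in config user saml
IKE_CERT_DER = b"constructed-fortinet-factory-cert-der"  # what the client sees on the tunnel

# Constructed SP metadata in the shape an SP publishes (FortiGate serves its
# own copy at the entity-id URL). The base64 is line-wrapped on purpose,
# because real metadata often is.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://vpn.example.com/remote/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert_b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vpn.example.com/remote/saml/login"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".format(cert_b64=base64.b64encode(SP_CERT_DER).decode())


def sp_signing_certs(metadata_xml: str) -> list:
    """Return the DER bytes of each signing certificate in SP metadata.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" is skipped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            # Strip the line breaks and indentation that wrap the base64.
            b64 = "".join((node.text or "").split())
            certs.append(base64.b64decode(b64))
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, the value most clients show in certificate details."""
    return hashlib.sha256(der).hexdigest()


def compare_certificates(metadata_xml: str, tunnel_cert_der: bytes) -> str:
    """Classify the tunnel certificate against the SP signing certificate(s).

    'same'        - the tunnel cert is the SAML SP cert
    'independent' - the two are different objects (expected on FortiGate)"""
    sp_fps = {fingerprint(c) for c in sp_signing_certs(metadata_xml)}
    if not sp_fps:
        raise ValueError("no signing certificate found in SP metadata")
    return "same" if fingerprint(tunnel_cert_der) in sp_fps else "independent"


if __name__ == "__main__":
    for label, der in (("SAML SP cert", SP_CERT_DER), ("IKEv2 tunnel cert", IKE_CERT_DER)):
        print(f"{label:18} sha256 {fingerprint(der)}")
    print("result:", compare_certificates(SP_METADATA, IKE_CERT_DER))
```

On a real deployment, save the metadata with a plain HTTPS GET of the entity-id URL and pass the exported tunnel certificate as DER; the "independent" result is the expected outcome this article describes, while "same" would mean the tunnel is presenting the SAML SP certificate, which is not how FortiGate behaves here.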

 

However, the command 'set certificate <cert_name>' is only available when the phase1 authentication method is certificate based; it never appears when the authentication method is pre-shared key. IKEv2 with SAML on FortiGate requires the pre-shared key method, so the administrator cannot select a custom certificate for VPN clients, and FortiGate presents its default factory certificate to the user.

Note:
The following commands can be used to troubleshoot while trying to establish a connection:

diagnose vpn ike log filter rem-addr4 <client_publicIP>
diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable

To disable the debugs after testing:

diagnose debug disable
diagnose debug reset


Related articles:
Technical Tip: FortiGate IPSec Dial-up IKEv2 SAML-based authentication with FortiAuthenticator as IdP

Technical Tip: Configuring a dial-up IPsec VPN with Azure SAML authentication