Dialup IPsec VPN with SAML ADFS configured the same way as a working SSLVPN with SAML ADFS.

Question

I do have a ticket open on this but getting little traction. Hoping I might get better traction here.

My users currently use SSLVPN with SAML to our ADFS server perfectly. I read the docs and created a IPsec config for the users using a new IKE port. I created a new FSSO that only differs from the one used by SSLVPN in the port number. Created a new Relaying Party Trust which is a mirror image for the SSLVPN one (just changed the port number). All of the certs are exactly the same.

When I test and debug I see the username and group coming back to the Fortigate in the debug. Right after that I see:

__samld_sp_login_resp [830]: Failed to process response message. ret=-111(Failed to verify signature.)

Which means its having Cert issues. Not sure I understand how this can be. The certs used on the fortigate are the same for IPsec and SSLVPN. The cert in the Relaying Party Trust is the same between the 2 config. I have verified the signatures of them and the issuer. I have dumped out the ADFS config and verified they are exactly the same except for the Identifier and the port number.

How is it possible that the set of certs work for SSLVPN but fail to verify with IPsec???

Dhruvin_patel · Accepted Answer

Greetings!

The error message "Failed to verify signature" typically indicates a certificate mismatch or misconfiguration in the SAML setup. Here are steps to troubleshoot and resolve the issue:

1. Verify Certificate Configuration:
- Double-check that the correct Identity Provider (IdP) certificate is specified in the FortiGate SAML configuration for the IPsec VPN. Ensure it matches the certificate used for SSL VPN.

2. Check Certificate Trust:
- Ensure that the FortiGate trusts the IdP certificate. Import the IdP's root and intermediate certificates into the FortiGate if necessary.

3. Review SAML Configuration:
- Confirm that the SAML configuration on the FortiGate for IPsec VPN is identical to the SSL VPN configuration, except for the necessary differences (e.g., port number).

4. Inspect ADFS Configuration:
- Verify that the relying party trust in ADFS is correctly configured for the IPsec VPN, including the correct certificate and endpoint settings.

5. Debugging and Logs:
- Use `diag debug application samld -1` on the FortiGate to gather detailed logs and identify any discrepancies in the SAML response.

6. Time Synchronization:- Ensure that the system time on both the FortiGate and the ADFS server is synchronized to avoid clock skew issues.

7. Re-import Certificates:- As a last resort, try re-importing the certificates on both the FortiGate and ADFS to ensure there are no corruption issues.

Regards!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded