SSL VPN SAML Authentication Fails with Error 'Failed to verify signature' Using Casdoor as SAML IDP

The node that receives this signature, that is FortiGate, needs to have the root CA certificate installed which is at the end of the certificate chain that signed the certificate that the IdP has used to create the signature. If there is an intermediate that create that certificate, that may also have to be imported.

I can answer with certainty that my casdoor currently has only one certificate, and this certificate is self-signed by casdoor. I downloaded the certificate and imported it into the Fortinet firewall remote certificate, and also called the certificate in single sign-on.

I also saw the public key certificate sent by Casdoor (SAML IdP) in the firewall debug, but it still prompted Failed to verify signature.

I send the firewall version v7.2.11 build1740 (Mature)

Hi LibiaoRobot, 

 Beginning from v7.2.12, v7.4.9 and v7.6.4, FortiGate verifies the signature of SAML Response messages. See SAML certificate verification in Release Notes. 

You can test this by changing the following settings in the Azure certificate configuration, as described in the following KB article:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firmware/ta-p/407859

Regards,

I have upgraded to version 7.2.12, and my casdoor has also been upgraded to the latest version 2.71.0. casdoor SAMLResponse does sign the response, which is in line with the SAML of Fortinet Firewall 7.2.12 version, but it still reports an error.

tring">pve-role</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
__samld_sp_login_resp [828]: Failed to process response message. ret=-111(Failed to verify signature.)
samld_send_common_reply [91]: Code: 1, id: 3, pid: 299, len: 64, data_len 48
samld_send_common_reply [99]: Attr: 22, 12,
samld_send_common_reply [99]: Attr: 23, 36, Failed to verify signature.
samld_send_common_reply [119]: Sent resp: 64, pid=299, job_id=3.
[299:root:0]epoll saml recv resp error.

Keep in mind that the special case of self-signed certificates and their signatures in general are considered invalid. You will need a CA certificate that creates a server certificate for the IdP. The CA certificates public key must then be imported on the SP, the server certificate with public and private key on the IdP.

Self-signed certificates are a special case for certificates for the chain of certificates is basically one, there is no valid CA certificate, there is no regular server certificate either, despite everything works as the certificate has the correct extensions (sometimes not even that).

I applied for a new domain name certificate from Alibaba Cloud, a domain name registration authority, and imported the public and private keys into the Casdoor SAML IDP. The public key consists of two parts: the Leaf Certificate and the Intermediate CA Certificate. I also imported the same public key certificate into the Fortinet firewall and used it in single sign-on, but the result was the same: "Failed to verify signature."