CaryWells
New Member
October 2, 2025
Question

VPN SSO not working – signature verification errors


Our VPN SSO has stopped working. I attempted the following steps without success:

  • Enabled the signed response option in Google

  • Disabled and re-enabled it

  • Downloaded a new certificate from Google and uploaded it to the FortiGate

Despite these changes, SSO is still failing. The FortiGate logs show the following error:

"__samld_sp_login_resp [828]: Failed to process response message. ret=101(Signature element not found.)"

From what I understand, this may be a known issue. Is there a fix or recommended workaround available?

8 replies

kaman
Staff
October 2, 2025

Hi CaryWells,

Could you please provide your FortiOS and FortiClient versions?

Are you facing the issue after the firmware upgrade?


As you mentioned, you got the following error:

"__samld_sp_login_resp [828]: Failed to process response message. ret=101(Signature element not found.)"


Please refer to the document below for more information:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firmware/ta-p/407859


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

CaryWells (Author)
New Member
October 2, 2025

Happened after a firmware upgrade to firmware 7.2.12(1761)

Happens on both client and the web portal

Did all the things in the article including

  • a new certificate from Google with the checkbox checked
  • deleting the new one and making a new certificate and uploading again.
  • making sure the signed response was on by unchecking, saving, then checking it again and saving

kaman
Staff
October 2, 2025

Hi CaryWells,

Yes, please review the document below and let us know if it helps.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firmware/ta-p/407859


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

CaryWells (Author)
New Member
October 2, 2025

This did not help.

If you look at this Reddit thread you will see I am not the only one this is happening to with Google as the IdP:


https://www.reddit.com/r/fortinet/comments/1noj7xu/update_to_7212_kills_saml_at_several_clients/

kaman
Staff
October 2, 2025

Hi CaryWells,

Starting from FortiOS 7.2.12, 7.4.9, and 7.6.4, FortiGate verifies the signature for SAML response messages. Please turn on Sign SAML response and assertion or similar options in corresponding IDP settings. Lack of signature for signing response messages or assertions may cause authentication to fail.

Please refer to the release note of v7.2.12:

https://docs.fortinet.com/document/fortigate/7.2.12/fortios-release-notes/684249/saml-certificate-verification


When using Google as the IdP, ensure that the 'Signed response' option is selected, as shown in the image below. Selecting this option enforces a signature on the entire SAML response. If this option is not selected, Google will sign only the assertion within the response, which is the default behaviour.

You can also try to upgrade to v7.4.8 and check the behaviour.

Regards,
Aman


CaryWells (Author)
New Member
October 2, 2025

This has been done, as I stated in my first response. We cannot upgrade at this time. This is still not working.

techevo
New Member
October 7, 2025

Unfortunately it's broken with Google: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firmware/ta-p/407859

Important info at the end of the document: Note for Google IdP users: The Google implementation only signs either the assertion or reply based on the 'Signed reply' checkbox but cannot sign both. If 'Signed reply' is unchecked, only the SAML Assertions are signed. If 'Signed reply' is checked, only the SAML Reply is signed. Both will fail since the FortiGate expects both Assertion AND Reply to be signed.


funkylicious
SuperUser
October 9, 2025

hi,

any fixes that can be applied in order to make this work without reverting to a previous version?

"jack of all trades, master of none"
tbarua
Staff
October 9, 2025

Hi,

Google's current implementation of IdP is not compatible with FortiOS (7.6.4/7.4.9/7.2.12) requirements:

  • Signed response enabled: Only the whole Reply element is signed
  • Signed response disabled: Only the Assertion element is signed

But, as per the FOS requirement, BOTH the Reply AND Assertion must be signed.

funkylicious
SuperUser
October 9, 2025

downgrade to 7.2.11 it is then.

"jack of all trades, master of none"
pminarik
Staff
October 9, 2025

Hi, the original recommendation for Google IdP was mistaken.

Neither Signed response enabled nor disabled fulfils the current FortiOS requirements (needing both Reply and Assertion(s) signed), so this is currently unresolvable in 7.4.9. You will need to downgrade to a previous firmware version for the time being. The requirements will be loosened in the next firmware release to ensure compatibility with Google IdP or other potential IdPs that cannot be configured to provide a signature in both elements.
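As an added illustration (not code from this thread, from Fortinet, or from Google), the Python script below parses a SAML 2.0 Response and reports whether the Response element, the Assertion element(s), or both carry a ds:Signature, which is the distinction the staff replies above turn on. It is a presence check only, not a cryptographic verification, and the sample responses it builds are constructed placeholders rather than captures from an IdP.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_coverage(response_xml: str) -> dict:
    """Report which elements of a samlp:Response carry a ds:Signature.
    Presence check only (no crypto). find() looks at direct children, so a
    Signature inside an Assertion is never counted as a signature over the
    whole Response, and vice versa."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_count": len(assertions),
        "all_assertions_signed": bool(assertions) and all(
            a.find("ds:Signature", NS) is not None for a in assertions),
    }

def meets_strict_requirement(cov: dict) -> bool:
    """Rule the thread describes for 7.2.12/7.4.9/7.6.4: both must be signed."""
    return cov["response_signed"] and cov["all_assertions_signed"]

def sample_response(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed minimal Response; Signature elements are empty placeholders."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">'
        % (NS["samlp"], NS["saml"])
        + (sig if sign_response else "")
        + '<saml:Assertion ID="_a1">' + (sig if sign_assertion else "")
        + "<saml:Subject/></saml:Assertion></samlp:Response>"
    )

if __name__ == "__main__":
    # The two Google cases from the thread, plus the shape FortiOS expects.
    for name, doc in [("google default", sample_response(False, True)),
                      ("google signed response", sample_response(True, False)),
                      ("both signed", sample_response(True, True))]:
        cov = signature_coverage(doc)
        print(name, cov, "strict_ok=%s" % meets_strict_requirement(cov))
```

To check a real IdP, paste the base64-decoded SAMLResponse from a browser capture into signature_coverage(); a result with exactly one of the two flags set matches the "Signature element not found" failure described in this thread.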

techevo
New Member
November 5, 2025

FYI, there is hope. The previous document was updated with this info: There is a fix scheduled to be available on the next firmware version (7.2.13, 7.4.10, 7.6.5).