cchiriches
Description: This article describes how to fix the 'Signature validation failed. SAML Response rejected' error.
Scope: FortiAuthenticator 6.X.
Solution

In the event log the error message looks like this:

date=2022-05-11 time=10:53:24+0000 oid=2873 logid=50006 cat="Event" subcat="User Portal" level="information" nas="" action="Login" status="Failed" msg="SAML user authentication failed: invalid_response(Signature validation failed. SAML Response rejected)" user="[Unknown]"


This is most likely caused by a certificate mismatch: the IdP certificate configured on FortiAuthenticator is not the certificate the IdP used to sign the SAML response, so the signature cannot be validated.

Take as an example the following setup: FortiAuthenticator is the IdP proxy and Azure is the IdP.

To resolve it, there are 2 options:

1) Import into FortiAuthenticator the Azure .xml metadata file, which includes the correct certificate.

In the Azure portal, navigate to the Single Sign-On with SAML app, SAML Signing Certificate, Federation Metadata XML, Download.
Upload this file to FortiAuthenticator in the GUI under Auth, Remote Auth Servers, SAML, the Azure server, IdP Metadata, Import IdP metadata.


2) If the .xml metadata file is unavailable, importing only the signing certificate from Azure (the IdP) is sufficient.

In the Azure portal, navigate to the Single Sign-On with SAML app, SAML Signing Certificate, Certificate (Base64), Download.
Upload this certificate to FortiAuthenticator in the GUI under Auth, Remote Auth Servers, SAML, the Azure server, IdP Metadata, IdP certificate fingerprint, Import certificate.
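Before re-importing anything, the mismatch can be confirmed offline by comparing the fingerprint of the certificate currently configured on the SP side with the signing certificate(s) listed in the IdP's federation metadata. The script below is an added example, not part of this article or of FortiAuthenticator; the metadata document and the certificate bytes are constructed stand-ins, and the helper names (`sp_trusts_idp_signer` and the rest) are assumptions of the example.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of DER bytes, the form SAML GUIs display."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pem_to_der(pem: str) -> bytes:
    """Decode a PEM certificate (the 'Certificate (Base64)' download) to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def metadata_signing_fingerprints(metadata_xml: str) -> list[str]:
    """Fingerprints of every signing certificate in the IdP federation metadata.
    A KeyDescriptor without a 'use' attribute is valid for signing too."""
    root = ET.fromstring(metadata_xml)  # use a hardened XML parser for metadata from untrusted sources
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(fingerprint(base64.b64decode("".join((cert.text or "").split()))))
    return fps

def sp_trusts_idp_signer(metadata_xml: str, configured_pem: str) -> bool:
    """True when the certificate configured on the SP is a current IdP signing cert;
    False is the mismatch behind 'Signature validation failed. SAML Response rejected'."""
    return fingerprint(pem_to_der(configured_pem)) in metadata_signing_fingerprints(metadata_xml)

def pem(der: bytes) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

# Constructed stand-ins for DER certificate bytes (not real certificates): the IdP's current
# signing certificate and the previous one still configured on the SP after a rotation.
CURRENT_DER = b"constructed-der-bytes-current-azure-signing-cert"
STALE_DER = b"constructed-der-bytes-previous-azure-signing-cert"
METADATA_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sts.windows.net/constructed-tenant-id/">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}">
  <ds:X509Data><ds:X509Certificate>{base64.b64encode(CURRENT_DER).decode()}</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print("IdP signing fingerprints:", metadata_signing_fingerprints(METADATA_XML))
    print("stale cert trusted?", sp_trusts_idp_signer(METADATA_XML, pem(STALE_DER)))      # False
    print("current cert trusted?", sp_trusts_idp_signer(METADATA_XML, pem(CURRENT_DER)))  # True
```

Replace the constructed values with the downloaded Federation Metadata XML and the certificate exported from FortiAuthenticator; a False result confirms that option 1 or 2 above is needed.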
