FortiGate
Rajneesh
Staff
Article Id 422667
Description This article describes how to extract the IdP certificate sent in the SAML response from the samld debug logs.
Scope FortiGate.
Solution

The example output below contains the certificate texts from the SAML debug logs:


<ds:X509Certificate>[base64-encoded certificate body omitted here]</ds:X509Certificate>


The base64 text between the X509Certificate tags can be copied and pasted into an online certificate decoder such as sslshopper.com and converted into a readable format, as shown in the screenshot below:


[Screenshot 125.png: decoded certificate details shown by the online decoder]


This is useful to validate that the certificate presented by the IdP matches the Remote SAML IdP certificate installed on the FortiGate.
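The same extraction can be done offline, without pasting the certificate into a web tool. The following script is an added example, not part of the original article or Fortinet's tooling: it strips the console timestamps that `diagnose debug console timestamp enable` adds, joins a certificate that the console has wrapped across lines, rebuilds the PEM, and computes the SHA-256 fingerprint to compare with the installed Remote SAML IdP certificate. The debug lines and the certificate body are constructed placeholders, not real samld output or a real certificate.

```python
import base64
import hashlib
import re
import ssl
import textwrap

# Constructed placeholder standing in for the DER body of the IdP certificate;
# it is not a real certificate, only the extraction and fingerprinting are exercised.
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real DER certificate"
_b64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed sample of samld debug output with console timestamps enabled.
# The certificate is deliberately wrapped across two console lines.
SAMPLE_DEBUG = (
    "2024-05-01 10:15:32 samld: parsing SAML response from IdP\n"
    "2024-05-01 10:15:32 <ds:X509Certificate>" + _b64[:30] + "\n"
    "2024-05-01 10:15:32 " + _b64[30:] + "</ds:X509Certificate>\n"
    "2024-05-01 10:15:32 samld: signature verification done\n"
)

TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ", re.M)
CERT_RE = re.compile(r"<(?:ds:)?X509Certificate>(.*?)</(?:ds:)?X509Certificate>", re.S)


def extract_idp_certs(debug_output):
    """Return the DER bytes of every X509Certificate element found in the debug output."""
    # Remove per-line timestamps first so a certificate split across lines joins back up.
    cleaned = TIMESTAMP_RE.sub("", debug_output)
    certs = []
    for b64 in CERT_RE.findall(cleaned):
        # Drop line breaks and spaces introduced by console wrapping before decoding.
        certs.append(base64.b64decode(re.sub(r"\s+", "", b64), validate=True))
    return certs


def to_pem(der):
    """Wrap DER bytes as PEM, the format openssl and most inspection tools expect."""
    return ssl.DER_cert_to_PEM_cert(der)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, same layout as 'openssl x509 -fingerprint -sha256'."""
    return ":".join(textwrap.wrap(hashlib.sha256(der).hexdigest().upper(), 2))


def matches_installed(der, expected_fingerprint):
    """True when the extracted certificate matches the fingerprint of the installed IdP cert."""
    return sha256_fingerprint(der) == expected_fingerprint.upper().replace(" ", "")
```

Feed the captured debug output to `extract_idp_certs` and write `to_pem` output to a file for `openssl x509 -text -noout` when the subject and validity dates are needed.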


The SAML debug log output can be collected using the following commands:


diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable


To disable and reset the debugs afterwards, use the following commands:


diagnose debug disable

diagnose debug reset


The following article can be used for guidance:

Technical Tip: How to read SAML Debug output