FortiGate
kgeorge, Staff
Article Id 281805
Description: This article describes the solution for an issue where SSL VPN users fail to establish a VPN connection with SAML authentication because FortiGate logs the error 'Failed to verify signature'.
Scope: FortiGate using Azure AD as the SAML IdP for SSL VPN authentication.
Solution

The following error appears in the SAML debug output when a user attempts to connect to the VPN. Enable the debug with:

   diagnose debug application saml -1
   diagnose debug enable

The tail of the SAML Response received from the IdP is printed, followed by the failure:

954f-8326f1b10e00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:

SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
__samld_sp_login_resp [842]: Failed to process response message. ret=-111(Failed to verify signature.)

 

This is usually caused by a certificate mismatch: the IdP certificate imported into FortiGate is not the one Azure AD currently signs its SAML responses with, or the certificate that was imported from Azure AD is corrupted (for example, an incomplete or altered download). FortiGate validates the XML signature on the response against the configured IdP certificate, so any difference between the two results in this error.

 

When the Basic SAML Configuration in Azure AD (Entity ID, Reply URL, Sign-on URL or Logout URL) is modified, download the SAML signing certificate from Azure AD again, reinstall it in the Remote Certificate section of FortiGate, and then select it in the SAML configuration. Do not assume the previously imported certificate is still valid.
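To tell a mismatched certificate apart from a corrupted import before re-downloading anything, compare the certificate Azure AD actually presents with the one FortiGate holds. The script below is an added example and is not part of the Fortinet article: it pulls the X509Certificate element that Azure AD embeds in the ds:KeyInfo of its SAML Response (the XML seen in the debug output, or the base64 form a browser SAML trace shows; the IdP federation metadata XML works the same way) and compares its SHA-256 fingerprint with that of the PEM FortiGate holds (the file that was imported, or the certificate string printed by 'show vpn certificate remote'). Only the Python standard library is used, and all certificate bytes and the SAML document are constructed placeholders, not real certificates or a real Azure AD response.

```python
"""Added example (not from the Fortinet article): confirm whether the IdP
certificate installed on FortiGate is the one Azure AD currently signs with,
and flag a corrupted PEM separately from a plain mismatch.
All certificate bytes and XML below are constructed placeholders."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}X509Certificate' -> 'X509Certificate')."""
    return tag.rsplit("}", 1)[-1]


def der_from_pem(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string.
    Raises ValueError if the PEM block is incomplete or its base64 is corrupt."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no complete PEM certificate block found")
    try:
        return base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError as exc:
        raise ValueError(f"corrupt PEM body: {exc}") from exc


def idp_ders_from_saml(text: str) -> list[bytes]:
    """Return the DER bytes of every X509Certificate element in a SAML Response
    or IdP metadata document. Accepts raw XML or the base64 form a browser trace shows."""
    text = text.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    root = ET.fromstring(text)
    return [
        base64.b64decode("".join(el.text.split()), validate=True)
        for el in root.iter()
        if _local(el.tag) == "X509Certificate" and el.text and el.text.strip()
    ]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_idp_cert(saml_text: str, fortigate_pem: str) -> dict:
    """Compare the certificate FortiGate holds with the one(s) the IdP presents."""
    installed = fingerprint(der_from_pem(fortigate_pem))
    presented = [fingerprint(d) for d in idp_ders_from_saml(saml_text)]
    return {"installed": installed, "presented": presented, "match": installed in presented}


# --- constructed sample input (placeholders, not real certificates) ---------
def _pem(der: bytes) -> str:
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


CURRENT_IDP_DER = b"constructed placeholder for the certificate Azure AD signs with now"
STALE_IDP_DER = b"constructed placeholder for the certificate previously imported"

SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<saml:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(CURRENT_IDP_DER).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    "</saml:Assertion></samlp:Response>"
)
SAML_RESPONSE_B64 = base64.b64encode(SAML_RESPONSE.encode()).decode()  # as a browser trace shows it

FORTIGATE_CURRENT_PEM = _pem(CURRENT_IDP_DER)   # what FortiGate should hold after re-import
FORTIGATE_STALE_PEM = _pem(STALE_IDP_DER)       # the mismatch case from the article
FORTIGATE_CORRUPT_PEM = FORTIGATE_CURRENT_PEM.replace("-----END", "", 1)  # truncated download

if __name__ == "__main__":
    print(check_idp_cert(SAML_RESPONSE, FORTIGATE_CURRENT_PEM)["match"])  # True
    print(check_idp_cert(SAML_RESPONSE, FORTIGATE_STALE_PEM)["match"])    # False
    try:
        check_idp_cert(SAML_RESPONSE, FORTIGATE_CORRUPT_PEM)
    except ValueError as e:
        print("corrupt import:", e)
```

If the fingerprints differ, re-download the certificate from Azure AD and import it as described below; if the PEM on the FortiGate side fails to parse, the download or paste was damaged and the same re-import fixes it.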

 

Find the screenshot below for reference on downloading the certificate:

 

[Screenshot: SAML_Certificate.png]

To import the Certificate to FortiGate:

 

In GUI:

Go to System -> Certificates -> Import -> Remote Certificate.

 

[Screenshot: cert 9.PNG]

 

From the CLI, the imported certificate is stored as an object under the following configuration node, and can be listed with 'show vpn certificate remote':

   config vpn certificate remote
       edit "REMOTE_Cert_1"
           set certificate "-----BEGIN CERTIFICATE-----
           ...
           -----END CERTIFICATE-----"
       next
   end

In the GUI, the certificate is listed under the 'Remote Certificate' section.

[Screenshot: certficate.png]
Optional:

The default name for an imported remote certificate is 'REMOTE_Cert_<number>'. To make it easier to distinguish from other certificates, it can be renamed in the CLI:

 

Example: rename REMOTE_Cert_1 to Azure_SAML:


   config vpn certificate remote
       rename REMOTE_Cert_1 to Azure_SAML
   end

In the GUI, the renamed certificate will be located under the 'Remote Certificate' section.

[Screenshot: renamed certificate1.png]

 

Once the remote certificate is imported on the FortiGate, set the IdP certificate in the SAML user configuration to the newly imported certificate; the SAML SP will otherwise keep verifying signatures against the old one.

In CLI:


config user saml
    edit <name>
        set idp-cert "Azure_SAML"
    next
end

In GUI:

Edit the SAML single sign-on entry and select the newly imported certificate as the IdP certificate.

[Screenshot: IDP-cert.png]

After the change, have the user connect again with the SAML debug still enabled; the 'Failed to verify signature' message should no longer appear.