FortiGate
CarlosColombini
Article Id 281682
Description

This article describes a SAML authentication failure that occurs when the IdP is configured to accept only the SHA256 signature algorithm.

FortiGate leverages the SAML Authentication method for several features, such as SSL VPN, Firewall Policies, Wireless, Web Proxy Policies, and Access Proxy Policies.


The Identity Provider (IdP) can validate the Service Provider (SP) certificate and enforce the signature algorithm it will accept.

A common example is ADFS, where the certificate check is enabled by default and the expected signature algorithm also defaults to SHA256.


Starting with FortiOS 7.0, the signature algorithm can be configured as SHA1 or SHA256 (the digest-method setting under config user saml).

However, due to a known issue reported under ID 850473, FortiGate still signs the SAML messages it sends as SP (the authentication request, and therefore what the IdP verifies) with SHA1 even when SHA256 is configured.


On the ADFS side, an Event ID 364 is recorded with the exception below:

Exception details:

Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093:
The message is not signed with expected signature algorithm.
Message is signed with signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1.
Expected signature algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.


win-event.png

In the FortiGate SAML debug output (diagnose debug application samld -1), the URL-encoded SigAlg parameter of the request shows the algorithm actually used, rsa-sha1 instead of the configured rsa-sha256:

SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&


sml-debug-1.png

The IdP therefore rejects the request and returns a SAML response with a non-success status code, which FortiGate logs as:

__samld_sp_login_resp [826]: Failed to process response message. ret=-432(Status code is not success)


saml-error-2.png
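To make the two symptoms above concrete, here is an added Python example; it is not from the Fortinet article or from FortiOS. It builds the HTTP-Redirect binding query string an SP sends, decodes the URL-encoded SigAlg value that the FortiGate debug shows, reproduces the IdP-side algorithm comparison that ADFS reports as MSIS7093, and parses the used and expected URIs out of the Event 364 text. The AuthnRequest, entity IDs, URLs and the Signature value are constructed placeholders; no real RSA signing is performed.

```python
# Added example (not from the Fortinet article): classify the signature
# algorithm a SAML SP actually used, from the two places the article
# points at. The AuthnRequest, query string and event text below are
# constructed for this example.
import base64
import re
import urllib.parse
import zlib

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed AuthnRequest; entity IDs and URLs are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://adfs.example.com/adfs/ls/">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://fortigate.example.com/remote/saml/metadata/</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

# Text of the ADFS Event ID 364 exception quoted in the article.
SAMPLE_EVENT_364 = (
    "Microsoft.IdentityServer.Protocols.Saml."
    "SamlProtocolSignatureAlgorithmMismatchException: MSIS7093:\n"
    "The message is not signed with expected signature algorithm.\n"
    "Message is signed with signature algorithm "
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1.\n"
    "Expected signature algorithm "
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.\n"
)


def redirect_binding_query(authn_request_xml, sig_alg, relay_state=""):
    """Build the query string an SP sends with the HTTP-Redirect binding.

    SAMLRequest is base64(raw DEFLATE(xml)); SigAlg and Signature travel as
    separate URL-encoded parameters. The Signature value is a placeholder,
    not a real RSA signature, since only the algorithm selection matters here.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode())]
    if relay_state:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    params.append(("Signature", base64.b64encode(b"placeholder-signature").decode()))
    return urllib.parse.urlencode(params)


def sigalg_from_query(query):
    """Decode the SigAlg parameter (the FortiGate debug shows it URL-encoded)."""
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    return params.get("SigAlg", [""])[0]


def authn_request_from_query(query):
    """Recover the AuthnRequest XML from the SAMLRequest parameter."""
    encoded = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode()


def check_sp_signature(query, expected=RSA_SHA256):
    """Reproduce the IdP-side check: does the SP's SigAlg match what is expected?"""
    used = sigalg_from_query(query)
    return {
        "used": used,
        "expected": expected,
        "mismatch": used != expected,
        "weak": used == RSA_SHA1,
    }


def parse_adfs_364(message):
    """Extract (used, expected) algorithm URIs from an MSIS7093 event message."""
    used = re.search(r"Message is signed with signature algorithm (\S+)\.", message)
    expected = re.search(r"Expected signature algorithm (\S+)\.", message)
    if not (used and expected):
        return None
    return used.group(1), expected.group(1)


if __name__ == "__main__":
    # What an affected FortiGate build sends even with sha256 configured.
    broken = redirect_binding_query(SAMPLE_AUTHN_REQUEST, RSA_SHA1, "relay1")
    print(check_sp_signature(broken))  # mismatch: True, weak: True
    print(authn_request_from_query(broken)[:40])
    print(parse_adfs_364(SAMPLE_EVENT_364))
    # What a fixed build sends.
    fixed = redirect_binding_query(SAMPLE_AUTHN_REQUEST, RSA_SHA256, "relay1")
    print(check_sp_signature(fixed))  # mismatch: False, weak: False
```

Feeding the SigAlg fragment from a real debug capture into sigalg_from_query (everything from SigAlg= up to the next &) gives the same verdict as the IdP without needing access to the ADFS event log.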


Scope

FortiOS 7.0.12 and earlier, and FortiOS 7.2.5 and earlier.


Solution

FortiOS 7.0.13, 7.2.6, and 7.4.0 include the fix for this issue, as per the Release Notes linked below:
FortiOS 7.0.13 - Release Notes
FortiOS 7.2.6 - Release Notes
FortiOS 7.4.0 - Release Notes


After upgrading to one of the versions that contain the fix, the SAML debug output shows FortiGate signing its requests with SHA256 as configured:

SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&

saml-debug-fix.png


Workaround:

If upgrading is not immediately possible, configure the IdP to accept requests signed with SHA1, as in the ADFS example below. This lowers the signature requirement for that relying party only; because SHA1 is deprecated for signatures, revert the relying party to rsa-sha256 once the FortiGate runs a fixed release.


adfs-samlple.png


Alternatively, run the following PowerShell command on the ADFS server, replacing '<RelyingParty_Name>' with the name of the relying party trust configured for the FortiGate:

Get-AdfsRelyingPartyTrust -Name "<RelyingParty_Name>" | Set-AdfsRelyingPartyTrust -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

Relying party names can be listed with 'Get-AdfsRelyingPartyTrust | Select-Object Name'. The same command with the rsa-sha256 URI restores the default once the workaround is no longer needed.