lvannstruth
Staff
Article Id 337214
Description

This article describes how to resolve invalid certificate errors seen on FortiClient when attempting to authenticate to an SSL VPN or IPsec VPN on a FortiGate with SAML authentication.

Scope

FortiOS.

Solution

When attempting to complete SAML authentication to a VPN on a FortiGate, an error may be displayed indicating the certificate in use is not trusted.

Example error from FortiClient connecting to an SSL VPN with SAML authentication:

[Screenshot omitted: FortiClient error reporting an untrusted certificate]

The steps to check and select which certificate is used for the SAML authentication differ depending on whether an SSL VPN or an IPsec VPN is in use.

SSL VPN.

The certificate used by FortiGate for the SSL VPN will be the same certificate selected as the ‘Server Certificate’ for the SSL VPN. This can be checked on the GUI by going to ‘VPN’ -> ‘SSL-VPN Settings’ and checking the ‘Server Certificate’ field:

[Screenshot omitted: SSL-VPN Settings page with the Server Certificate field]

This can be checked on the CLI using the command ‘show vpn ssl settings | grep servercert’.

[Screenshot omitted: CLI output of show vpn ssl settings | grep servercert]

SSL VPN Resolution.

The server certificate can be set on the GUI under ‘VPN’ -> ‘SSL-VPN Settings’ as seen here:

[Screenshot omitted: selecting the Server Certificate on the SSL-VPN Settings page]

These CLI commands can also be used:


config vpn ssl settings
    set servercert <trusted-certificate>
end

IPsec VPN.

The certificate in use by FortiGate for SAML authentication on an IPsec VPN can be viewed by checking the ‘User & Authentication’ -> ‘Authentication Settings’ on the FortiGate GUI.

FortiGate user certificate visible on the GUI:

[Screenshot omitted: Authentication Settings page showing the user certificate]

Note:
The ‘Authentication Settings’ page under ‘User & Authentication’ may not be visible by default; it can be enabled on the GUI under ‘System’ -> ‘Feature Visibility’. Refer to this document for more information: Feature visibility.

This can also be checked on the FortiGate CLI by using the CLI command ‘show full user setting | grep auth-cert’.

FortiGate authentication certificate visible on the CLI:

[Screenshot omitted: CLI output of show full user setting | grep auth-cert]

IPsec VPN Resolution.

The authentication certificate can be set on the GUI on the previously shown ‘User & Authentication’ -> ‘Authentication Settings’ page.

Setting the correct certificate on the GUI:

[Screenshot omitted: selecting the certificate on the Authentication Settings page]

Or with these CLI commands:


config user setting
    set auth-cert <trusted-certificate>
end
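The following Python script is an added example, not part of the original article and not Fortinet code. It automates the two CLI checks described in the SSL VPN and IPsec VPN sections above by reading a FortiOS configuration export and reporting which certificate ‘config vpn ssl settings’ (servercert) and ‘config user setting’ (auth-cert) reference, and it reproduces the client's trust decision outside FortiClient by opening a TLS connection to the portal with the system CA store and hostname checking enabled. The built-in certificate names in BUILTIN_SELF_SIGNED, the sample configuration and the host/port in the usage comment are assumptions made for the example.

```python
"""Diagnose FortiClient 'invalid certificate' errors on a FortiGate SAML VPN.

Part 1 mirrors the article's CLI checks by reading a FortiOS config export.
Part 2 connects to the portal the way a client does and explains a failed
certificate verification in terms of which FortiGate setting to correct.
"""
import re
import socket
import ssl
from typing import Optional

# Assumption: names of the self-signed certificates FortiOS ships with. A client
# trusts none of them unless its CA store was seeded by hand.
BUILTIN_SELF_SIGNED = {"Fortinet_Factory", "Fortinet_SSL", "Fortinet_GUI_Server"}


def setting_in_section(config: str, section: str, key: str) -> Optional[str]:
    """Return the value of 'set <key>' inside 'config <section> ... end', or None."""
    block = re.search(r"^config " + re.escape(section) + r"\n(.*?)^end\b",
                      config, re.S | re.M)
    if not block:
        return None
    value = re.search(r'^\s*set ' + re.escape(key) + r' "?([^"\n]+?)"?\s*$',
                      block.group(1), re.M)
    return value.group(1) if value else None


def audit_fortios_config(config: str) -> dict:
    """Report which certificates the two SAML-facing settings point at."""
    servercert = setting_in_section(config, "vpn ssl settings", "servercert")
    auth_cert = setting_in_section(config, "user setting", "auth-cert")
    return {
        "ssl_vpn_servercert": servercert,                       # SSL VPN portal
        "ssl_vpn_uses_builtin": servercert in BUILTIN_SELF_SIGNED,
        "ipsec_saml_auth_cert": auth_cert,                      # IPsec SAML portal
        "auth_cert_uses_builtin": auth_cert in BUILTIN_SELF_SIGNED,
    }


def explain_verify_failure(verify_message: str) -> str:
    """Map an OpenSSL verification message to the likely FortiGate-side cause."""
    msg = verify_message.lower()
    if "self" in msg and "signed" in msg:
        return ("portal serves a self-signed certificate (typically the built-in one); "
                "set servercert / auth-cert to a CA-issued certificate")
    if "hostname mismatch" in msg:
        return "certificate SAN/CN does not cover the host name clients connect to"
    if "expired" in msg:
        return "certificate has expired; renew it and reselect it in the VPN settings"
    if "local issuer" in msg:
        return ("chain is incomplete or the client lacks the issuing CA; import the "
                "intermediate with the certificate or distribute the CA to clients")
    return "verification failed for another reason: " + verify_message


def probe_vpn_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect like a client would and report whether the portal certificate is trusted."""
    ctx = ssl.create_default_context()  # system CA store, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"trusted": True, "subject": cert.get("subject"),
                        "san": cert.get("subjectAltName"),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        reason = getattr(exc, "verify_message", str(exc))
        return {"trusted": False, "verify_message": reason,
                "likely_cause": explain_verify_failure(reason)}


# Constructed sample: a trimmed FortiOS 'show' export, not a real device's config.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
end
config user setting
    set auth-cert "Fortinet_Factory"
    set auth-timeout 5
end
"""

if __name__ == "__main__":
    print(audit_fortios_config(SAMPLE_CONFIG))
    # Live check against a real portal (host and port are placeholders):
    # print(probe_vpn_certificate("vpn.example.com", 10443))
```

Run the audit against a `show full-configuration` export taken from the FortiGate; a `True` in either `*_uses_builtin` field means the corresponding portal is presenting a certificate the client has no reason to trust. The probe uses the client-side CA store and hostname verification of the machine it runs on, so a `trusted: False` result with its `likely_cause` shows what FortiClient is objecting to without needing the FortiClient logs.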

Additional Notes:

  • The certificate specified in the SAML server configuration (‘User & Authentication’ -> ‘Single Sign-On’ on the FortiGate GUI) is not the certificate served by the authentication portal. It is the SAML service provider certificate the FortiGate uses when communicating with the SAML identity provider, and it is never presented to the client.
  • The certificate set under ‘User & Authentication’ -> ‘Authentication Settings’ applies to all captive portals and any other authentication configured on the FortiGate.
  • Certificate issues may still be observed during SAML authentication when FortiGate is unable to validate the certificate of the SAML identity provider. Refer to the following document for further information on troubleshooting SAML identity provider certificate issues: Technical Tip: Login issues with SAML IdP. 'Failed to verify signature' error in SAML Debug.
  • For additional information on TLS certificates, refer to this article: Troubleshooting Tip: A guide to FortiGate and certificate issues.