FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lvannstruth
Staff & Editor
Article Id 337214
Description

This article describes how to resolve invalid certificate errors seen on FortiClient when attempting to authenticate to an SSL VPN or IPsec VPN on a FortiGate with SAML authentication.

Scope

FortiOS.

Solution

When attempting to complete SAML authentication to a VPN on a FortiGate, an error may be displayed indicating the certificate in use is not trusted.

Example error from FortiClient connecting to an SSL VPN with SAML authentication:

The steps to check/select which certificate is in use for the SAML authentication vary depending on whether an SSL VPN or an IPsec VPN is in use.

SSL VPN.

The certificate FortiGate presents for the SSL VPN is the certificate selected as the ‘Server Certificate’ in the SSL VPN settings. This can be checked on the GUI by going to ‘VPN’ -> ‘SSL-VPN Settings’ and inspecting the ‘Server Certificate’ field:

This can be checked on the CLI using the command ‘show vpn ssl settings | grep servercert’.

SSL VPN Resolution.

The server certificate can be set on the GUI under ‘VPN’ -> ‘SSL-VPN Settings’ as seen here:

These CLI commands can also be used:

config vpn ssl settings
    set servercert <trusted-certificate>
end

Ensure the same certificate is also selected in the SAML SSO configuration, replacing the default 'Fortinet_Factory' certificate with the newly uploaded one:

To update the certificate from the CLI, use the following commands:

config user saml
    edit "<name of SSO>"
        set cert "<name of new certificate>"
    next
end

IPsec VPN.

For an IPsec VPN there is no server certificate option. The certificate FortiGate uses for SAML authentication on an IPsec VPN can be viewed under ‘User & Authentication’ -> ‘Authentication Settings’ on the FortiGate GUI.

FortiGate user certificate visible on the GUI:

Note:

The ‘Authentication Settings’ page under ‘User & Authentication’ may not be visible by default; it can be enabled on the GUI under ‘System’ -> ‘Feature Visibility’. Refer to this document for more information: Feature visibility.

This can also be checked on the FortiGate CLI with the command ‘show full user setting | grep auth-cert’.

FortiGate authentication certificate visible on the CLI:

IPsec VPN Resolution.

The certificate can be set on the GUI on the ‘User & Authentication’ -> ‘Authentication Settings’ page shown above.

Setting the correct certificate on the GUI:

Or with these CLI commands:

config user setting
    set auth-cert <trusted-certificate>
end

Additional Notes:

  • Make sure the Common Name field of the certificate exactly matches the remote gateway IP or FQDN configured as the Service Provider entity-id under config user saml on the FortiGate.
  • When a DNS proxy is in use in the environment, ensure a forwarding entry is created for both the remote gateway IP and the FQDN; otherwise the same error can be encountered.
  • The certificate specified in the SAML server configuration under ‘User & Authentication’ -> ‘Single Sign-On’ on the FortiGate GUI is not the certificate served in the authentication portal. That option specifies the SAML service provider certificate the FortiGate uses when communicating with the SAML identity provider; it is not presented to the client.
  • The certificate set under ‘User & Authentication’ -> ‘Authentication Settings’ applies to all captive portals and any other authentication configured on the FortiGate.
  • On custom certificates, an RSA key must be in use, as EC keys are not yet supported for the Authentication Settings certificate. EC keys are shorter than RSA keys for comparable security strength, and when one is used FortiGate cannot process and validate the signature. Use the openssl tool to verify the key type shown in the 'Public Key Algorithm' field of the certificate.
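As an added example (not part of this article or Fortinet's tooling), the shell script below uses openssl to run the two checks from the notes above on a PEM certificate before it is uploaded to FortiGate: that the public key algorithm is RSA, and that the gateway FQDN or IP appears in the Common Name or a subjectAltName entry. It assumes openssl 1.1.1 or later on the PATH; the hostname, IP address and the self-signed test certificates it can generate are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: pre-upload checks for a FortiGate
# servercert / auth-cert. Assumes openssl >= 1.1.1 on PATH; names are constructed.

# Print the certificate's public key algorithm (e.g. rsaEncryption or id-ecPublicKey).
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | awk -F': ' '/Public Key Algorithm/ { print $2; exit }'
}

# Succeed only if the key is RSA; EC keys are not supported for auth-cert on FortiGate.
cert_uses_rsa() {
    [ "$(cert_key_algorithm "$1")" = "rsaEncryption" ]
}

# Succeed if the gateway name or IP is the CN, or a DNS/IP subjectAltName entry.
cert_matches_gateway() {
    cert=$1; gw=$2
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$gw" ] && return 0
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF -e "DNS:$gw" -e "IP Address:$gw"
}

# Build a constructed self-signed test cert: $1 output PEM, $2 CN, $3 rsa|ec, $4 optional SAN IP.
make_test_cert() {
    san="subjectAltName=DNS:$2${4:+,IP:$4}"
    if [ "$3" = "rsa" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 \
            -subj "/CN=$2" -addext "$san" >/dev/null 2>&1
    else
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$1.key" -out "$1" -days 1 -subj "/CN=$2" -addext "$san" >/dev/null 2>&1
    fi
}

# Usage: sh check_fgt_cert.sh <cert.pem> <gateway FQDN or IP>
if [ "$#" -eq 2 ]; then
    if cert_uses_rsa "$1"; then echo "key: RSA (ok)"
    else echo "key: $(cert_key_algorithm "$1") (not RSA; FortiGate cannot use it as auth-cert)"; fi
    if cert_matches_gateway "$1" "$2"; then echo "name: $2 found in CN/SAN (ok)"
    else echo "name: $2 not in CN or SAN; FortiClient will report an untrusted certificate"; fi
fi
```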
