FortiGate
Article Id 407859
Description This article describes how to fix the SAML authentication issue that fails after FortiOS firmware upgrade to v7.6.4.
Scope FortiGate v7.6.4.
Solution

Remote access IPsec VPN user or admin user login authentication to FortiGate using SAML Single Sign-On (SSO) fails after upgrading the FortiGate firmware to v7.6.4. The following debug commands can be run on the FortiGate while reproducing the issue from the test user's PC:

  • For Remote Access IPsec VPN using SAML SSO:

   diagnose vpn ike log filter rem-addr4 x.x.x.x <----- x.x.x.x is the client public IP.
   diagnose debug console timestamp enable
   diagnose debug application authd 60
   diagnose debug application fnbamd -1
   diagnose debug application saml -1
   diagnose debug application ike -1
   diagnose debug application eap_proxy -1
   diagnose debug enable


  • For Admin user login authentication using SAML SSO:

   diagnose debug console timestamp enable
   diagnose debug application saml -1
   diagnose debug enable


To stop the debugs:

   diagnose debug disable
   diagnose debug reset


The following error, 'Signature element not found', will be seen in the debugs on the FortiGate:

   IDP sig verify is required for response and assertions
   __samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.)
   samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49
   samld_send_common_reply [101]:     Attr: 22, 12, e
   samld_send_common_reply [101]:     Attr: 23, 37, Signature element not found.
   samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.


The user sees the error 'Firewall Authentication Failed' in the browser:

   [Screenshot saml1.png: 'Firewall Authentication Failed' shown in the browser]


FortiOS v7.6.4 requires both the SAML response and the SAML assertion to be signed, and validates both signatures (see 'IDP sig verify is required for response and assertions' in the debug output). In this case the IdP is not signing the SAML response, so the missing response signature causes the error. Change the IdP setting so that both the SAML response and the assertion are signed.


If Microsoft Entra ID is used as the IdP, select 'Sign SAML response and assertion' as the signing option under Single sign-on -> SAML Certificates -> SAML Signing Certificate, as shown in the screenshot below:

   [Screenshot saml3.png: Entra ID SAML Signing Certificate settings with 'Sign SAML response and assertion' selected]


This will fix the SAML authentication issue, and users will be able to authenticate successfully.
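To confirm what the IdP actually returns before and after changing its signing option, the following Python script (an added example, not part of this article or of FortiOS) inspects a base64-decoded SAML Response and reports whether the Response element and each Assertion carry a ds:Signature element. It checks only for the presence of the element, not the validity of the signature; the SAML Response embedded in it is constructed and the user name in it is made up.

```python
import xml.etree.ElementTree as ET
# Standard SAML 2.0 and XML-DSig namespace URIs.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_status(response_xml: str) -> dict:
    """Report which parts of a decoded SAML Response carry a ds:Signature.
    Presence only, not cryptographic validity. FortiOS v7.6.4 wants both the
    Response and every Assertion signed; response_signed == False matches the
    'Signature element not found' debug message on the FortiGate."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document root is not samlp:Response")
    # A relative find() only matches direct children, so a Signature nested
    # inside an Assertion does not count as the Response's own signature.
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    signed_flags = [a.find("ds:Signature", NS) is not None for a in assertions]
    return {
        "response_signed": response_signed,
        "assertion_count": len(assertions),
        "all_assertions_signed": bool(signed_flags) and all(signed_flags),
    }

def accepted_by_fortios_764(response_xml: str) -> bool:
    """True only when the Response and all its Assertions are signed."""
    status = signature_status(response_xml)
    return status["response_signed"] and status["all_assertions_signed"]

# Constructed sample, not a real IdP capture: a skeletal Signature element
# stands in for the real XML-DSig block so the structure can be checked offline.
SIG = '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/></ds:Signature>' % NS["ds"]

def build_sample(sign_response: bool) -> str:
    """Assertion is always signed; the Response signature is optional."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        % (NS["samlp"], NS["saml"])
        + (SIG if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">' + SIG
        + "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        + "</saml:Assertion></samlp:Response>"
    )

if __name__ == "__main__":
    # Assertion-only signing (the failing case) vs. Response + Assertion signing.
    print(accepted_by_fortios_764(build_sample(False)), accepted_by_fortios_764(build_sample(True)))
```

To run it against a real login, base64-decode the SAMLResponse form parameter captured in the browser and pass the resulting XML string to accepted_by_fortios_764().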