Description | This article describes how to resolve the SAML authentication issue that occurs after upgrading to v7.6.4 and v7.2.12. |
Scope | FortiGate v7.6.4, v7.2.12. |
Solution |
Beginning from v7.2.12 and v7.6.4, FortiGate verifies the signature of SAML Response messages. See SAML certificate verification in Release Notes.
After the upgrade, SAML authentication when using FortiGate as the Service Provider (e.g., for IPsec/SSL VPN, FortiGate administrator logins, SAML captive portal) may fail. The below debugs can be run on the FortiGate while reproducing the issue from the test user's PC:
diagnose debug console timestamp enable diagnose debug application samld -1 diagnose debug enable
To stop the debugs:
diagnose debug disable diagnose debug reset
The following error, 'Signature element not found', will be seen in the debugs on the FortiGate:
IDP sig verify is required for response and assertions __samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.) samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49 samld_send_common_reply [101]: Attr: 22, 12, e samld_send_common_reply [101]: Attr: 23, 37, Signature element not found. samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.
The user can see the error below ('Firewall Authentication Failed') in the browser:
A behavior at SSL VPN, over the FortiClient, after connecting, the percentage of the process will get stuck on 'Status: 40%':
After the upgrade, both the SAML assertion and the response must be signed, not just the SAML assertion. 'Signature element not found' indicates no signature was provided. To resolve the authentication issue, change the setting in IDP to enable 'SAML response and Assertion' signing.
If Microsoft Entra ID is used as IdP, select 'Sign SAML response and Assertion' for the signing option under Single sign-on -> SAML Certificates -> SAML Signing Certificate, as shown in the screenshot below:
When using Google as the IdP, ensure that the 'Signed response' option is selected, as shown in the image below. Selecting this option enforces a signature on the entire SAML response. If this option is not selected, Google will sign only the assertion within the response, which is the default behavior.
This will fix the SAML authentication issue, and users will be able to authenticate successfully.
Related articles: Technical Tip: Login issues with SAML IdP. 'Failed to verify signature' error in SAML Debug Troubleshooting Tip: How to troubleshoot IPsec SAML Dial UP tunnel |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.