Created on 08-24-2025 05:05 AM
Edited on 08-27-2025 10:31 PM
By Jean-Philippe_P
Description | This article describes how to fix SAML authentication that fails after a FortiOS firmware upgrade to v7.6.4. |
Scope | FortiGate v7.6.4. |
Solution |
SAML Single Sign-On (SSO) authentication to the FortiGate, for remote access IPsec VPN users or admin user logins, fails after the FortiGate firmware is upgraded to v7.6.4. Run the following debugs while reproducing the issue from the test user's PC:
diagnose vpn ike log filter rem-addr4 x.x.x.x    <----- x.x.x.x is the client public IP.
diagnose debug console timestamp enable
diagnose debug application authd 60
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable

diagnose debug console timestamp enable
diagnose debug application saml -1
diagnose debug enable
To stop the debugs:
diagnose debug disable
diagnose debug reset
The following error, 'Signature element not found', will be seen in the debugs on the FortiGate:
IDP sig verify is required for response and assertions
__samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.)
samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49
samld_send_common_reply [101]: Attr: 22, 12, e
samld_send_common_reply [101]: Attr: 23, 37, Signature element not found.
samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.
The user sees the error 'Firewall Authentication Failed' in the browser.
Signature validation is required on both the SAML response and the SAML assertion. In this case the response is not signed, which results in the error. Change the setting on the IdP to sign both the SAML response and the assertion.
If Microsoft Entra ID is used as the IdP, select 'Sign SAML response and Assertion' for the signing option under Single sign-on -> SAML Certificates -> SAML Signing Certificate.
This will fix the SAML authentication issue, and users will be able to authenticate successfully.