| Description | This article describes how to resolve the SAML authentication issue that occurs after upgrading to v7.2.12, v7.4.9 or v7.6.4. |
| Scope | FortiGate v7.2.12, v7.4.9, v7.6.4. |
| Solution |
Beginning from v7.2.12, v7.4.9 and v7.6.4, FortiGate verifies the signature of SAML Response messages. See SAML certificate verification in Release Notes. Note that this also includes the FIPS-CC CVE-Patched builds for FortiOS 7.2, such as FIPS-CC-72-5 and onward.
After the upgrade, SAML authentication when using FortiGate as the Service Provider (e.g., for IPsec/SSL VPN, FortiGate administrator logins, SAML captive portal) may fail. The below debugs can be run on the FortiGate while reproducing the issue from the test user's PC:
diagnose debug console timestamp enable diagnose debug application samld -1 diagnose debug enable
To stop the debugs:
diagnose debug disable diagnose debug reset
The following error, 'Signature element not found', will be seen in the debugs on the FortiGate:
IDP sig verify is required for response and assertions __samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.) samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49 samld_send_common_reply [101]: Attr: 22, 12, e samld_send_common_reply [101]: Attr: 23, 37, Signature element not found. samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.
The user can see the error below ('Firewall Authentication Failed') in the browser:
A behavior at SSL VPN, over the FortiClient, after connecting, the percentage of the process will get stuck on 'Status: 40%':
After the upgrade, both the SAML assertion and the response must be signed, not just the SAML assertion. 'Signature element not found' indicates no signature was provided. To resolve the authentication issue, change the setting in IDP to enable 'SAML response and Assertion' signing.
If Microsoft Entra ID is used as IdP, select 'Sign SAML response and Assertion' for the signing option under Single sign-on -> SAML Certificates -> Select Edit -> SAML Signing Certificate, as shown in the screenshot below:
This will fix the SAML authentication issue, and users will be able to authenticate successfully.
Note for Google IdP users: The Google implementation only signs either the assertion or reply based on the 'Signed reply' checkbox, but cannot sign both. If 'Signed reply' is unchecked, only the SAML Assertions are signed. If 'Signed reply' is checked, only the SAML Reply is signed. Both will fail since the FortiGate expects both Assertion AND Reply to be signed. The workaround is to downgrade to the previous firmware version. There is a fix scheduled to be available on the next firmware version (7.2.13, 7.4.10, 7.6.5).
The signatures can be verified in SAML Debug as follows: To ensure that the entire Response is signed, it must include a <Signature> element, which is typically placed near the top of the Response. If the Assertion itself needs to be signed, a separate <Signature> element must be included within the <Assertion> sub-element, usually positioned near the top of the <Assertion>.
When Cisco Duo is used as the Identity Provider (IdP), ensure that both the ‘Sign response’ and ‘Sign assertion’ options are selected as shown in the screenshot below.
To configure this:
One potential mitigation strategy involves reverting to a previous firmware version, which may offer more stable performance under current conditions. While it is not a definitive fix, this approach could serve as a temporary workaround until a more permanent resolution is identified.
For more information, see this document: Set up your own custom SAML app.
Related articles: Technical Tip: Login issues with SAML IdP. 'Failed to verify signature' error in SAML Debug Troubleshooting Tip: How to troubleshoot IPsec SAML Dial UP tunnel |
