Created on 08-24-2025 05:05 AM, edited on 12-18-2025 06:04 AM, by Jean-Philippe_P
| Description | This article describes how to resolve the SAML authentication issue that occurs after upgrading to v7.2.12, v7.4.9, or v7.6.4. |
| Scope | FortiGate v7.2.12, v7.4.9, v7.6.4. |
| Solution |
Beginning from v7.2.12, v7.4.9, and v7.6.4, FortiGate verifies the signature of SAML Response messages, in addition to SAML assertions. See SAML certificate verification in Release Notes. This also includes the FIPS-CC CVE-Patched builds for FortiOS v7.2, such as FIPS-CC-72-5 and onward.
Update: As per Change #1196434, the following FortiOS versions add a CLI option that allows administrators to control signature verification for SAML responses and assertions: v7.6.5, v7.4.10, v7.2.13, v7.0.18, and all later versions. The new CLI option is displayed below and allows administrators to select between requiring both the response and the assertion to be signed (enable, set by default) OR requiring that at least one of the two is signed (disable). More information can be found in the FortiOS Release Notes, and the original article continues below:
config user saml
    edit <name>
        set require-signed-resp-and-asrt <enable | disable>
    next
end
After the upgrade, SAML authentication when using FortiGate as the Service Provider (e.g., for IPsec/SSL VPN, FortiGate administrator logins, SAML captive portal) may fail. The following debug commands can be run on the FortiGate while reproducing the issue from the test user's PC:
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable
To stop the debugs:
diagnose debug disable
diagnose debug reset
The following error, 'Signature element not found', will be seen in the debugs on the FortiGate:
IDP sig verify is required for response and assertions
__samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.)
samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49
samld_send_common_reply [101]: Attr: 22, 12, e
samld_send_common_reply [101]: Attr: 23, 37, Signature element not found.
samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.
The user can see one of the errors below in the browser:
In certain scenarios, the SAML authentication process redirects users back to the SAML login page immediately after they complete the Multi-Factor Authentication step. When trying to sign in with Security Fabric on the FortiGate as an administrator, the following error appears on the GUI. The SAML debug logs show the same error previously mentioned:
When connecting via FortiClient SSL VPN, the connection will reach 'Status: 40%' and then fail with an error message stating 'Credential or SSLVPN configuration is wrong. (-7200)':
After the upgrade, both the SAML assertion and the response must be signed, not just the SAML assertion. 'Signature element not found' indicates that the signature was not provided. To resolve this issue, the SAML IdP must be configured to enable signing of both SAML responses and assertions. Note that it is safe to enable this on the IdP both before and after upgrading firmware on the FortiGate, as earlier FortiOS versions (such as FortiOS v7.2.10, v7.4.8, and v7.6.3) already supported signed responses and assertions.
The signatures can be verified in SAML Debug as follows: To ensure that the entire Response is signed, it must include a <Signature> element, which is typically placed near the top of the Response. If the Assertion itself needs to be signed, a separate <Signature> element must be included within the <Assertion> sub-element, usually positioned near the top of the <Assertion>.
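As an added example (not part of the Fortinet article), the Python script below applies the two checks just described to a SAML Response, either raw XML or the base64 SAMLResponse value a browser posts, and reports whether the FortiGate would accept it under the require-signed-resp-and-asrt setting from the 'Update' note above. It checks only for the presence and placement of the <Signature> elements, not their cryptographic validity, and all XML samples are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIG = "{%s}Signature" % NS["ds"]
ASSERTION = "{%s}Assertion" % NS["saml"]


def signature_presence(saml_response):
    """Return (response_signed, assertion_signed) for a SAML Response.

    Accepts raw XML or the base64 string posted as SAMLResponse. Only the
    presence of <ds:Signature> elements is checked; the FortiGate additionally
    verifies each signature against the IdP certificate.
    """
    if not saml_response.lstrip().startswith("<"):
        saml_response = base64.b64decode(saml_response).decode("utf-8")
    root = ET.fromstring(saml_response)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # A signed Response carries <Signature> as a direct child of <Response>;
    # a signature inside <Assertion> does not count for the Response.
    response_signed = root.find(SIG) is not None
    assertions = root.findall(ASSERTION)
    assertion_signed = bool(assertions) and all(a.find(SIG) is not None for a in assertions)
    return response_signed, assertion_signed


def fortigate_accepts(saml_response, require_both=True):
    """Mirror require-signed-resp-and-asrt: enable -> both, disable -> at least one."""
    resp, asrt = signature_presence(saml_response)
    return (resp and asrt) if require_both else (resp or asrt)


# Constructed sample (not a real IdP capture); signature bodies are omitted.
_SIG = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'

def sample_response(sign_response, sign_assertion, as_base64=False):
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        + (_SIG if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">' + (_SIG if sign_assertion else "")
        + "<saml:Issuer>https://idp.example.test</saml:Issuer></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode() if as_base64 else xml
```

The case with only the Assertion signed corresponds to the Google 'Signed reply' unchecked scenario described later in the article and is rejected with the default setting.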
This will fix the SAML authentication issue, and users will be able to authenticate successfully.
Google IdP users. The Google implementation only signs either the assertion or reply based on the 'Signed reply' checkbox, but cannot sign both. If 'Signed reply' is unchecked, only the SAML Assertions are signed. If 'Signed reply' is checked, only the SAML Reply is signed. Both will fail since the FortiGate expects both Assertion AND Reply to be signed. The workaround is to downgrade to v7.2.11, v7.4.8, or v7.6.3. There is a fix scheduled to be available on the next firmware version (v7.2.13, v7.4.10, v7.6.5; see 'Update' note at the top of the article).
Cisco DUO. When Cisco Duo is used as the Identity Provider (IdP), ensure that both the ‘Sign response’ and ‘Sign assertion’ options are selected as shown in the screenshot below.
To configure this:
Reverting to a previous firmware version is a possible temporary workaround. It is not a definitive fix and should only be used until the permanent resolution (see the 'Update' note at the top of the article) is available.
For more information, see this document: Set up your own custom SAML app.
For JumpCloud SAML, ensure 'Assertion and Response' is selected.
Active Directory Federation Services (AD FS). AD FS uses Relying Party Trust for SAML. To check the signing option of the Relying Party Trust, use the command below and look for 'SamlResponseSignature'.
Get-AdfsRelyingPartyTrust -name <Relying Party Trust Name>
Execute the following command on AD FS PowerShell to ensure that the message and assertion are signed.
Set-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Name> -SamlResponseSignature "MessageAndAssertion"
FortiIdentity Cloud: If FortiIdentity Cloud is used as an IDP, log in to FortiIdentity Cloud -> Applications -> SSO -> Select Triple dots icon -> Select Edit -> Select Interface Detail -> Toggle 'Sign SAML response' to enable it.
Note: If the issue remains the same after changing the response and assertion, ensure that the certificate has been updated correctly according to this KB article: Technical Tip: SSL VPN SAML Authentication Fails with Error 'Failed to verify signature'.
Note: If the IDP used is Identity360, SAML authentication may still fail with the same error 'Failed to verify signature' even though both Response and Assertions are set to be signed at the IDP. In that case, verify that the 'Canonicalization Method' is set to 'Exclusive Canonicalization' instead of 'Exclusive Canonicalization With Comments'.
See below:
Related articles:
- Technical Tip: Login issues with SAML IdP. 'Failed to verify signature' error in SAML Debug
- Troubleshooting Tip: How to troubleshoot IPsec SAML Dial UP tunnel |
Copyright 2025 Fortinet, Inc. All Rights Reserved.