Article Id 407859
Description This article describes how to resolve the SAML authentication issue that occurs after upgrading to v7.6.4 and v7.2.12.
Scope FortiGate v7.6.4, v7.2.12.
Solution

Beginning with v7.2.12 and v7.6.4, FortiGate verifies the signature of SAML Response messages (see 'SAML certificate verification' in the Release Notes).

After the upgrade, SAML authentication with FortiGate acting as the Service Provider (e.g., for IPsec/SSL VPN, FortiGate administrator logins, or the SAML captive portal) may fail. The following debug commands can be run on the FortiGate while the test user reproduces the issue from their PC:

   diagnose debug console timestamp enable
   diagnose debug application samld -1
   diagnose debug enable

To stop the debugs:

   diagnose debug disable
   diagnose debug reset

The following error, 'Signature element not found', will be seen in the samld debug output on the FortiGate:

   IDP sig verify is required for response and assertions
   __samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.)
   samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49
   samld_send_common_reply [101]:     Attr: 22, 12, e
   samld_send_common_reply [101]:     Attr: 23, 37, Signature element not found.
   samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.

The user sees the error below ('Firewall Authentication Failed') in the browser:

[Screenshot: browser page showing 'Firewall Authentication Failed']

With SSL VPN over FortiClient, the connection progress gets stuck at 'Status: 40%' after the user connects:

[Screenshot: FortiClient SSL VPN connection stuck at 'Status: 40%']

 

After the upgrade, both the SAML Assertion and the SAML Response must be signed, not just the Assertion. 'Signature element not found' indicates that no signature was found on the Response. To resolve the authentication issue, change the signing setting on the IdP to sign both the SAML Response and the Assertion.
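As an added example (not Fortinet's code), the following Python script inspects a SAML Response (for instance the base64 SAMLResponse value captured from the browser) and reports whether the Response element and its Assertion each carry a ds:Signature, which is the condition the upgraded FortiGate enforces. It checks signature presence only, not cryptographic validity, and the sample messages it builds are constructed for testing.

```python
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 / XML-DSig namespace URIs (not page-specific values).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse POST parameter captured from the browser."""
    return base64.b64decode(form_value).decode("utf-8")

def signature_status(response_xml: str) -> dict:
    """Report which elements carry a direct ds:Signature child (presence only, not validity)."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element: %s" % root.tag)
    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_count": len(assertions),
        "assertions_signed": bool(assertions)
        and all(a.find("ds:Signature", NS) is not None for a in assertions),
        # An encrypted assertion cannot be inspected without the SP private key.
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
    }

def expected_error(response_xml: str):
    """Mirror the post-upgrade check: the Response element itself must be signed."""
    if not signature_status(response_xml)["response_signed"]:
        return "Signature element not found."
    return None

def sample_response(sign_response: bool, sign_assertion: bool) -> str:
    """Build a constructed, minimal SAML Response for testing (not a real IdP message)."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>'
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
        f'<saml:Issuer>https://idp.example.test</saml:Issuer>{sig if sign_response else ""}'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test</saml:Issuer>'
        f'{sig if sign_assertion else ""}<saml:Subject><saml:NameID>user@example.test</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )

if __name__ == "__main__":
    print(expected_error(sample_response(False, True)))  # assertion-only signing, the IdP default
```

Running it against a real capture (decode_saml_response on the SAMLResponse form value) before upgrading shows whether the IdP already signs the Response or still needs the setting change described below.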

 

If Microsoft Entra ID is used as the IdP, select 'Sign SAML response and assertion' as the signing option under Single sign-on -> SAML Certificates -> SAML Signing Certificate, as shown in the screenshot below:

[Screenshot: Entra ID SAML Signing Certificate settings with 'Sign SAML response and assertion' selected]

 

When using Google as the IdP, ensure that the 'Signed response' option is selected, as shown in the image below. Selecting this option enforces a signature on the entire SAML response. If this option is not selected, Google signs only the assertion within the response, which is the default behavior.

[Screenshot: Google IdP settings with 'Signed response' selected]

 

This resolves the SAML authentication issue, and users will be able to authenticate successfully.

Related articles:

Technical Tip: Login issues with SAML IdP. 'Failed to verify signature' error in SAML Debug

Troubleshooting Tip: How to troubleshoot IPsec SAML Dial UP tunnel