Beginning from v7.2.12, v7.4.9 and v7.6.4, FortiGate verifies the signature of SAML Response messages. See SAML certificate verification in Release Notes. 

After the upgrade, SAML authentication when using FortiGate as the Service Provider (e.g., for IPsec/SSL VPN, FortiGate administrator logins, SAML captive portal) may fail. The below debugs can be run on the FortiGate while reproducing the issue from the test user's PC:

   diagnose debug console timestamp enable

   diagnose debug application samld -1

   diagnose debug enable

To stop the debugs:

   diagnose debug disable

   diagnose debug reset

The following error, 'Signature element not found', will be seen in the debugs on the FortiGate:

   IDP sig verify is required for response and assertions

__samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.)

samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49

samld_send_common_reply [101]:     Attr: 22, 12, e

samld_send_common_reply [101]:     Attr: 23, 37, Signature element not found.

samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.

The user can see the error below ('Firewall Authentication Failed') in the browser:

A behavior at SSL VPN, over the FortiClient, after connecting, the percentage of the process will get stuck on 'Status: 40%':

After the upgrade, both the SAML assertion and the response must be signed, not just the SAML assertion. 'Signature element not found' indicates no signature was provided. To resolve the authentication issue, change the setting in IDP to enable 'SAML response and Assertion' signing.

If Microsoft Entra ID is used as IdP, select 'Sign SAML response and Assertion' for the signing option under Single sign-on -> SAML Certificates -> Select Edit -> SAML Signing Certificate, as shown in the screenshot below:

Note for Google IdP users: The Google implementation only signs either the assertion or reply based on the 'Signed reply' checkbox, but cannot sign both. If 'Signed reply' is unchecked, only the SAML Assertions are signed. If 'Signed reply' is checked, only the SAML Reply is signed. Both will fail since the FortiGate expects both Assertion AND Reply to be signed.

When Cisco Duo is used as the Identity Provider (IdP), ensure that both the ‘Sign response’ and ‘Sign assertion’ options are selected as shown in the screenshot below.

To configure this:

1. Navigate to: Applications -> Select the SSO Application -> Scroll down to SAML Response settings.

2. Under Signing options, select both:

   • Sign response.

   • Sign assertion.
                                                                   

One potential mitigation strategy involves reverting to a previous firmware version, which may offer more stable performance under current conditions. While it is not a definitive fix, this approach could serve as a temporary workaround until a more permanent resolution is identified.

For more information, see this document: Set up your own custom SAML app.

Related articles:

• Technical Tip: Login issues with SAML IdP. 'Failed to verify signature' error in SAML Debug
• Troubleshooting Tip: How to troubleshoot IPsec SAML Dial UP tunnel