FortiPortal
FortiPortal provides a comprehensive set of security management and analytics within a multi-tenant, multi-tier management framework.
ojacinto (Staff)
Article Id 257654
Description This article describes how to identify if 'SSO' SAML responses and assertions are signed on IdP using FortiPortal debug logs.
Scope FortiPortal version 7.0.0 and later.
Solution

After the remote authentication 'SSO' settings have been configured on both the IdP and the FortiPortal side according to the following link:

https://docs.fortinet.com/document/fortiportal/7.0.2/administration-guide/547386/remote-authenticati... 

the user tries to log in to FortiPortal using remote authentication and may receive the following error:


Authentication Error
Access Denied
Signature missing for response

(Screenshot: SAML.png, the 'Authentication Error' page shown above)


On FortiPortal debug logs the following messages are shown:

2023-01-31 15:05:41,717 [saml2.entity:entity.py:288 apply_binding()] - INFO - HTTP POST
2023-01-31 15:06:18,566 [saml2.entity:entity.py:1498 _parse_response()] - ERROR - Signature Error: Signature missing for response
2023-01-31 15:06:18,567 [saml2.client_base:client_base.py:850 parse_authn_request_response()] - ERROR - XML parse error: Signature missing for response
2023-01-31 15:06:18,567 [fortiportal.systems.authentication.saml.views:views.py:151 _post()] - INFO - Invalid or malformed SAML Assertion.
Traceback (most recent call last):
File "/src/apps/fortiportal/systems/authentication/saml/views.py", line 132, in _post
response = client.parse_authn_request_response(
File "/usr/local/lib/python3.9/site-packages/saml2/client_base.py", line 841, in parse_authn_request_response
resp = self._parse_response(
File "/usr/local/lib/python3.9/site-packages/saml2/entity.py", line 1495, in _parse_response
response = response.loads(xmlstr, False, origxml=xmlstr)
File "/usr/local/lib/python3.9/site-packages/saml2/response.py", line 528, in loads
self._loads(xmldata, decode, origxml)
File "/usr/local/lib/python3.9/site-packages/saml2/response.py", line 344, in _loads
self.response = self.signature_check(
File "/usr/local/lib/python3.9/site-packages/saml2/sigver.py", line 1694, in correctly_signed_response
raise SignatureError('Signature missing for response')
saml2.sigver.SignatureError: Signature missing for response
2023-01-31 15:06:18,573 [django.request:log.py:224 log_response()] - WARNING - Forbidden: /fpc/saml/SSO


The above messages mean that the IdP is returning an unsigned SAML response, i.e. the 'Sign SAML response and assertion' option is not enabled on the IdP side.

FortiPortal will only accept signed IdP responses and assertions.


(Screenshot: SAML1.jpg, the IdP signing option)


The next step is to enable the option 'Sign SAML response and assertion' on the IdP and verify again that remote authentication on FortiPortal works as expected.

For example, for an Azure AD IdP, see the following link:

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-signing-options 

The above link shows that the Azure AD IdP offers the following options:

- Sign SAML assertion.

- Sign SAML response.

- Sign SAML response and assertion <----- This is the necessary option to use on IdP side.
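The following diagnostic is an added example, not FortiPortal or pysaml2 code: it decodes a base64 SAMLResponse and reports which of the three IdP signing options above it reflects, by checking whether a ds:Signature element is present directly under samlp:Response and directly under saml:Assertion. The sample responses are constructed, with an empty placeholder ds:Signature standing in for a real signature, and the script only checks presence; it does not validate signatures, which FortiPortal does against the IdP certificate.

```python
# Added diagnostic (not FortiPortal/pysaml2 code): which IdP signing option does a
# SAMLResponse reflect? Presence check only, no signature validation.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signing_mode(saml_response_b64: str) -> str:
    """Return 'response and assertion', 'response', 'assertion' or 'none'."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    # Response-level signature: ds:Signature as a direct child of samlp:Response.
    response_signed = root.find("ds:Signature", NS) is not None
    # Assertion-level signature: ds:Signature as a direct child of saml:Assertion.
    # An EncryptedAssertion cannot be inspected this way and counts as unsigned here.
    assertion = root.find("saml:Assertion", NS)
    assertion_signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
    if response_signed and assertion_signed:
        return "response and assertion"
    if response_signed:
        return "response"
    if assertion_signed:
        return "assertion"
    return "none"

def accepted_by_fortiportal(saml_response_b64: str) -> bool:
    """FortiPortal only accepts responses where response AND assertion are signed."""
    return signing_mode(saml_response_b64) == "response and assertion"

def _sample(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed sample response; <ds:Signature/> is a placeholder, not a real signature."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        '%s<saml:Assertion ID="_a1" Version="2.0">%s'
        '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], sig if sign_response else "", sig if sign_assertion else "")
    return base64.b64encode(xml.encode()).decode()

UNSIGNED = _sample(False, False)      # the case behind "Signature missing for response"
FULLY_SIGNED = _sample(True, True)    # "Sign SAML response and assertion" enabled

if __name__ == "__main__":
    for name, resp in (("unsigned", UNSIGNED), ("fully signed", FULLY_SIGNED)):
        print(name, "->", signing_mode(resp), "| accepted:", accepted_by_fortiportal(resp))
```

To use it on a real login attempt, paste the base64 SAMLResponse value from the browser's POST to /fpc/saml/SSO into signing_mode().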
