systemgeek
Contributor

Dialup IPsec VPN with SAML ADFS configured the same way as a working SSLVPN with SAML ADFS.

I do have a ticket open on this but am getting little traction. Hoping I might get better traction here.


My users currently use SSLVPN with SAML to our ADFS server perfectly. I read the docs and created an IPsec config for the users using a new IKE port. I created a new FSSO that only differs from the one used by SSLVPN in the port number. Created a new Relying Party Trust which is a mirror image of the SSLVPN one (just changed the port number). All of the certs are exactly the same.


When I test and debug I see the username and group coming back to the FortiGate in the debug. Right after that I see:

__samld_sp_login_resp [830]: Failed to process response message. ret=-111(Failed to verify signature.)


Which means it's having cert issues. Not sure I understand how this can be. The certs used on the FortiGate are the same for IPsec and SSLVPN. The cert in the Relying Party Trust is the same between the 2 configs. I have verified the signatures of them and the issuer. I have dumped out the ADFS config and verified they are exactly the same except for the Identifier and the port number.


How is it possible that the set of certs work for SSLVPN but fail to verify with IPsec???

Dhruvin_patel

Greetings!


The error message "Failed to verify signature" typically indicates a certificate mismatch or misconfiguration in the SAML setup. Here are steps to troubleshoot and resolve the issue:


1. Verify Certificate Configuration:
- Double-check that the correct Identity Provider (IdP) certificate is specified in the FortiGate SAML configuration for the IPsec VPN. Ensure it matches the certificate used for SSL VPN.


2. Check Certificate Trust:
- Ensure that the FortiGate trusts the IdP certificate. Import the IdP's root and intermediate certificates into the FortiGate if necessary.


3. Review SAML Configuration:
- Confirm that the SAML configuration on the FortiGate for IPsec VPN is identical to the SSL VPN configuration, except for the necessary differences (e.g., port number).


4. Inspect ADFS Configuration:
- Verify that the relying party trust in ADFS is correctly configured for the IPsec VPN, including the correct certificate and endpoint settings.


5. Debugging and Logs:
- Use `diag debug application samld -1` on the FortiGate to gather detailed logs and identify any discrepancies in the SAML response.


6. Time Synchronization:
- Ensure that the system time on both the FortiGate and the ADFS server is synchronized to avoid clock skew issues.


7. Re-import Certificates:
- As a last resort, try re-importing the certificates on both the FortiGate and ADFS to ensure there are no corruption issues.


Regards!

Dhruvin Patel
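As an added example (not code from this thread, from Fortinet or from ADFS), the following Python script does the comparison that step 1 of the reply asks for: it pulls every X509Certificate embedded in the ds:Signature of a SAML Response (the same XML the samld debug prints) and compares its SHA-256 fingerprint against the IdP certificate configured on the SP. The SAML Response and the certificate bytes below are constructed placeholders, not real certificates, so the script only needs the standard library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER-encoded certificate bytes, colon-separated hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def signing_cert_fingerprints(saml_response_xml: str) -> list:
    """Fingerprints of every certificate carried in a ds:Signature (Response or Assertion level)."""
    root = ET.fromstring(saml_response_xml)
    fps = []
    for cert_el in root.iterfind(".//ds:Signature//ds:X509Certificate", NS):
        if cert_el.text:
            fps.append(fingerprint(base64.b64decode("".join(cert_el.text.split()))))
    return fps

def check_idp_cert(saml_response_xml: str, configured_idp_cert_pem: str) -> dict:
    """Does the cert the IdP actually signed with match the IdP cert configured on the SP?"""
    configured = fingerprint(pem_to_der(configured_idp_cert_pem))
    found = signing_cert_fingerprints(saml_response_xml)
    return {"configured": configured, "found_in_response": found, "match": configured in found}

# Constructed placeholders: NOT real DER certificates, just distinct byte strings.
SIGNING_DER = b"constructed placeholder: cert the IdP signs assertions with"
OTHER_DER = b"constructed placeholder: a different cert"

def as_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----"

# Constructed minimal SAML Response with a signed Assertion carrying its signing cert.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SIGNING_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

If `match` is False, the certificate the IdP signs with is not the one loaded as the IdP certificate on the SP side, which is exactly the condition that produces "Failed to verify signature".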