I’m seeking clarification and a possible solution regarding the recent change in FortiGate’s SAML authentication requirements.
The issue is described in the following Knowledge Base article:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firm...
According to the article, the new specification requires that both the Response and the Assertion within the SAML response be signed.
I understand that some IdPs, such as Microsoft Entra ID or Google IdP, support signing both elements as shown in the examples. However, what is the recommended workaround or solution if we are using an IdP that can sign only one of them?
I also have two questions regarding this policy:
1. Is this requirement a permanent change?
2. Could you share the rationale for requiring both the Response and the Assertion to be signed?
From my understanding, the Assertion is already a component of the Response, and signing the Response should inherently cover the Assertion as well.
Requiring both to be signed seems somewhat redundant — like locking a door twice with the same key — so I would appreciate your perspective on the necessity and reasonableness of this approach.
Thank you very much for your time and assistance.
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Thanks a lot for your quick reply and for checking on this. I appreciate your help.
The document you shared contains a piece of the response:
Note for Google IdP users: The Google implementation only signs either the assertion or reply based on the 'Signed reply' checkbox, but cannot sign both. If 'Signed reply' is unchecked, only the SAML Assertions are signed. If 'Signed reply' is checked, only the SAML Reply is signed. Both will fail since the FortiGate expects both Assertion AND Reply to be signed.
1. Is this requirement a permanent change?
I don't have the exact response for this case, but as per my experience with Fortinet, 99% of security enhancement measures are permanent (still 1% possible, as per my experience).
2. Why signing both?
I'm not a SAML specialist, but I think I've found a rational reason here:
In some cases a service provider may be comprised of separate service components, such as one responsible for generating the assertion and another responsible for applying additional metadata or context to the SAML response.
Hope it helps
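Before upgrading, an admin may want to see which element their IdP actually signs. The following is an added Python example, not Fortinet's code and not from the KB article: it parses a SAML Response and reports whether the Response and the Assertion each carry an enveloped XML-DSig signature, and it models the stricter FortiGate check as "both must be signed" as the article describes. It inspects structure only and does not verify signature values; the sample responses it builds are constructed, not real IdP captures.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signed_elements(response_xml: str) -> dict:
    """Report which SAML elements carry an enveloped signature.
    An element counts as signed only if it has a direct ds:Signature child whose
    ds:Reference URI points at the element's own ID (enveloped-signature binding).
    Structure only: cryptographic validity is not checked here."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")

    def has_enveloped_sig(elem) -> bool:
        sig = elem.find("ds:Signature", NS)
        if sig is None:
            return False
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        return ref is not None and ref.get("URI") == "#" + elem.get("ID", "")

    assertions = root.findall("saml:Assertion", NS)
    return {
        "response_signed": has_enveloped_sig(root),
        "assertion_signed": bool(assertions) and all(has_enveloped_sig(a) for a in assertions),
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
    }

def fortigate_would_accept(response_xml: str) -> bool:
    """Assumed model of the stricter check from the KB article: both signed."""
    s = signed_elements(response_xml)
    return s["response_signed"] and s["assertion_signed"]

def sample_response(sign_response: bool, sign_assertion: bool) -> str:
    """Constructed minimal samlp:Response; signature blocks are shaped like
    XML-DSig but carry dummy values (hypothetical IDs _resp1 / _assn1)."""
    def sig(ref_id):
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
                f'<ds:Reference URI="#{ref_id}"/></ds:SignedInfo>'
                '<ds:SignatureValue>dummy</ds:SignatureValue></ds:Signature>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_resp1">'
            + (sig("_resp1") if sign_response else "")
            + '<saml:Assertion ID="_assn1">' + (sig("_assn1") if sign_assertion else "")
            + '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
            + '</saml:Assertion></samlp:Response>')
```

`sample_response(False, True)` mirrors Google with 'Signed reply' unchecked and `sample_response(True, False)` mirrors it checked; both fail the modelled check, matching the KB note.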
Thank you very much for your detailed explanation! It was extremely helpful and makes a lot of sense.
I’ll also keep an eye out for any additional insights from others.
Copyright 2025 Fortinet, Inc. All Rights Reserved.