Support Forum
LibiaoRobot
New Contributor

SSL VPN SAML Authentication Fails with Error 'Failed to verify signature' Using Casdoor as SAML IDP

Error message:
/saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
__samld_sp_login_resp [826]: Failed to process response message. ret=-111(Failed to verify signature.)
samld_send_common_reply [91]: Code: 1, id: 539, pid: 5739, len: 64, data_len 48
samld_send_common_reply [99]: Attr: 22, 12,
samld_send_common_reply [99]: Attr: 23, 36, Failed to verify signature.
samld_send_common_reply [119]: Sent resp: 64, pid=5739, job_id=539.
[5739:root:0]epoll saml recv resp error.
[5740:root:216]Timeout for connection 0x7f7ebad000.


My SAML IDP uses Casdoor, which is an open source identity authentication system. I made sure my certificate is the public key certificate imported from the Casdoor system.

Markus_M
Staff & Editor

The node that receives this signature, that is the FortiGate, needs to have the root CA certificate installed which is at the end of the certificate chain that signed the certificate that the IdP has used to create the signature. If there is an intermediate that created that certificate, that may also have to be imported.

- Markus
LibiaoRobot
New Contributor

I can answer with certainty that my Casdoor currently has only one certificate, and this certificate is self-signed by Casdoor. I downloaded the certificate and imported it into the Fortinet firewall as a remote certificate, and also called the certificate in single sign-on.

[screenshot: 1.png]

[screenshot: image.png]

I also saw the public key certificate sent by Casdoor (SAML IdP) in the firewall debug, but it still prompted "Failed to verify signature."

[screenshot: image.png]

LibiaoRobot
New Contributor

I am running firewall version v7.2.11 build1740 (Mature).

tbarua
Staff

Hi LibiaoRobot,

Beginning from v7.2.12, v7.4.9 and v7.6.4, FortiGate verifies the signature of SAML Response messages. See SAML certificate verification in the Release Notes.

You can test this by changing the following settings in the Azure certificate configuration, as described in the following KB article:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firm...


Regards,

Tuli
LibiaoRobot

I am running firewall version v7.2.11 build1740 (Mature).

It still only signs the Assertion consumer service URL.

LibiaoRobot
New Contributor

I have upgraded to version 7.2.12, and my Casdoor has also been upgraded to the latest version 2.71.0. The Casdoor SAMLResponse does sign the response, which is in line with the SAML requirements of Fortinet Firewall version 7.2.12, but it still reports an error.

[screenshot: image.png]

tring">pve-role</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
__samld_sp_login_resp [828]: Failed to process response message. ret=-111(Failed to verify signature.)
samld_send_common_reply [91]: Code: 1, id: 3, pid: 299, len: 64, data_len 48
samld_send_common_reply [99]: Attr: 22, 12,
samld_send_common_reply [99]: Attr: 23, 36, Failed to verify signature.
samld_send_common_reply [119]: Sent resp: 64, pid=299, job_id=3.
[299:root:0]epoll saml recv resp error.
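A small diagnostic for the two questions this thread turns on: whether the samlp:Response element itself carries a ds:Signature (what tbarua describes FortiOS 7.2.12+ checking) or only the saml:Assertion, and whether the certificate embedded in ds:KeyInfo is the same one imported on the FortiGate. This is an added example, not code from the thread, from Fortinet or from Casdoor; the sample response and the certificate blob are constructed placeholders, and the script inspects structure and fingerprints only, without performing XML-DSig verification.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def inspect_saml_response(xml_text):
    """List every ds:Signature: which element it is attached to, and the SHA-256
    fingerprint of the certificate carried in its ds:KeyInfo (None if absent).
    No cryptographic verification is done; this only shows what is signed and with what."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for sig in root.iter(DS + "Signature"):
        signed = parent_of.get(sig, root)          # enveloped signature: parent is the signed element
        cert_b64 = sig.findtext(f".//{DS}X509Certificate")
        fingerprint = None
        if cert_b64:
            der = base64.b64decode("".join(cert_b64.split()))   # strip PEM-style line breaks
            fingerprint = hashlib.sha256(der).hexdigest()
        findings.append({"signed_element": signed.tag, "cert_sha256": fingerprint})
    return findings


def check_against_sp(findings, sp_cert_sha256):
    """Summarise the findings against the certificate configured on the SP (FortiGate)."""
    fps = [f["cert_sha256"] for f in findings if f["cert_sha256"]]
    return {
        "response_signed": any(f["signed_element"] == SAMLP + "Response" for f in findings),
        "assertion_signed": any(f["signed_element"] == SAML + "Assertion" for f in findings),
        # None means the IdP embedded no certificate at all, so nothing could be compared
        "cert_matches_sp": all(fp == sp_cert_sha256 for fp in fps) if fps else None,
    }


# Constructed sample (not captured from the thread): the Assertion is signed, the Response is not.
FAKE_DER = b"placeholder-not-a-real-certificate"      # stands in for DER certificate bytes
SP_CERT_SHA256 = hashlib.sha256(FAKE_DER).hexdigest()  # fingerprint of the cert "imported on the SP"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:AttributeStatement/>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_against_sp(inspect_saml_response(SAMPLE_RESPONSE), SP_CERT_SHA256))
```

Feed it the XML captured in the FortiGate debug instead of SAMPLE_RESPONSE; a result with response_signed False explains the "Failed to verify signature" on 7.2.12+ even when the Assertion signature is fine, and cert_matches_sp False points at a mismatch between the IdP's signing certificate and the remote certificate imported on the firewall.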

Markus_M
Staff & Editor

Keep in mind that the special case of self-signed certificates and their signatures in general are considered invalid. You will need a CA certificate that creates a server certificate for the IdP. The CA certificate's public key must then be imported on the SP, and the server certificate with public and private key on the IdP.

Self-signed certificates are a special case of certificates: the chain of certificates is basically one, there is no valid CA certificate, and there is no regular server certificate either, despite everything working as the certificate has the correct extensions (sometimes not even that).

- Markus
LibiaoRobot

I don't know why I can't upload screenshots anymore.

However, the SSO certificate issued by Microsoft Azure ID is also a self-signed certificate. Why can the Microsoft certificate be used normally?

LibiaoRobot
New Contributor

I applied for a new domain name certificate from Alibaba Cloud, a domain name registration authority, and imported the public and private keys into the Casdoor SAML IDP. The public key consists of two parts: the Leaf Certificate and the Intermediate CA Certificate. I also imported the same public key certificate into the Fortinet firewall and used it in single sign-on, but the result was the same: "Failed to verify signature."
