Our VPN SSO has stopped working. I attempted the following steps without success:
Enabled the signed response option in Google
Disabled and re-enabled it
Downloaded a new certificate from Google and uploaded it to the FortiGate
Despite these changes, SSO is still failing. The FortiGate logs show the following error:
From what I understand, this may be a known issue. Is there a fix or recommended workaround available?
Hi CaryWells,
Could you please provide your FortiOS and FortiClient versions?
Are you facing the issue after the firmware upgrade?
As you mentioned, you got the following error:
"__samld_sp_login_resp [828]: Failed to process response message. ret=101(Signature element not found.)"
Please refer to the document below for more information:
If you have found a solution, please like and accept it to make it easily accessible to others.
Regards,
Aman
Happened after a firmware upgrade to firmware 7.2.12(1761)
Happens on both client and the web portal
Did all the things in the article including
Hi CaryWells,
Yes, please review the document below and let us know if it helps.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-Authentication-fails-after-firm...
Regards,
Aman
Created on 10-02-2025 06:53 AM Edited on 10-02-2025 06:56 AM
This did not help.
If you look at this Reddit thread you will see I am not the only one this is happening to with Google as the IDP.
https://www.reddit.com/r/fortinet/comments/1noj7xu/update_to_7212_kills_saml_at_several_clients/
Hi CaryWells,
Starting from FortiOS 7.2.12, 7.4.9, and 7.6.4, FortiGate verifies the signature for SAML response messages. Please turn on Sign SAML response and assertion or similar options in corresponding IDP settings. Lack of signature for signing response messages or assertions may cause authentication to fail.
Please refer to the release note of v7.2.12:
When using Google as the IdP, ensure that the 'Signed response' option is selected, as shown in the image below. Selecting this option enforces a signature on the entire SAML response. If this option is not selected, Google will sign only the assertion within the response, which is the default behaviour.
You can also try to upgrade to v7.4.8 and check the behaviour.
Regards,
Aman
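An added example, not part of any post in this thread and not Fortinet or Google code: a small check of where the signature sits in a captured SAMLResponse, which shows whether the IdP is actually signing the whole response or only the assertion. It assumes the base64 value of the SAMLResponse form field from the HTTP-POST binding; the sample messages and the idp.example.test issuer are constructed, and the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_placement(saml_response_b64):
    """Say which parts of a base64 SAMLResponse form field carry a ds:Signature.
    Presence and placement only; no cryptographic verification is done."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: " + root.tag)
    assertions = root.findall("saml:Assertion", NS)
    return {
        # Only a ds:Signature that is a direct child of Response signs the message.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": bool(assertions) and all(
            a.find("ds:Signature", NS) is not None for a in assertions),
    }

def finding(placement):
    if placement["response_signed"]:
        return "Response carries a signature"
    if placement["assertion_signed"]:
        return "assertion-only signature: the IdP is not signing the Response"
    return "no signature on Response or Assertion"

def constructed_sample(sign_response, sign_assertion):
    """Constructed test message; the Signature element is an empty stand-in."""
    sig = '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/></ds:Signature>' % NS["ds"]
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>' % (NS["samlp"], NS["saml"])
        + (sig if sign_response else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        + (sig if sign_assertion else "")
        + '<saml:Subject/></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for resp, asrt in ((False, True), (True, False)):
        p = signature_placement(constructed_sample(resp, asrt))
        print(p, "->", finding(p))
```

If a real capture still reports an assertion-only signature after the IdP setting was changed, the change has not reached the responses the FortiGate receives.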
This has been done as I stated in my first response. We cannot upgrade at this time. This is still not working.