Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4
Description
This article describes how to resolve the SAML authentication issue that occurs after upgrading to v7.2.12, v7.4.9 or v7.6.4.
Scope
FortiGate v7.2.12, v7.4.9, v7.6.4.
Solution
Beginning with v7.2.12, v7.4.9 and v7.6.4, FortiGate verifies the signature of SAML Response messages. See SAML certificate verification in the Release Notes. Note that this also includes the FIPS-CC CVE-Patched builds for FortiOS 7.2, such as FIPS-CC-72-5 and onward.
After the upgrade, SAML authentication may fail when FortiGate is the Service Provider (e.g., for IPsec/SSL VPN, FortiGate administrator logins, SAML captive portal). The following debug commands can be run on the FortiGate while reproducing the issue from the test user's PC:
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable
To stop the debugs:
diagnose debug disable
diagnose debug reset
The following error, 'Signature element not found', will be seen in the debug output on the FortiGate:
IDP sig verify is required for response and assertions
__samld_sp_login_resp [833]: Failed to process response message. ret=101(Signature element not found.)
samld_send_common_reply [92]: Code: 1, id: 563501, pid: 2470, len: 65, data_len 49
samld_send_common_reply [101]: Attr: 22, 12, e
samld_send_common_reply [101]: Attr: 23, 37, Signature element not found.
samld_send_common_reply [120]: Sent resp: 65, pid=2470, job_id=563501.
The user sees the error below ('Firewall Authentication Failed') in the browser:
[Screenshot: 'Firewall Authentication Failed' error shown in the browser]
For SSL VPN in FortiClient, after connecting, the connection progress gets stuck at 'Status: 40%':
[Screenshot: FortiClient SSL VPN connection stuck at 'Status: 40%']
After the upgrade, both the SAML Response and the SAML Assertion must be signed, not just the Assertion. 'Signature element not found' indicates that one of these signatures was not provided. To resolve the authentication issue, change the signing setting on the IdP so that both the SAML Response and the Assertion are signed.
If Microsoft Entra ID is used as the IdP, select 'Sign SAML response and Assertion' as the signing option under Single sign-on -> SAML Certificates -> Select Edit -> SAML Signing Certificate, as shown in the screenshot below:
[Screenshot: Microsoft Entra ID SAML Signing Certificate, signing option set to 'Sign SAML response and Assertion']
This will fix the SAML authentication issue, and users will be able to authenticate successfully.
Note for Google IdP users: the Google implementation signs either the assertion or the reply, depending on the 'Signed reply' checkbox, but cannot sign both. If 'Signed reply' is unchecked, only the SAML Assertion is signed. If 'Signed reply' is checked, only the SAML Reply (Response) is signed. Either setting will fail, because the FortiGate expects both the Assertion AND the Reply to be signed.
When Cisco Duo is used as the Identity Provider (IdP), ensure that both the 'Sign response' and 'Sign assertion' options are selected, as shown in the screenshot below.
To configure this, under Signing options, select both:
- Sign response.
- Sign assertion.
[Screenshot: Cisco Duo Signing options with 'Sign response' and 'Sign assertion' both selected]
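Before upgrading (or while troubleshooting after it), it is useful to confirm what the IdP actually signs rather than relying on the IdP's settings page. The following Python script is an added example, not Fortinet code or part of this article: it decodes a base64 SAMLResponse value (as captured from the browser's POST to the FortiGate's assertion consumer URL) and reports whether the samlp:Response element and each saml:Assertion element carry a ds:Signature child, which is the condition this article describes for v7.2.12/v7.4.9/v7.6.4. It only checks for the presence of the Signature elements, not their cryptographic validity. The sample responses it builds are constructed placeholders (hypothetical issuer, destination and a dummy SignatureValue) that model the three IdP behaviours discussed above: both signed, assertion only (Google with 'Signed reply' unchecked), and response only (Google with 'Signed reply' checked).

```python
import base64
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"


def signature_status(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse and report which elements carry an
    enveloped ds:Signature. Presence check only, no signature validation."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS_SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response element: {root.tag}")

    # find() with a single tag looks at direct children only, so a Signature
    # nested inside an Assertion is not mistaken for a Response signature.
    response_signed = root.find(f"{{{NS_DS}}}Signature") is not None
    assertions = root.findall(f"{{{NS_SAML}}}Assertion")
    signed_flags = [a.find(f"{{{NS_DS}}}Signature") is not None for a in assertions]
    return {
        "response_signed": response_signed,
        "assertion_count": len(assertions),
        "assertions_signed": bool(assertions) and all(signed_flags),
        # Encrypted assertions cannot be inspected without the SP private key.
        "encrypted_assertions": len(root.findall(f"{{{NS_SAML}}}EncryptedAssertion")),
    }


def fortigate_will_accept(status: dict) -> bool:
    """Mirror the article's requirement: Response AND every Assertion signed."""
    return status["response_signed"] and status["assertions_signed"]


def describe(status: dict) -> str:
    """Human-readable verdict naming the element(s) that lack a signature."""
    missing = []
    if not status["response_signed"]:
        missing.append("Response")
    if not status["assertions_signed"]:
        missing.append("Assertion")
    if not missing:
        return "OK: Response and Assertion are both signed"
    return "Signature element not found on: " + ", ".join(missing)


# --- constructed sample data (placeholders, not a real IdP response) ---------
SIG_PLACEHOLDER = (
    f'<ds:Signature xmlns:ds="{NS_DS}"><ds:SignedInfo/>'
    "<ds:SignatureValue>CONSTRUCTED-PLACEHOLDER</ds:SignatureValue></ds:Signature>"
)


def build_response(sign_response: bool, sign_assertion: bool) -> str:
    """Build a minimal base64 SAMLResponse with optional placeholder signatures."""
    resp_sig = SIG_PLACEHOLDER if sign_response else ""
    asn_sig = SIG_PLACEHOLDER if sign_assertion else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        'ID="_r1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z" '
        'Destination="https://vpn.example.invalid/saml/acs">'
        "<saml:Issuer>https://idp.example.invalid</saml:Issuer>"
        f"{resp_sig}"
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.invalid</saml:Issuer>"
        f"{asn_sig}"
        "<saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    cases = {
        "IdP signs both (required)": build_response(True, True),
        "Assertion only (Google, 'Signed reply' unchecked)": build_response(False, True),
        "Response only (Google, 'Signed reply' checked)": build_response(True, False),
    }
    for label, b64 in cases.items():
        st = signature_status(b64)
        print(f"{label}: accepted={fortigate_will_accept(st)} -> {describe(st)}")
```

To check a live IdP, paste the SAMLResponse form value from the browser's developer tools (network tab, the POST to the FortiGate's SAML ACS URL) into signature_status(); a result of "Signature element not found on: Response" matches the samld debug line quoted above and points at the IdP signing setting rather than the FortiGate.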
As a temporary workaround only, the FortiGate can be reverted to the previous firmware version. This is not a fix; the permanent resolution is to configure the IdP to sign both the SAML Response and the Assertion as described above.
For more information, see this document: Set up your own custom SAML app.
Related articles:
Technical Tip: Login issues with SAML IdP. 'Failed to verify signature' error in SAML Debug
Troubleshooting Tip: How to troubleshoot IPsec SAML Dial UP tunnel