FortiGate
kgeorge
Staff
Article Id 281805
Description: This article describes how to troubleshoot the 'Failed to verify signature' message seen in the SAML debug output.
Scope: FortiGate using Azure AD as the SAML IdP for authentication.
Solution

In the SAML debug output (di de app saml -1), the error message looks like this:


954f-8326f1b10e00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
__samld_sp_login_resp [842]: Failed to process response message. ret=-111(Failed to verify signature.)


This is usually caused by a certificate mismatch (the certificate configured on the FortiGate is not the one Azure AD currently signs with) or by a corrupted certificate imported from Azure AD.


To fix this, download the current SAML Signing Certificate from the application's Single sign-on page in the Azure Portal, import it into the FortiGate under Remote Certificate, and reference that certificate in the SAML configuration.
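Before re-importing, it helps to confirm which of the two causes applies. The following script is an added example and is not part of this article or of FortiOS: it takes the certificate currently configured on the FortiGate (as PEM) and a captured SAML Response, and reports whether the configured certificate is corrupt (unparseable) or simply does not match the certificate the IdP signed with. It assumes the IdP embeds its signing certificate in the Response's ds:KeyInfo element, which Azure AD does; the certificate bytes, the PEM wrapping and the debug lines below are constructed sample data, not real certificates or captured traffic.

```python
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and all whitespace and return the DER bytes.

    Tolerating CRLF line endings and stray spaces matters: a certificate
    pasted from a Windows editor is a common 'corrupted certificate' case.
    Raises ValueError/binascii.Error when the body is empty or not valid base64.
    """
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    body = re.sub(r"\s+", "", body)
    if not body:
        raise ValueError("no certificate body found")
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, in the style of 'openssl x509 -fingerprint -sha256'."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_cert_from_response(saml_xml: str) -> bytes:
    """Return the DER certificate carried in the Response's ds:KeyInfo.

    Assumption: the IdP embeds its signing certificate there (Azure AD does).
    If an IdP does not, compare against the certificate in its metadata instead.
    """
    root = ET.fromstring(saml_xml)
    node = root.find(f".//{{{DS_NS}}}X509Certificate")
    if node is None or not (node.text or "").strip():
        raise ValueError("no ds:X509Certificate element in the SAML response")
    return pem_to_der(node.text)


def diagnose(configured_pem: str, saml_xml: str) -> str:
    """Explain why signature verification would fail with the configured cert."""
    try:
        configured = pem_to_der(configured_pem)
    except (ValueError, binascii.Error) as exc:
        return f"corrupt configured certificate: {exc}"
    presented = signing_cert_from_response(saml_xml)
    if configured == presented:
        return "ok"
    return (f"mismatch: configured {sha256_fingerprint(configured)} "
            f"vs IdP signing cert {sha256_fingerprint(presented)}")


def find_signature_failures(debug_output: str) -> list[str]:
    """Pick out the samld debug lines that report a failed signature check."""
    return [line for line in debug_output.splitlines()
            if "Failed to verify signature" in line]


# --- constructed sample data (not real certificates or captured traffic) ---
_DER_AZURE = bytes(range(96))           # stands in for the IdP's current signing cert
_DER_STALE = bytes(range(96, 0, -1))    # stands in for a rotated/old cert still on the SP


def make_pem(der: bytes, newline: str = "\n") -> str:
    """Wrap DER bytes in PEM armour, 64 chars per line, with the given line ending."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines,
                         "-----END CERTIFICATE-----"]) + newline


def sample_truncated_pem() -> str:
    """A certificate whose base64 body lost its tail during copy/paste."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(_DER_AZURE).decode()[:101]
            + "\n-----END CERTIFICATE-----\n")


SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(_DER_AZURE).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    "</samlp:Response>"
)

# First line is the message from the article; the second is a constructed filler line.
SAMPLE_DEBUG = (
    "__samld_sp_login_resp [842]: Failed to process response message. "
    "ret=-111(Failed to verify signature.)\n"
    "__samld_sp_login_resp [900]: constructed unrelated debug line\n"
)

if __name__ == "__main__":
    print(find_signature_failures(SAMPLE_DEBUG))
    print(diagnose(make_pem(_DER_AZURE, "\r\n"), SAMPLE_RESPONSE))
    print(diagnose(make_pem(_DER_STALE), SAMPLE_RESPONSE))
    print(diagnose(sample_truncated_pem(), SAMPLE_RESPONSE))
```

Comparing DER bytes (or their SHA-256 fingerprint) rather than the PEM text is deliberate: line wrapping and CRLF versus LF differences make textual comparison of certificates unreliable, while two certificates with different fingerprints can never verify the same signature. A "mismatch" result points at a rotated or wrong certificate in Azure AD; a "corrupt" result points at the import itself.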


See the screenshot below for reference on downloading the certificate:


SAML_Certificate.png

To import the certificate into the FortiGate:


In GUI:

Go to System -> Certificates -> Import -> Remote Certificate


From CLI:


config vpn certificate remote


Optional:

The default name for an imported remote certificate is 'REMOTE_Cert_<number>'. To make it easier to distinguish from other certificates, it can be renamed in the CLI:


Example: rename REMOTE_Cert_1 to Azure_SAML:


config vpn certificate remote
    rename REMOTE_Cert_1 to Azure_SAML
end

Contributors