Description: This article describes how to troubleshoot the 'Failed to verify signature' message seen in the SAML debug output.
Scope: Azure AD used as a SAML IdP for authentication via FortiGate.
Solution:
In the SAML debug output (di de app saml -1, short for diagnose debug application saml -1), the error message looks like this:
954f-8326f1b10e00"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
This is most often caused by a certificate mismatch or by a corrupted certificate imported from Azure AD: the FortiGate checks the assertion signature against the remote certificate referenced in its SAML configuration, and if that certificate is not the one Azure AD actually signs with, verification fails.
To fix this, download the relevant SAML Signing Certificate from the Single sign-on page of the application in the Azure Portal, import it to the FortiGate as a Remote Certificate, and reference that certificate in the SAML configuration.
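Before re-importing, it is worth confirming that a mismatch really is the cause. The SAML Response logged by the debug carries the IdP's signing certificate in its ds:X509Certificate element, so comparing its fingerprint with the fingerprint of the certificate downloaded from Azure (the 'Certificate (Base64)' file) tells you whether the FortiGate has the right one. The script below is an added example, not code from the original article or from Fortinet; the sample SAML Response and the certificate bytes it embeds are constructed placeholders, and it compares fingerprints only (it does not validate the XML signature itself).

```python
"""
Compare the signing certificate carried inside a SAML Response (as logged by
the FortiGate SAML debug) with the certificate downloaded from the Azure
Portal, by SHA-256 fingerprint.

Added example; SAMPLE_DER / OTHER_DER are constructed byte strings that stand
in for real DER-encoded certificates, and build_sample_response() produces a
constructed Response, not one captured from a real tenant.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for two different certificates (only their bytes matter here).
SAMPLE_DER = bytes(range(0x30, 0x30 + 64))
OTHER_DER = bytes(range(0x40, 0x40 + 64))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour Azure's 'Certificate (Base64)' download uses."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der_from_pem(pem_text: str) -> bytes:
    """Strip the PEM armour and whitespace, returning the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 thumbprint in the colon-separated form 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_sample_response(cert_der: bytes) -> str:
    """Constructed minimal SAML Response whose Assertion signature embeds cert_der."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature>'
        '<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
        'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
        '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
        '</saml:Assertion></samlp:Response>'
    )


def signing_certs_from_response(response_xml: str) -> list:
    """DER bytes of every ds:X509Certificate in the Response (Response and/or Assertion signature)."""
    root = ET.fromstring(response_xml)
    certs = []
    for node in root.iter("{%s}X509Certificate" % DSIG_NS):
        certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs


def check_idp_cert(response_xml: str, azure_pem: str) -> dict:
    """Report whether the certificate the IdP signed with matches the one downloaded from Azure."""
    expected = fingerprint(der_from_pem(azure_pem))
    seen = [fingerprint(c) for c in signing_certs_from_response(response_xml)]
    return {"expected": expected, "in_response": seen, "match": expected in seen}


if __name__ == "__main__":
    # Paste the logged <samlp:Response> and the downloaded .cer contents here for a real check.
    print(check_idp_cert(build_sample_response(SAMPLE_DER), to_pem(OTHER_DER)))
```

If 'match' is False, the certificate configured on the FortiGate is not the one Azure AD signs with (for example an old certificate after a rollover in the Azure tenant), and re-importing the current signing certificate as described above is the fix. If it is True but verification still fails, look instead for a corrupted import or a different cause.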
Find the screenshot below for reference on downloading the certificate:
To import the Certificate to FortiGate:
In the GUI: go to System -> Certificates -> Import -> Remote Certificate.
From the CLI:
The default name for an imported remote certificate is 'REMOTE_Cert_<number>'. To make it easier to distinguish from other certificates, it can be renamed in CLI:
Example: rename REMOTE_Cert_1 to Azure_SAML:
Copyright 2024 Fortinet, Inc. All Rights Reserved.