Technical Tip: Hiding Group membership details from browser after SAML login success

When integrating FortiAuthenticator with Microsoft Entra ID (formerly Azure AD) or other SAML Identity Providers, users connecting to wireless SSIDs get redirected to the IdP for authentication.

After a user successfully authenticates through SAML SSO, the browser is redirected to the FortiAuthenticator SAML Service Provider success page. By default, this page not only confirms successful login but also displays attributes passed from the Identity Provider (IdP), including group memberships, device IP address, and username.

This detailed information can be used for troubleshooting or administrative review, but in production environments, it is often unnecessary and should be hidden to ensure a cleaner and more secure user experience.

To remove or customize what is displayed in the browser:

1. Log in to the FortiAuthenticator GUI.

2. Navigate to: System -> Administration -> Replacement Messages.

3. Locate the message type: SAML SP Login Success Page.

4. Edit the message to suppress or customize the attributes shown to end users.
                                                                                                                  

The lines below can be edited out of the HTML code to hide group membership details:

<div id="group_info">
<i class="fa-2x fa-solid fa-people-group"></i>
<br />
Group membership:<br/>
<span id="group">{{:sso_groups}}</span>
</div>

After applying this change, the post-login success page will only display the customized confirmation message (e.g., 'Login successful'), and group membership details will not be displayed.