Troubleshooting Tip: User is not able to connect to FortiClient EMS using the invitation code with SAML verification scope

Description

This article describes how to troubleshoot if the user is unable to connect to FortiClient EMS using invitation code with SAML verification.

Scope

FortiClient EMS, FortiClient, Invitation.

Solution

Context:

When an end user attempts to connect FortiClient to FortiClient EMS using an invitation code configured with Verification Type: SAML, the browser authentication may complete successfully, but FortiClient displays the following error message:

You have been authenticated successfully but you are not authorized to connect to EMS. Please notify your EMS Administrator for assistance.

At the same time, the SAML authentication logs may show that the sign-in attempt was successful.

This behavior usually indicates that the SAML authentication itself succeeded, but FortiClient EMS is unable to validate or match the authenticated user correctly against the synchronized domain information.

Solution:

Troubleshooting steps.

First, verify that the authentication server configured in FortiClient EMS is reachable and functioning correctly.

Navigate to: FortiClient EMS Console -> Administration -> Authentication Servers.

Test the connectivity between FortiClient EMS and the authentication server.

Next, verify the domain synchronization status.

Navigate to: FortiClient EMS Console -> Endpoints -> Manage Domains.

Check the last synced time of the affected domain.

If the domain synchronization timestamp is outdated or has not synchronized recently, perform a manual domain synchronization.

After the synchronization completes and the timestamp is updated, retry the telemetry connection using the same invitation code.