vermap
Staff
March 18, 2025

Technical Tip: Captive portal with SAML for wifi users not connecting with error 'Firewall Authentication Failed'

Description
This article describes the troubleshooting steps to take when the captive portal with SAML authentication fails to load for WiFi users with the error 'Firewall Authentication Failed'.

Scope
FortiGate.

Solution

When a user connects to the WiFi SSID and tries to access the captive portal page with SAML authentication, the page is redirected but returns the error 'Firewall Authentication Failed'.

This happens because of a mismatch between the user group ID configured on FortiGate and the group ID in Azure.

This can also be verified with the following SAML debugs:

diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable

Stop the debug processes after collecting the output by using the following commands:

diagnose debug disable
diagnose debug reset

As a solution, make sure the group ID is the same on FortiGate and Azure.

Alternatively, the group ID can also be edited through the CLI.

Note:
If the issue is observed after upgrading to v7.2.12, v7.4.9, or v7.6.4 with the error 'Signature element not found' from SAML debug, refer to this document for more information: Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.
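
The group ID comparison described in the solution above can be checked offline against a decoded SAML assertion. The following Python sketch is an added example, not part of the original article and not Fortinet code; the sample assertion, the group IDs and the use of Azure's default groups claim name are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: Azure sends group Object IDs under its default groups claim name.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion fragment (not captured from a real tenant).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def group_ids(assertion_xml, claim=GROUPS_CLAIM):
    """Return the group values carried in the assertion, whitespace-trimmed."""
    root = ET.fromstring(assertion_xml)
    ids = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") == claim:
            for value in attr.findall("{%s}AttributeValue" % SAML_NS):
                ids.append((value.text or "").strip())
    return ids

def check_group(assertion_xml, configured_id, claim=GROUPS_CLAIM):
    """Classify how the group ID configured on the firewall relates to the IdP's."""
    sent = group_ids(assertion_xml, claim)
    wanted = configured_id.strip()
    if not sent:
        return "no-group-claim"   # the IdP sent no group attribute at all
    if wanted in sent:
        return "match"
    if wanted.lower() in [g.lower() for g in sent]:
        return "case-differs"     # flagged separately: only letter case differs
    return "mismatch"             # e.g. a display name typed instead of the ID

if __name__ == "__main__":
    for configured in ("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "WiFi-Users"):
        print(configured, "->", check_group(SAMPLE_ASSERTION, configured))
```

The script only reads attribute values for troubleshooting; it does not validate the assertion's signature and is not a substitute for the firewall's own SAML checks.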
