Technical Tip: How to map external-identity-provider user by group ID when it auto-connect Forticlient

This article describes how to identify a user based on group-ID when it auto-connects to FortiClient via external-identity-provider.

This can be verified by running the following command that user is matching both group:

diagnose debug application sslvpn -1

diagnose debug application fnbamd -1

diagnose vpn ssl debug-filter src-addr4 x.x.x.x <-remote user wan IP

diagnose debug application samld -1

diagnose debug enable

2024-11-04 16:08:36 [1117] fnbamd_ext_idp_gen_rsp_data-svr_name:AzureAD2-ext
2024-11-04 16:08:36 [1123] fnbamd_ext_idp_gen_rsp_data-Username xxxx@xx.com
2024-11-04 16:08:36 [1129] fnbamd_ext_idp_gen_rsp_data-Appending group 62004656-xxxxx-xxx-xxxxx
2024-11-04 16:08:36 [1129] fnbamd_ext_idp_gen_rsp_data-Appending group dc754b02-xxxxx-xxxx-xxxx
2024-11-04 16:08:36 [1129] fnbamd_ext_idp_gen_rsp_data-Appending group 7621f08c-xxxx-xxxx-xxxx
2024-11-04 16:08:36 [1623] fnbam_user_auth_group_match-req id: 12503579, server: AzureAD2-ext, local auth: 0, dn match: 0
2024-11-04 16:08:36 [1592] __group_match-Group 'VPNSSL' passed group matching
2024-11-04 16:08:36 [1595] __group_match-Add matched group 'VPNSSL'(7)

2024-11-04 16:08:36 [1592] __group_match-Group 'FortiGateAccess' passed group matching
2024-11-04 16:08:36 [1595] __group_match-Add matched group 'FortiGateAccess'(5)
2024-11-04 16:08:36 [292] find_matched_usr_grps-Passed group matching
2024-11-04 16:08:36 [3003] fnbamd_ext_idp_result-res=0
2024-11-04 16:08:36 [3006] fnbamd_ext_idp_result-Authentication succeeded