princes
Staff
August 1, 2025

Technical Tip: SAML authentication failed due to a 'no matching group' error, even though group membership is correctly configured

Description
This article describes the 'no matching group' error that occurs with SAML authentication even when the group name is an exact match between the IdP and SP configuration.
Scope
FortiGate.
Solution

The usual cause of a group mismatch in SAML authentication is that the group name configured on the IdP differs from the one configured on the SP (FortiGate).

In a few cases, however, 'no matching group' is reported even though the group name is an exact match.

FortiGate reads the group values carried in the SAML assertion (the attribute named by group-name under config user saml) and compares them against the group-name values configured in the user group's match entries. A mismatch occurs when none of the values the IdP sends equals a value FortiGate is configured to recognize.

The following commands collect SAML debug output:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application samld -1
diagnose debug enable

To disable debug:

diagnose debug disable
diagnose debug reset

The following is a debug example (the attribute statement of the SAML assertion as received from the IdP):

</Attribute>
<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>Test user (Associates)</AttributeValue></Attribute>
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><AttributeValue>beec2f65-8758-4d94-bc36-0d314cdf0ab6</AttributeValue><AttributeValue>04ff9986-c404-4e66-b927-f0310c894173</AttributeValue><AttributeValue>8b216cbe-5c37-452c-a4c2-6ce98a083a10</AttributeValue>

FortiGate configuration:

config user saml
    edit "AZURE-SSL-VPN"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"  <----- Same attribute name as shown in the debug example.

In some cases, the Azure side sends the group claim under the name 'group' instead of the full URI, so that same value must be configured as group-name in the FortiGate SAML settings for the mapping to work.

Even when the group-name attribute matches, the following error can still be received:

2025-07-28 19:40:05 [5905:root:12179]fsv_saml_auth_group:485 no matching group found.
2025-07-28 19:40:05 [5905:root:12179]fsv_saml_login_resp_cb:253 SAML group mismatch.

In cases like this, the group values in the following debug output need to be compared with the group-name values in the FortiGate user group configuration:

samld_send_common_reply [95]: Attr: 10, 89, 'http://schemas.microsoft.com/identity/claims/displayname' 'Test User (Tests)'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' 'beec2f65-8758-4d94-bc36-0d314cdf0ag6'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '04ff9986-c404-4e66-b927-f0310c894893'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '8b216cbe-5c37-452c-a4c2-6ce98a083ag0'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '3b304cd-5684-4859-a415-8efe0b1b5wt2'

Verify the group ID values above against the FortiGate config:

config user group
    edit "Azure_Test_Team"
        set member "AZURE-Test-VPN"
            config match
                edit 1
                    set server-name "AZURE-Test1-VPN"
                    set group-name "360c2e07-ff42-46eb-bb4e-d75c880bd58b"   <----- This value needs to be verified against the group ID claims in the debug output above.
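To make the comparison concrete, here is an added example (not Fortinet's code and not part of the original article) that parses samld 'Attr:' debug lines and a FortiGate CLI fragment in the shapes shown above, then reports whether the claim named by group-name under config user saml is present in the assertion and whether any value it carries equals a group-name in the user group's match entries. The sample debug lines and config are constructed (the group IDs reuse the ones from the article's assertion excerpt). Whether FortiGate ignores case or whitespace when comparing is not stated in the article, so the script counts only exact matches and lists case- or whitespace-only differences separately as near misses.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed samld debug lines in the shape the article shows. The group IDs are
# the ones from the article's assertion excerpt; the display name is made up.
SAMLD_DEBUG = """\
samld_send_common_reply [95]: Attr: 10, 89, 'http://schemas.microsoft.com/identity/claims/displayname' 'Test User (Tests)'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' 'beec2f65-8758-4d94-bc36-0d314cdf0ab6'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '04ff9986-c404-4e66-b927-f0310c894173'
"""

# Constructed FortiGate CLI fragment: the SAML server object names the claim that
# carries groups, and the user group's match entry names one expected group value.
FGT_CONFIG = """\
config user saml
    edit "AZURE-SSL-VPN"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    next
end
config user group
    edit "Azure_Test_Team"
        set member "AZURE-SSL-VPN"
        config match
            edit 1
                set server-name "AZURE-SSL-VPN"
                set group-name "360c2e07-ff42-46eb-bb4e-d75c880bd58b"
            next
        end
    next
end
"""

ATTR_RE = re.compile(r"Attr: \d+, \d+, '([^']*)' '([^']*)'")
GROUP_NAME_RE = re.compile(r'^set group-name\s+"([^"]*)"')


def parse_samld_attrs(debug_text: str) -> Dict[str, List[str]]:
    """Map each attribute name in samld 'Attr:' lines to the list of values sent."""
    attrs: Dict[str, List[str]] = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def parse_fgt_config(config_text: str) -> Tuple[Set[str], Set[str]]:
    """Return (claim names from 'config user saml', group values from 'config match').

    Both are written as 'set group-name', so the enclosing 'config ... end' block
    decides which one a line belongs to; a small stack tracks that nesting.
    """
    claim_names: Set[str] = set()
    group_values: Set[str] = set()
    stack: List[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        else:
            m = GROUP_NAME_RE.match(line)
            if m and stack and stack[-1] == "user saml":
                claim_names.add(m.group(1))
            elif m and stack and stack[-1] == "match":
                group_values.add(m.group(1))
    return claim_names, group_values


def check_group_mapping(debug_text: str, config_text: str) -> dict:
    """Compare asserted group values with configured ones; exact match only.

    Near misses (same value apart from case or surrounding whitespace) are
    reported separately as a hint, since the article does not say whether
    FortiGate normalizes values before comparing.
    """
    attrs = parse_samld_attrs(debug_text)
    claim_names, group_values = parse_fgt_config(config_text)
    asserted: List[str] = []
    for name in claim_names:
        asserted.extend(attrs.get(name, []))
    matched = sorted(set(asserted) & group_values)
    normalized = {g.strip().lower(): g for g in group_values}
    near = [(a, normalized[a.strip().lower()]) for a in asserted
            if a not in group_values and a.strip().lower() in normalized]
    return {
        "claim_present": any(n in attrs for n in claim_names),
        "asserted_groups": asserted,
        "configured_groups": sorted(group_values),
        "matched": matched,
        "near_misses": near,
    }


if __name__ == "__main__":
    report = check_group_mapping(SAMLD_DEBUG, FGT_CONFIG)
    if not report["claim_present"]:
        print("group claim not found in assertion: check group-name under 'config user saml'")
    elif not report["matched"]:
        print("no matching group: IdP sent", report["asserted_groups"],
              "but FortiGate expects", report["configured_groups"])
        for sent, configured in report["near_misses"]:
            print(f"  near miss: {sent!r} vs configured {configured!r}")
    else:
        print("group match:", report["matched"])
```

Run as-is, the script reports the same situation as the article: the IdP sends two group object IDs, the match entry expects a third, so no group matches. Paste your own samld output and config fragment into the two constants to check a real case; the three outcomes (claim missing, no match, match) map onto the three configuration points the article walks through.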

After modifying the value to an exact match, SAML authentication succeeds and the group information is fetched correctly:

samld_send_common_reply [118]: Attr: 10, 37, 'username' 'Test'
samld_send_common_reply [118]: Attr: 10, 48, 'groups' '360c2e07-ff42-46eb-bb4e-d75c880bd58b'
fsv_saml_login_response:480 Got saml username: Test.
fsv_saml_login_response:490 Got group username: 360c2e07-ff42-46eb-bb4e-d75c880bd58b.

Note: Starting with FortiOS v7.2.10, v7.4.8, and v7.6.3, both the SAML assertion and the response must be signed, not just the SAML assertion. Refer to Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.

Related article:

Troubleshooting Tip: SAML group mismatch issue in SSL VPN