Rajneesh
Staff
December 18, 2025

Technical Tip: Understanding SAML attributes

Description: This article describes the SAML attributes that play an important role in the authentication of the supplicant.

Scope: FortiGate, FortiProxy, FortiAuthenticator.

Solution:

SAML (Security Assertion Markup Language) attributes are data elements included in a SAML authentication assertion that provide information about the authenticated user. These attributes contain details such as the user's identity, roles, permissions, and other relevant information. They are commonly used in Single Sign-On (SSO) and identity federation systems to enable seamless authentication and authorization.

Authentication of the user succeeds only when the attribute names configured on the FortiGate match the attribute names that the IDP sends in the assertion.

For example, the attributes configured on the FortiGate are shown below:

[Screenshot: attributes configured on the FortiGate]

The IDP must send the same attributes in the SAML assertion when the user is authenticated; if it does not, the authentication will fail.

The SAML debug logs shown below can be collected on the FortiGate with the following commands:

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug application samld -1

samld_send_common_reply [101]: Attr: 17, 31, magic=01090d809aa7a746
samld_send_common_reply [101]: Attr: 18, 29, 2025-12-18T09:17:49Z
samld_send_common_reply [98]: Attr: 10, 26, 'username' 'testuser'
samld_send_common_reply [98]: Attr: 10, 23, 'group' 'testuser'

To disable debugging:

diagnose debug disable
diagnose debug reset

In the debug output above, the attributes in the response from the IDP match the attributes configured on the FortiGate.
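
The following Python script is an added example, not part of the original article or any Fortinet code. It parses saved samld debug output and checks the received attribute names against the names expected on the FortiGate. The expected names username and group, the function names, and the exact (case-sensitive) comparison are assumptions of this example, and the second sample is constructed.

```python
import re

# Name/value form seen in the samld debug output on this page, e.g.
#   samld_send_common_reply [98]: Attr: 10, 26, 'username' 'testuser'
ATTR_RE = re.compile(
    r"samld_send_common_reply\s*\[\d+\]:\s*Attr:\s*\d+,\s*\d+,\s*'([^']*)'\s+'([^']*)'")

def parse_assertion_attrs(debug_text):
    """Return {attribute name: [values]} from samld debug output."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:  # the magic=... and timestamp Attr lines do not match
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs

def check_attrs(expected_names, debug_text):
    """Compare names configured on the FortiGate with names the IDP sent."""
    received = parse_assertion_attrs(debug_text)
    by_lower = {name.lower(): name for name in received}
    report = {}
    for name in expected_names:
        if name in received:
            report[name] = ("match", received[name])
        elif name.lower() in by_lower:
            # Assumption: names are compared exactly, so a case difference
            # is a mismatch; report the name the IDP actually sent.
            report[name] = ("case-mismatch", by_lower[name.lower()])
        else:
            report[name] = ("missing", None)
    return report

# Debug lines copied from this article.
SAMPLE_OK = """\
samld_send_common_reply [101]: Attr: 17, 31, magic=01090d809aa7a746
samld_send_common_reply [101]: Attr: 18, 29, 2025-12-18T09:17:49Z
samld_send_common_reply [98]: Attr: 10, 26, 'username' 'testuser'
samld_send_common_reply [98]: Attr: 10, 23, 'group' 'testuser'
"""

# Constructed sample: an IDP sending differently named attributes.
SAMPLE_BAD = """\
samld_send_common_reply [98]: Attr: 10, 26, 'Username' 'testuser'
samld_send_common_reply [98]: Attr: 10, 23, 'memberOf' 'testuser'
"""

if __name__ == "__main__":
    for label, text in (("article", SAMPLE_OK), ("constructed", SAMPLE_BAD)):
        print(label, check_attrs(["username", "group"], text))
```

A "missing" or "case-mismatch" result points to the attribute name that needs to be aligned between the IDP and the FortiGate configuration.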

 

Related article:

Technical Tip: SAML attribute mapping