jcsoto (Staff)
March 18, 2026

Troubleshooting Tip: SAML IPsec VPN Authentication fails with "Failed group matching" due to group buffer limits

Description

This article describes a known issue where IPsec remote access VPN users using SAML authentication fail to connect despite having the correct group memberships.


When running the recommended debugs for VPN and authentication troubleshooting:


diagnose debug reset
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application ike -1
diagnose debug application authd 7
diagnose debug console time enable
diagnose debug enable


The IdP assertion may correctly show the user's groups (e.g., Group_8 and Group_9):


<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <AttributeValue>Group_8</AttributeValue>
    <AttributeValue>Group_9</AttributeValue>
</Attribute>


However, during the group composition stage the FortiGate builds the candidate group list by walking the firewall policies in order and adding the SAML groups each policy references. If the internal buffer limit is reached before the groups the user belongs to have been added, the list is truncated at that point, the user's groups are never compared against it, and authentication fails with a 'Failed group matching' error:


2026-02-12 12:07:10 [489] __compose_group_list_from_req-Group 'Group_1', type 1
...
2026-02-12 12:07:10 [489] __compose_group_list_from_req-Group 'Group_7', type 1
<-- List truncated here due to buffer limit -->
2026-02-12 12:07:10 [1623] fnbam_user_auth_group_match-req id: 111111, server: saml-server, local auth: 0, dn match: 0
2026-02-12 12:07:10 [1994] handle_req-Failed group matching
Scope

FortiGate, FortiClient EMS.

Solution

This is a known issue caused by a buffer size limit that prevents loading the full group list. It is resolved in FortiOS 7.2.12, 7.4.8, and 7.6.3.


If a firmware upgrade is not immediately possible, the recommended workaround is to reorder the firewall policies: move the policies that reference the most frequently used SAML groups to the top of the policy list.

This ensures that the groups most users belong to are added to the internal evaluation buffer first, so they are present in the list before the buffer limit is reached. Note that this only shifts which groups fall past the truncation point; users whose groups are still beyond it will continue to fail until the firmware is upgraded. After reordering, rerun the debugs above and confirm that the user's groups now appear in the __compose_group_list_from_req output before fnbam_user_auth_group_match runs.
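The following is an added model of the behaviour described in the Description and Solution sections above; it is not FortiOS code and is not from the article. It parses the groups claim from a SAML attribute fragment like the one shown, composes the candidate group list from a policy table in policy order under a fixed buffer, and shows that the same user fails to match with the original order and matches once the policies referencing their groups are moved to the top. The policy table, the separator cost per group and the buffer size (56 bytes, chosen so that exactly Group_1..Group_7 fit, as in the debug output) are all assumptions; the real FortiOS limit is not stated in the article.

```python
import xml.etree.ElementTree as ET

# Constructed SAML attribute fragment modelled on the one in the article
# (not a captured assertion). The claim URI is the one shown in the article.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ASSERTION_FRAGMENT = """<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
  <AttributeValue>Group_8</AttributeValue>
  <AttributeValue>Group_9</AttributeValue>
</Attribute>"""

# Hypothetical policy table: (policy name, SAML groups it references), listed
# in policy order. Nine single-group policies mirror the debug output, where
# Group_1..Group_7 were loaded before the list was cut short.
POLICIES = [(f"policy_{i}", [f"Group_{i}"]) for i in range(1, 10)]

# Assumed buffer capacity in bytes (not the real FortiOS value): each 7-byte
# name plus one assumed separator byte costs 8, so seven groups fill it.
BUFFER_BYTES = 56


def groups_from_assertion(fragment):
    """Return the set of group values carried by the groups claim."""
    root = ET.fromstring(fragment)
    attrs = [root] if root.tag == "Attribute" else root.findall(".//Attribute")
    groups = set()
    for attr in attrs:
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        for value in attr.findall("AttributeValue"):
            if value.text:
                groups.add(value.text.strip())
    return groups


def compose_group_list(policies, buffer_bytes):
    """Model of __compose_group_list_from_req: walk the policies in order and
    append each referenced group until the buffer is full. Returns the list
    actually loaded and whether it was truncated."""
    loaded, used = [], 0
    for _name, groups in policies:
        for group in groups:
            if group in loaded:
                continue  # a group referenced by several policies is added once
            cost = len(group.encode()) + 1  # name plus assumed separator byte
            if used + cost > buffer_bytes:
                return loaded, True
            loaded.append(group)
            used += cost
    return loaded, False


def group_match(policies, assertion_groups, buffer_bytes):
    """Model of fnbam_user_auth_group_match: intersect the user's asserted
    groups with whatever made it into the buffer."""
    candidates, truncated = compose_group_list(policies, buffer_bytes)
    return sorted(set(candidates) & set(assertion_groups)), truncated


def reorder_policies(policies, hot_groups):
    """The workaround: move policies referencing the commonly used groups to the
    top, keeping the relative order of everything else unchanged."""
    hot = [p for p in policies if any(g in hot_groups for g in p[1])]
    cold = [p for p in policies if p not in hot]
    return hot + cold


if __name__ == "__main__":
    user_groups = groups_from_assertion(ASSERTION_FRAGMENT)
    print("asserted groups:", sorted(user_groups))

    matched, truncated = group_match(POLICIES, user_groups, BUFFER_BYTES)
    print("original order -> matched:", matched, "truncated:", truncated)

    reordered = reorder_policies(POLICIES, user_groups)
    matched, truncated = group_match(reordered, user_groups, BUFFER_BYTES)
    print("reordered      -> matched:", matched, "truncated:", truncated)
```

Run as-is, the original order loads only Group_1..Group_7 and the user matches nothing, reproducing 'Failed group matching'; after reordering, Group_8 and Group_9 are loaded first and the match succeeds. The list is still truncated afterwards, which is why the reorder is only a workaround: whichever groups are pushed past the limit now fail instead.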