akushwaha
Staff
February 12, 2026

Troubleshooting Tip: SAML username not displayed correctly in the firewall authentication list

Description

This article describes an issue where the correct SAML username does not appear in the firewall authentication list.

Scope

FortiGate.

Solution

Core problem:

After SAML SSO succeeds, authentication works (access is granted and policies match), but the username displayed in FortiGate's authenticated users list is the connecting FortiClient's UID rather than the user's name. This often confuses administrators monitoring sessions or applying user-based policies and logging.
The following is the authentication list output for an authenticated user:
diagnose firewall auth list

192.168.192.10, F5A7D248073844F9AE951871D295D29D <----- Username.
type: fw, id: 0, duration: 736, idled: 736
flag(400): ha
packets: in 0 out 0, bytes: in 0 out 0
group_id: 6
group_name: VPN-GROUP
192.168.192.11, F5A7D248073844F9AE951871D295D29D <----- Username.
type: fw, id: 0, duration: 292, idled: 292
flag(400): ha
packets: in 0 out 682, bytes: in 0 out 48654
group_id: 6
group_name: VPN-GROUP

----- 2 listed, 0 filtered ------
Cause:

The FortiClient UID is used as the username for a VPN connection when FortiGate cannot read any other username from the SAML Response. Usually this is the result of a mismatch between the IdP and FortiGate configuration: the IdP (Azure Entra ID, Okta, etc.) sent the intended username in an attribute whose name does not match the attribute defined in the FortiGate SAML configuration.
config user saml

    edit <saml server>

        set user-name 'username' <----- Common FortiOS default.

    next

end
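To make the lookup concrete, the following added example (not FortiOS code, and not part of the original article) models how the `set user-name` attribute is matched against the AttributeStatement of a SAML assertion, and which name would then appear in the authentication list. The assertion, the `objectidentifier` claim value and the function names are constructed for the illustration; the fallback-to-UID rule is the behaviour described above.

```python
"""Added example (not FortiOS code): model how the `set user-name` attribute
in `config user saml` is looked up in a SAML Response, and which name ends
up in the authentication list when the lookup fails."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the IdP sends the intended username under an
# Entra ID claim URI, not under the FortiOS default attribute 'username'.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Test User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return attrs

def displayed_username(assertion_xml: str, user_name_attr: str, forticlient_uid: str) -> str:
    """Name shown in `diagnose firewall auth list`, as the article describes: the value of
    the configured attribute if the assertion carries it, otherwise the FortiClient UID."""
    values = saml_attributes(assertion_xml).get(user_name_attr)
    return values[0] if values else forticlient_uid

def looks_like_forticlient_uid(name: str) -> bool:
    """Heuristic for spotting the symptom: the UID in the article is a 32-digit hex string."""
    return re.fullmatch(r"[0-9A-Fa-f]{32}", name) is not None

def suspicious_auth_list_users(auth_list_output: str) -> list:
    """(ip, username) pairs from `diagnose firewall auth list` output whose username
    looks like a FortiClient UID; assumes the 'ip, username' line format shown above."""
    hits = []
    for line in auth_list_output.splitlines():
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)", line)
        if m and looks_like_forticlient_uid(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Run `saml_attributes()` over the assertion captured in the SAML debug to list the attribute names the IdP actually sent, then compare them with the `user-name` value configured on the FortiGate.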
Resolution:
To view the attributes sent by the IdP in FortiOS, collect a SAML debug of an authentication attempt.
Either configure the IdP to send the attribute name expected by the FortiGate, or modify the FortiGate to use the attribute name shown in the SAML debug output. For the example above, the FortiOS configuration change that resolves the issue is as follows:
config user saml

    edit <saml server>

        set user-name 'http://schemas.microsoft.com/identity/claims/displayname'

    next

end
Afterwards, the username is displayed correctly in the Authentication List:
diagnose firewall auth list

192.168.196.11, Test User
type: fw, id: 0, duration: 10, idled: 10
flag(400): ha
packets: in 0 out 0, bytes: in 0 out 0
group_id: 6
group_name: VPN-GROUP
Note: If SAML users are able to connect to VPN successfully but never appear in the authentication list, configure the intended user group(s) on firewall policies instead of the VPN phase1-interface. See Technical Tip: How to use multiple groups with EAP for IKEv2 (SAML/RADIUS/local).