Troubleshooting Tip: VPN IKEv2 SAML login with no user group
| Description | This article describes a behavior where users authenticate successfully against an IPsec VPN (IKEv2 with SAML), but the login carries no group information, so group-based firewall policies do not match. |
| Scope | FortiGate v7.4.7. |
Solution:

The SAML connector is configured correctly (elided values shown as '...'):

```
config user saml
    edit "IPsec-SAML"
        set cert "Fortinet_Factory"
        set entity-id "https://remote...de01:10428/remote/saml/metadata"
        set single-sign-on-url "https://remote...de01:10428/remote/saml/login"
        set single-logout-url "https://remote...de01:10428/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/f1a72219-.../"
        set idp-single-sign-on-url "https://login.microsoftonline.com/f1a72219-.../saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/f1a72219-.../saml2"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
        set digest-method sha1
    next
end
```

Two user groups are also created: a specific group restricted by the IdP object ID of the group claim, and a global group with no match restriction:

```
config user group
    edit "Specific_Group"
        set member "IPsec-SAML"
        config match
            edit 1
                set server-name "IPsec-SAML"
                set group-name "<object ID>"
            next
        end
    next
    edit "Global-group"
        set member "IPsec-SAML"
    next
end
```

The IKEv2 dynamic tunnel references the global group in 'authusrgrp':

```
config vpn ipsec phase1-interface
    edit "VPN_TEST"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set ipv4-dns-server1 172.17.60.6
        set ipv4-dns-server2 8.8.8.8
        set eap-identity send-request
        set authusrgrp "Global-group"
        set psksecret 11111111
        set dpd-retryinterval 60
    next
end
```

Although the specific group is referenced in the firewall policy, the login succeeds but does not retrieve any group information, so the policy's group restriction is never satisfied:

```
config firewall policy
    edit 117
        set name "VPN_TEST -> LAN"
        set srcintf "VPN_TEST"
        set dstintf "port3"
        set action accept
        set srcaddr "IPSec_Tunnel_Addr1"
        set dstaddr "LAN2_port3 address"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "Specific_Group"
    next
end
```

Solution: In the VPN settings, remove the global user group configured in the 'authusrgrp' parameter, so that group membership is evaluated through the 'groups' setting of the firewall policy instead:

```
config vpn ipsec phase1-interface
    edit "VPN_TEST"
        unset authusrgrp
    next
end
```
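As an added check that is not part of the article, the following Python lint parses a FortiOS-style CLI excerpt (constructed here from the object names above) and flags an IKEv2 dynamic tunnel that still has 'authusrgrp' set while a firewall policy on that tunnel relies on 'set groups'. The parser and the function names are assumptions of this example, not a Fortinet tool.

```python
import shlex
# Constructed FortiOS CLI excerpt reusing the article's object names (sample values).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VPN_TEST"
        set ike-version 2
        set eap-identity send-request
        set authusrgrp "Global-group"
    next
end
config firewall policy
    edit 117
        set srcintf "VPN_TEST"
        set groups "Specific_Group"
    next
end
"""
def parse_fortios(text):
    """Parse top-level config/edit/set/next/end blocks; nested sub-tables are skipped."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(" ".join(args))
            tables.setdefault(stack[0], {})
        elif cmd == "end":
            stack.pop()
        elif len(stack) != 1:
            continue  # inside a nested sub-table such as 'config match'
        elif cmd == "edit":
            entry = tables[stack[0]].setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
    return tables  # {table: {entry: {key: [values]}}}
def find_authusrgrp_conflicts(cfg):
    """Flag IKEv2 tunnels that still set 'authusrgrp' while a policy on that tunnel relies on 'groups'."""
    findings = []
    for tunnel, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if "authusrgrp" not in p1 or p1.get("ike-version", [""])[0] != "2":
            continue
        for pid, pol in cfg.get("firewall policy", {}).items():
            if tunnel in pol.get("srcintf", []) and pol.get("groups"):
                findings.append((tunnel, p1["authusrgrp"][0], pid, pol["groups"]))
    return findings
```

Running it against the sample reports the 'VPN_TEST' tunnel and policy 117; deleting the 'set authusrgrp' line (the article's fix) clears the finding.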
