Troubleshooting Tip: Policy with src groups from IDP FortiAuthenticator on-premise, FortiSASE error: 'Found a group with no match setting'
| Description | This article describes how to resolve a scenario where the group-id attributes are not fetched from IDP FortiAuthenticator on-premises, resulting in no hits on Policies with the source group on FortiSASE. |
| Scope | FortiSASE, FortiAuthenticator. |
| Solution | In the FortiSASE policy overview, only the Policy that allows VPN users traffic shows hits. The policy with defined source groups from FortiAuthenticator does not show hits:
In the 'VPN User SSO' section, the SSO configuration test may show the following message, if all is configured correctly: 'Found a group with no match setting'.
In this screenshot, the group attribute is written in uppercase. Keep in mind that FortiSASE handles the group attributes case-sensitive. Best practice is to keep all names and values in lowercase, to avoid confusion.
|
