sjoshi
Staff
February 4, 2025

Troubleshooting Tip: User Group Matching Issues in FortiSASE SIA Policies with Azure SSO Integration

Description

This article describes the process for resolving user group matching issues in FortiSASE when integrating with Azure SSO.

 

Scope

FortiSASE and Entra ID SSO authentication.

 

Solution

Azure Entra ID is set up on FortiSASE for VPN SSO. The user can connect to the VPN but does not match the user group defined on FortiSASE. For example, the user groups Test and Test2 are defined on FortiSASE based on the Azure object ID; once the user connects to the VPN, the session should match the respective group and therefore the correct SIA policy for that user group.

[Screenshot: 12.PNG]

The SIA policy on FortiSASE is set as below, so if the user does not match any of the groups, the session matches the default implicit policy and the traffic is blocked.

[Screenshot: 12.PNG]

The user-based policy is not being triggered (0 hit count), while the implicit deny policy is accumulating bytes, so the traffic is denied.

In the SSL/SAML debug output:


samld_send_common_reply [95]: Attr: 10, 99, 'http://schemas.microsoft.com/identity/claims/tenantid' '25bd9be1-1337-46d2-ae0c-b5cd065ff0b8'
samld_send_common_reply [95]: Attr: 10, 107, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '10d42dad-3a7f-4a74-ba47-1abd2e61519d'
samld_send_common_reply [95]: Attr: 10, 83, 'http://schemas.microsoft.com/identity/claims/displayname' 'User One'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '3805a821-cc15-4350-9677-33ecd7643041'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '6780fc2f-042e-487e-aae8-cc50f206cf12'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' 'b5af0637-d047-4f16-ba82-83c547745511'
samld_send_common_reply [95]: Attr: 10, 132, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/25bd9be1-1337-46d2-ae0c-b5cd065ff0b8/'
samld_send_common_reply [95]: Attr: 10, 146, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [95]: Attr: 10, 117, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/claims/multipleauthn'
samld_send_common_reply [95]: Attr: 10, 80, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'User'
samld_send_common_reply [95]: Attr: 10, 77, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'One'
samld_send_common_reply [95]: Attr: 10, 87, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' 'user@abc.com'
samld_send_common_reply [95]: Attr: 10, 79, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'user1@abc.com'
samld_send_common_reply [95]: Attr: 10, 29, 'username' 'user1@abc.com'


samld_send_common_reply [119]: Sent resp: 18594, pid=2992, job_id=1706.
2024-11-27 12:37:11 [2992:root:6aa]saml login [2992:1706] SAML_PROCESS_LOGIN_RESPONSE: Processing login response
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/identity/claims/tenantid
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/identity/claims/displayname
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

2024-11-27 12:37:11 [2992:root:6aa]stmt: username
2024-11-27 12:37:11 [2992:root:6aa]fsv_saml_login_response:678 Got saml username: user1@abc.com.
2024-11-27 12:37:11 [2992:root:6aa]saml login [2992:1706] SAML_RESPONSE_USER: 'user1@abc.com'
2024-11-27 12:37:11 [2992:root:6aa]fsv_saml_login_response:721 No group info in SAML response. >> it is not matching any of the groups from the Azure side
2024-11-27 12:37:11 [2992:root:6aa]saml login [2992:1706] SAML_RESPONSE_GROUP: Not available

2024-11-27 12:37:11 [2992:root:6aa]saml login [2992:1706] SAML_WARN: Found a group with no match setting: 'VPN_SSO_AUTH_GROUP' >> it is matching the local default group, which is why the user-based SIA policy is not matching

The group name attribute on the Azure side is 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'.

Verify the attribute configured on the FortiSASE side. Go to Configuration -> VPN User SSO.

[Screenshot: 2131.PNG]

Solution:

The Group Name attribute value configured on FortiSASE does not match the attribute name Azure sends in the SAML assertion, so the user cannot be mapped to the correct user group.

Changing the Group Name attribute to 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' on the FortiSASE side resolves the issue.
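As an added example (not part of the original article and not Fortinet code), the following Python script parses the samld debug lines shown above, reports whether the Group Name attribute configured on FortiSASE is present in the assertion, and lists which FortiSASE user groups the asserted group object IDs map to. The sample trace is a trimmed copy of the debug output above; the group-to-object-ID mapping (Test, Test2) and the pre-fix attribute value 'urn:example:wrong-group-attribute' are constructed placeholders, since the article does not show the original misconfigured value or the real group IDs.

```python
"""Check a FortiSASE/FortiOS SAML debug trace for the group-claim mismatch
described in this article.

The parser pulls every 'samld_send_common_reply ... Attr:' line out of the
debug output, then compares the Group Name attribute configured on the
FortiSASE side against the attribute names actually present in the assertion.
The sample trace, the pre-fix attribute value and the group-to-object-ID
mapping below are constructed for illustration.
"""
import re
from collections import defaultdict

# Matches the attribute lines emitted by the samld debug, e.g.
# samld_send_common_reply [95]: Attr: 10, 108, '<name>' '<value>'
ATTR_RE = re.compile(r"Attr:\s*\d+,\s*\d+,\s*'([^']*)'\s*'([^']*)'")

# The claim name Azure Entra ID uses for group object IDs (from the article).
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: a trimmed copy of the debug lines shown in the article.
SAMPLE_DEBUG = """\
samld_send_common_reply [95]: Attr: 10, 107, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '10d42dad-3a7f-4a74-ba47-1abd2e61519d'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '3805a821-cc15-4350-9677-33ecd7643041'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '6780fc2f-042e-487e-aae8-cc50f206cf12'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' 'b5af0637-d047-4f16-ba82-83c547745511'
samld_send_common_reply [95]: Attr: 10, 79, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'user1@abc.com'
samld_send_common_reply [95]: Attr: 10, 29, 'username' 'user1@abc.com'
samld_send_common_reply [119]: Sent resp: 18594, pid=2992, job_id=1706.
"""

# Constructed assumption: which Azure group object IDs the FortiSASE user
# groups Test and Test2 were created from. The article does not list them.
FORTISASE_GROUPS = {
    "Test": "3805a821-cc15-4350-9677-33ecd7643041",
    "Test2": "6780fc2f-042e-487e-aae8-cc50f206cf12",
}


def parse_saml_attrs(debug_text):
    """Return {attribute_name: [values...]} from samld debug output.
    Repeated attributes (the groups claim) accumulate one value per line."""
    attrs = defaultdict(list)
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            name, value = m.groups()
            attrs[name].append(value)
    return dict(attrs)


def diagnose_group_matching(attrs, configured_group_attr, fortisase_groups):
    """Explain why a user does or does not land in a FortiSASE user group.

    Returns a dict with:
      attr_present  - the configured Group Name attribute exists in the assertion
      asserted_ids  - group object IDs carried under that attribute
      matched       - FortiSASE group names whose object ID is in the assertion
      hint          - a one-line diagnosis for the operator
    """
    asserted = attrs.get(configured_group_attr, [])
    matched = sorted(n for n, oid in fortisase_groups.items() if oid in asserted)
    if not asserted:
        # The article's failure mode: FortiOS logs "No group info in SAML
        # response", the user falls back to the SAML server's default group,
        # and no user-based SIA policy matches.
        present = [n for n in attrs if n.endswith("/groups")]
        hint = ("Group Name attribute '%s' not found in the assertion; "
                "the IdP sent group claims under %s" % (configured_group_attr, present))
    elif not matched:
        hint = "Group claim present but no asserted object ID maps to a FortiSASE group"
    else:
        hint = "User maps to FortiSASE group(s): " + ", ".join(matched)
    return {"attr_present": bool(asserted), "asserted_ids": asserted,
            "matched": matched, "hint": hint}


if __name__ == "__main__":
    attrs = parse_saml_attrs(SAMPLE_DEBUG)
    # Hypothetical placeholder for the non-matching value configured before the fix.
    before = diagnose_group_matching(attrs, "urn:example:wrong-group-attribute", FORTISASE_GROUPS)
    after = diagnose_group_matching(attrs, AZURE_GROUPS_CLAIM, FORTISASE_GROUPS)
    print("before:", before["hint"])
    print("after :", after["hint"])
```

Running the script prints the "before" diagnosis (attribute not found, with the claim name the IdP actually used) and the "after" diagnosis showing the user mapped to Test and Test2. To use it on a real case, paste the samld attribute lines from `diagnose debug application samld -1` into SAMPLE_DEBUG and replace the placeholder group mapping with the object IDs configured on FortiSASE.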