Populating Fortigate User Groups from Domain User Groups, LDAP and/or FSSO.
Fortigate 80F 6.4.10
I have LDAP working on the domain DCs and, I believe, I have FSSO also working (but now I'm not sure why).
The objective is to set up domain user groups as usual - and use those as user groups in the Fortigate.
Then any changes in users and organization would flow from the domain settings into the Fortigate.
That's the idea.
There's been good progress with this and it appears that I've actually been focused on LDAP.
If I look at User Definition, I see Type=LDAP, Status=Enabled and Groups is empty!
In User Groups, I have a Group Name list that consists of both "Firewall" and "Fortinet FSSO" entries.
The Firewall entries show Members as the DC names.
The FSSO entries show Members as CN=[domain user group name],OU=xxx,OU=yyy,DC=localname,DC=domain,DC=com.
I don't know why I should care which format is used as long as we can meet our objective.
I only mention this because it may affect which of these group types might be selected or used in getting to Users on the Fortigate.
So now, I would think that the User definition would include all the Group memberships under "Groups"... but it doesn't.
I believe that, at one point, I added a Domain User Group of All Users and the Fortigate User Definition table showed this for each user under Groups. That seemed right.
I can see that one can manually add a User to a Group on the Fortigate. But that defeats the purpose of using domain user groups.
What am I missing?
