FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
tbarua
Staff
Article Id 418137
Description

 

This article describes how to resolve an issue when FortiAuthenticator fails to generate SSO sessions sourced from a third-party Syslog server.

 

Scope

 

FortiAuthenticator v6.6.6+, FortiGate.

 

Solution

 

FortiAuthenticator can read usernames and IP addresses contained in syslog messages sent by third parties, then forward this data to FSSO so FortiGate can apply identity-based policies.

 

In this scenario, FortiAuthenticator is configured to parse SSL VPN login events received as syslog messages from the FortiGate. The FortiGate, in turn, obtains its SSL VPN logon events from Azure.

 

However, even if the syslog messages arrive successfully at FortiAuthenticator, the associated SSO session may still be missing under: Monitor -> SSO -> SSO Sessions.

 

Debug example in which the IP address and username are extracted successfully:

 

10/29/2025 12:01:57 Extracted IP based on 'tunnelip={{:client_ip}} ': 10.17.10.10
10/29/2025 12:01:57 Combined IP: 10.17.10.10
10/29/2025 12:01:57 Failed to extract IPv6 based on '(null)'
10/29/2025 12:01:57 Extracted user based on 'user="{{:username}}" ': test1.name@fortitest.lab
10/29/2025 12:01:57 Login from '10.17.10.10' (IPv6=''), user 'test1.name@fortitest.lab', group ''

 

In the above example, the username appears in UPN format, while FortiAuthenticator—by default—expects the username in sAMAccountName format.

 

To allow FortiAuthenticator to create Syslog SSO sessions using UPN usernames, enable the following option and specify the correct attribute:

 

Navigate to: Fortinet SSO -> Methods -> Syslog -> Syslog Resources.

Enable the option:

  • Use a different attribute when searching for the user in the remote LDAP server (other than the username attribute in the remote LDAP server config).

Then set:

  • Remote LDAP user attribute: userPrincipalName.

 


After specifying the correct username attribute, the SSL VPN syslog-based SSO sessions will appear properly in the SSO session monitor.
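As an added example (not Fortinet code), the following Python script scans debug output in the format shown above and lists logins whose username shape does not match the attribute used for the remote LDAP search. The function names, the username shape heuristics and the last two sample lines are assumptions made for illustration.

```python
import re

# Final line of a successful extraction in the article's debug output:
#   <date> <time> Login from '<ip>' (IPv6='<ip6>'), user '<user>', group '<group>'
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Login from '(?P<ip>[^']*)' "
    r"\(IPv6='(?P<ip6>[^']*)'\), user '(?P<user>[^']*)', group '(?P<group>[^']*)'\s*$"
)
# Shape heuristic only (assumption): local@domain.tld is treated as a UPN.
UPN_RE = re.compile(r"^[^@\s\\]+@[^@\s\\]+\.[^@\s\\]+$")
# Shape heuristic only (assumption): a bare logon name without '@', '\' or whitespace.
SAM_RE = re.compile(r"^[^@\s\\]+$")


def username_attribute(user):
    """Guess which LDAP attribute a username's shape corresponds to."""
    if UPN_RE.match(user):
        return "userPrincipalName"
    if SAM_RE.match(user):
        return "sAMAccountName"
    return "unrecognized"


def lookup_mismatches(debug_text, search_attr="sAMAccountName"):
    """Return parsed logins whose username shape differs from search_attr,
    the attribute the remote LDAP search is assumed to use."""
    findings = []
    for line in debug_text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # extraction steps, blank lines, unrelated output
        shape = username_attribute(m.group("user"))
        if shape != search_attr:
            findings.append({"time": m.group("ts"), "ip": m.group("ip"),
                             "user": m.group("user"), "shape": shape})
    return findings


# First three lines are from the article; the last two are constructed samples.
SAMPLE_DEBUG = """\
10/29/2025 12:01:57 Extracted IP based on 'tunnelip={{:client_ip}} ': 10.17.10.10
10/29/2025 12:01:57 Extracted user based on 'user="{{:username}}" ': test1.name@fortitest.lab
10/29/2025 12:01:57 Login from '10.17.10.10' (IPv6=''), user 'test1.name@fortitest.lab', group ''
10/29/2025 12:02:10 Login from '10.17.10.11' (IPv6=''), user 'test2', group ''
10/29/2025 12:02:31 Login from '10.17.10.12' (IPv6=''), user '', group ''
"""

if __name__ == "__main__":
    for f in lookup_mismatches(SAMPLE_DEBUG):
        print(f"{f['time']} {f['ip']} user={f['user']!r} looks like {f['shape']}")
```

Pass search_attr="userPrincipalName" after changing the Remote LDAP user attribute to confirm that the remaining logins match the new setting.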

 

Related document:
Syslog