The settings below seem to be correct, with the FortiGate SP matching the FortiAuthenticator IDP group attribute.

config user saml

    edit "faccldfgt"

        set cert "Fortinet_Factory"

        set entity-id "https://10.191.19.149:44444/remote/saml/metadata"

        set single-sign-on-url "https://10.191.19.149:44444/remote/saml/login"

        set single-logout-url "https://10.191.19.149:44444/remote/saml/logout"

        set idp-entity-id "http://fac.local/saml-idp/faccldfgt/metadata/"

        set idp-single-sign-on-url "https://fac.local/saml-idp/faccldfgt/login/"

        set idp-single-logout-url "https://fac.local/saml-idp/faccldfgt/logout/"

        set idp-cert "faccldfgt"

        set user-name "user"

        set group-name "group"

        set digest-method sha1

    next

end

1. Despite this, the debug shows no group info and SSL VPN fails to connect. The user is signed out immediately after login.

...

diag debug cons timestamp enable
diag debug app saml -1
diag debug app sslvpn -1
diag debug enable

...

samld_send_common_reply [122]: Attr: 17, 27, magic=ad3cf73b6f7f05a5
samld_send_common_reply [118]: Attr: 10, 18, 'user' 'testuser'
samld_send_common_reply [122]: Attr: 11, 1114, <--- SAML Request URL.
2023-07-31 14:58:40 [190:root:1fc]stmt: user
2023-07-31 14:58:40 [190:root:1fc]fsv_saml_login_response:480 Got saml username: testuser.
2023-07-31 14:58:40 [190:root:1fc]fsv_saml_login_response:510 No group info in SAML response.
2023-07-31 14:58:40 [190:root:1fc]fsv_saml_login_resp_cb:173 SAML group mismatch.
fortigate (root) # 2023-07-31 14:58:47 [190:root:1fc]req: /remote/saml/logout?SAMLResponse=3VhZk6N
2023-07-31 14:58:47 [190:root:1fc]fsv_rmt_saml_logout_cb:35 got SAML logout request.

...

Make sure the user and group user attributes match the server type set in the realm.
In the broken example above, the user attribute is set to Remote LDAP Server, Group, and the message No group info in SAML response is received.
This is incorrect, as the IdP realm is set to local. 

The correct user attribute is FortiAuthenticator, Group.
After changing the attribute to the correct value, group info is received. Because the group matches, SSL-VPN connects.

...
samld_send_common_reply [122]: Attr: 17, 27, magic=4e84e3f0c7c5aa35
samld_send_common_reply [118]: Attr: 10, 18, 'user' 'testuser'
samld_send_common_reply [118]: Attr: 10, 20, 'group' 'testgroup'
samld_send_common_reply [118]: Attr: 10, 21, 'group' 'testgroup2'
samld_send_common_reply [122]: Attr: 11, 1120, <SAML request URL>
2023-07-31 16:58:17 [190:root:200]stmt: user
2023-07-31 16:58:17 [190:root:200]fsv_saml_login_response:480 Got saml username: testuser.
2023-07-31 16:58:17 [190:root:200]stmt: group
2023-07-31 16:58:17 [190:root:200]fsv_saml_login_response:490 Got group username: testgroup.
2023-07-31 16:58:17 [190:root:200]stmt: group
2023-07-31 16:58:17 [190:root:200]fsv_saml_login_response:490 Got group username: testgroup2.
2023-07-31 16:58:17 [190:root:200]fsv_saml_auth_group:311 find a remote match group: testgroup, portal: full-access, group: saml-faccldfgt1.
...

2. When using an LDAP remote server in the realm, group info might be missing due to an incorrect group filter set on FortiGate: set group-name "Users".

samld_send_common_reply [95]: Attr: 10, 22, 'username' 'test'
samld_send_common_reply [95]: Attr: 10, 55, 'group' 'CN=Users,CN=Builtin,DC=bogusinc,DC=local'

In this example, the correct and complete group value is CN=Users,CN=Builtin,DC=bogusinc,DC=local not Users as configured on FortiGate.

fortigate (root) # show user group FAC-SAML-LDAP-LAB
config user group
    edit "FAC-SAML-LDAP-LAB"
        set member "fgtlab149-sslvpn"
            config match
                edit 3
                    set server-name "fgtlab149-sslvpn"
                    set group-name "CN=Users,CN=Builtin,DC=bogusinc,DC=local"
                next

3. Similar issues can be seen when FortiAuthenticator is a proxy for Azure/Entra.

Despite having the correct configuration, the auth is still failing with no group info.

config user saml
    set user-name "username"
    set group-name "groups"

fortigate (test-vdom) # show user group fac_fgt149.44433_saml
config user group
    edit "fac_fgt149.44433_saml"
        set member "fgt14944433"
            config match
                edit 1
                    set server-name "fgt14944433"
                    set group-name "69e69f0a-1eca-4d83-8d91-47c6436b8143"
                next

FortiGate debug should show why this is failing:

samld_send_common_reply [95]: Attr: 10, 34, 'user' 'test.user@acmeinc.net'
2025-03-28 13:10:30 [2099:test-vdom:1107]fsv_saml_auth_group:488 no matching group found.

But in FortiAuthenticator GUI debug group info from Azure/Entra can be seen:

https://<FortiAuthenticatorIp>/debug/gui/

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>69e69f0a-1eca-4d83-8d91-47c6436b8143</AttributeValue>
</Attribute>

<Attribute Name="username">
<AttributeValue>test.user@acmeinc.net</AttributeValue>
</Attribute>

If there is no access to Azure/Entra to configure a group claim 'groups' as the FortiGate is expecting in this example, then the FortiAuthenticator can be instructed to look for another claim to extract and pass on group info to the FortiGate.

In the corresponding SP config on the FortiAuthenticator, add/change the group claim as below and use in the Custom field the group claim received from Azure/Entra:

http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

Now the auth should work; the FortiGate is receiving the group info:

samld_send_common_reply [95]: Attr: 10, 38, 'username' 'test.user@acmeinc.net'
samld_send_common_reply [95]: Attr: 10, 52, 'groups' '69e69f0a-1eca-4d83-8d91-47c6436b8143'
2025-03-28 13:44:54 [2099:test-vdom:110e]saml login [2099:4366] SAML_WARN: Found a remote match group.'69e69f0a-1eca-4d83-8d91-47c6436b8143' matches group 'fac_fgt149.44433_saml'