Created on 02-16-2022 11:24 PM, edited on 03-06-2025 11:35 PM, by Jean-Philippe_P
Description
This article describes a scenario where the group-id attribute is not fetched from Azure, so the FortiGate reports a group mismatch for the SSL VPN SAML user.
Solution
Run the following debug commands on the FortiGate to capture the SAML exchange for the affected user:
diagnose vpn ssl debug-filter src-addr < User Public IP >
diagnose debug application samld -1
diagnose debug application sslvpn -1
diagnose debug enable
- In the samld debug output, the reply for the group does not contain any attribute value.
- Validating the configuration in the Azure portal under 'User Attributes & Claims' showed that 'group' had been added as a regular 'new claim' (the same way the 'username' attribute is defined), with 'source attribute' set to 'user.groups'.
- Delete the existing claim named 'group' and add a 'group claim' instead; in the group claim it is possible to select the groups associated with the users and to set the claim name to 'group' (matching the group-name configured on the FortiGate).
Run the debug again: once the attribute details are fetched, the group-id is matched.
Sample configuration on FortiGate (the group-name under 'config match' is the object ID of the Azure group):
config user saml
    edit "azure"
        set cert "Fortinet_Factory"
        set entity-id "https://example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://example.com:10443/remote/saml/login"
        set single-logout-url "https://example.com:10443/remote/saml/login"
        set idp-entity-id "https://sts.windows.net/2fe6762b-2c15-4a51-9779-d487e594fbaf/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/2fe6762b-2c15-4a51-9779-d487e594fbaf/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/2fe6762b-2c15-4a51-9779-d487e594fbaf/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "FortiGateAccess"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "13da2f27-763e-4931-8b5a-ae5065364e6b"
            next
        end
    next
end
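As an added illustration (not from the article or from Fortinet), the following Python script parses a SAML assertion the way the FortiGate reads it and reports the same mismatch when the 'group' claim carries no value. The claim names and the group object ID come from the configuration above; the two assertions are constructed samples, not real Azure output.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names the FortiGate reads (config user saml: set user-name / set group-name)
USER_ATTR = "username"
GROUP_ATTR = "group"
# Azure group object ID from config user group -> config match -> set group-name
EXPECTED_GROUP = "13da2f27-763e-4931-8b5a-ae5065364e6b"


def saml_attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_group_match(assertion_xml, expected_group=EXPECTED_GROUP):
    """Mimic the FortiGate check: the group claim must exist and carry the matched ID."""
    attrs = saml_attributes(assertion_xml)
    if not attrs.get(USER_ATTR):
        return False, "user-name claim '%s' missing" % USER_ATTR
    if not attrs.get(GROUP_ATTR):
        return False, "group-name claim '%s' missing or empty: group mismatch" % GROUP_ATTR
    if expected_group not in attrs[GROUP_ATTR]:
        return False, "group claim present but does not contain %s" % expected_group
    return True, "user %s matched group %s" % (attrs[USER_ATTR][0], expected_group)


# Constructed sample assertions, reduced to the AttributeStatement (not real Azure output).
# BROKEN: 'group' added as a plain claim sourced from user.groups, so no value is emitted.
BROKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="group"/>
</saml:AttributeStatement></saml:Assertion>"""
# FIXED: a proper group claim named 'group' carrying the group object ID.
FIXED = BROKEN.replace('<saml:Attribute Name="group"/>',
    '<saml:Attribute Name="group"><saml:AttributeValue>'
    + EXPECTED_GROUP + '</saml:AttributeValue></saml:Attribute>')

if __name__ == "__main__":
    for label, assertion in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_group_match(assertion))
```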
Note:
The same behavior can occur even when the 'group-name' value is correct in both 'user group' and 'user saml': if there is more than one authentication rule in the SSL VPN settings without a corresponding firewall policy, the FortiGate flags this as a 'mismatch'.
Related documents:
Troubleshooting Tip: SAML group mismatch issue in SSL VPN
Configure group claims for applications by using Microsoft Entra ID