Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Patterson
Staff
Staff

Created on ‎02-16-2022 11:24 PM Edited on ‎03-06-2025 11:35 PM By Moderator

Article Id 204991

Technical Tip: Azure SAML group mismatch , getting error '/remote/logoutok'

Description

 

The article describes a scenario when the group-id attributes are not fetched from Azure, resulting in a group mismatch.

 
Scope
 
Once the user tries to log in via Web SSL VPN, post fetching the username and password user is immediately presented with 'Session Ended' in the browser getting error '/remote/logoutok'.

 

Patterson_0-1645072365368.png

 

Solution

 

To troubleshoot the SAML login process, the following debug can be collected while the user tries to log in:
 

diagnose vpn ssl debug-filter src-addr < User Public IP >

diagnose debug application samld -1
diagnose debug application sslvpn -1
diagnose debug enable

 

Patterson_1-1645073053653.png

 

  • Here the samld reply for the group is not fetching the attribute value.
  • Upon validating the configuration in the Azure portal, under 'Users Attributes & Claims' similar to the configuration of adding 'new claim' for 'username' to define the attribute. Here the 'group' was also configured with 'source attribute'  as 'user.groups'.
  • Deleted the existing claim name 'group' and added a 'group claim', here it is possible to associate the users and add the name 'group' (matching the group-name set in FortiGate). 

 

Patterson_2-1645074658575.png

 

Now run the debug again, once the attribute details are fetched as highlighted and the group-id will be matched.  

 

Patterson_3-1645075082584.png

 

Sample configuration on FortiGate.

 

config user saml
    edit "azure"
        set cert "Fortinet_Factory"
        set entity-id "https://example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://example.com:10443/remote/saml/login"
        set single-logout-url "https://example.com:10443/remote/saml/login"
        set idp-entity-id "https://sts.windows.net/2fe6762b-2c15-4a51-9779-d487e594fbaf/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/2fe6762b-2c15-4a51-9779-d487e594fbaf/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/2fe6762b-2c15-4a51-9779-d487e594fbaf/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end

 

config user group
    edit "FortiGateAccess"
        set member "azure"
            config match
                edit 1
                    set server-name "azure"
                    set group-name "13da2f27-763e-4931-8b5a-ae5065364e6b"
                next
            end
    next

 

Note:

The same behavior can occur while having the correct 'group-name' value in 'user group' and in 'user saml'. If there is more than one 'Authentication Rules' on the SSL VPN setting without the corresponding firewall policy FortiGate will flag this as a 'mismatch'.

 

Related documents:

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ...

Troubleshooting Tip: SAML group mismatch issue in SSL VPN

Configure group claims for applications by using Microsoft Entra ID

Labels:
19168
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.