FortiGate
Patterson
Article Id 204991

Description

 

This article describes a scenario in which the group-id attribute is not fetched from Azure, resulting in a group mismatch.

 
Scope
 
When the user tries to log in via web SSL-VPN, immediately after the username and password are submitted the user is presented with 'Session Ended' in the browser, and the error URL '/remote/logoutok' is shown.

 

[Screenshot: 'Session Ended' page after SSL-VPN login]

 

Solution

 

To troubleshoot the SAML login process, the following debug can be collected while the user tries to log in:
 

# diagnose vpn ssl debug-filter src-addr < >

# diagnose debug application samld -1
# diagnose debug application sslvpn -1
# diagnose debug enable

 

[Screenshot: samld debug output]

 

- Here the samld reply for 'group' contains no attribute value.

 

- Upon validating the configuration in the Azure portal, under 'User Attributes & Claims', a 'new claim' had been added for 'username' to define that attribute, and in the same way 'group' had been configured as a claim with 'source attribute' set to 'user.groups'.

 

- Delete the existing claim named 'group' and add a 'group claim' instead; there, associate the users and set the name 'group' (matching the group-name set on the FortiGate).

 

[Screenshot: Azure group claim configuration]

 

Now run the debug again; once the attribute details are fetched (as highlighted), the group-id will be matched.

 

[Screenshot: samld debug output with the group attribute fetched]

 

Sample configuration on FortiGate:

 

# config user saml
    edit "azure"
        set cert "Fortinet_Factory"
        set entity-id "https://example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://example.com:10443/remote/saml/login"
        set single-logout-url "https://example.com:10443/remote/saml/login"
        set idp-entity-id "https://sts.windows.net/2fe6762b-2c15-4a51-9779-d487e594fbaf/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/2fe6762b-2c15-4a51-9779-d487e594fbaf/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/2fe6762b-2c15-4a51-9779-d487e594fbaf/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end

 

# config user group
    edit "FortiGateAccess"
        set member "azure"
        config match
            edit 1
                set server-name "azure"
                set group-name "13da2f27-763e-4931-8b5a-ae5065364e6b"
            next
        end
    next
end
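The following is an added example, not Fortinet's samld code, that shows the attribute lookup and group matching the configuration above relies on: the assertion's 'username' and 'group' attributes are read from the SAML AttributeStatement, and the group value is compared with the object ID in 'config match'. When the IdP omits the group claim (the failure in this article), no match is found and the login has no FortiGate group, which is why the session ends. The assertion XML is constructed for the demo; signature and condition checks are omitted.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mirrors 'config match': Azure group object ID -> FortiGate user group.
MATCH_GROUPS = {"13da2f27-763e-4931-8b5a-ae5065364e6b": "FortiGateAccess"}


def build_assertion(username, groups):
    """Build a minimal constructed assertion (not a real IdP response)."""
    vals = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    group_attr = f'<saml:Attribute Name="group">{vals}</saml:Attribute>' if groups else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f'<saml:Attribute Name="username"><saml:AttributeValue>{username}'
            f"</saml:AttributeValue></saml:Attribute>{group_attr}"
            "</saml:AttributeStatement></saml:Assertion>")


def saml_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def match_user_group(attrs, user_name_attr, group_name_attr, match_groups):
    """Apply 'set user-name' / 'set group-name' / 'config match'.
    Returns (username, fortigate_group); fortigate_group is None when the
    group attribute is missing or none of its values is a configured ID."""
    user = (attrs.get(user_name_attr) or [None])[0]
    for value in attrs.get(group_name_attr, []):
        if value in match_groups:
            return user, match_groups[value]
    return user, None


if __name__ == "__main__":
    ok = saml_attributes(build_assertion("alice@example.com", list(MATCH_GROUPS)))
    print(match_user_group(ok, "username", "group", MATCH_GROUPS))
    missing = saml_attributes(build_assertion("alice@example.com", []))
    print(match_user_group(missing, "username", "group", MATCH_GROUPS))
```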

 

References:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-FortiGate/t...

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SAML-group-mismatch-issue-in-SSL-VPN...

 

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
