Description
This article describes a scenario in which the group-id attribute is not fetched from Azure, resulting in a group mismatch on the FortiGate.
Solution
# diagnose vpn ssl debug-filter src-addr < >
# diagnose debug application samld -1
# diagnose debug application sslvpn -1
# diagnose debug enable
- In the samld debug output, the IdP reply does not carry a value for the group attribute.
- Validating the configuration in the Azure portal under 'User Attributes & Claims' shows that, in the same way a 'new claim' was added for 'username' to define that attribute, a claim named 'group' was also added with 'user.groups' as its source attribute.
- Delete the existing claim named 'group' and add a 'group claim' instead; here the user's groups can be associated, and the claim name is set to 'group' (matching the group-name set on the FortiGate).
Now run the debug again: once the attribute details are fetched (as highlighted in the output), the group-id is matched.
Sample configuration on the FortiGate:
# config user saml
    edit "azure"
        set cert "Fortinet_Factory"
        set entity-id "https://example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://example.com:10443/remote/saml/login"
        set single-logout-url "https://example.com:10443/remote/saml/login"
        set idp-entity-id "https://sts.windows.net/2fe6762b-2c15-4a51-9779-d487e594fbaf/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/2fe6762b-2c15-4a51-9779-d487e594fbaf/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/2fe6762b-2c15-4a51-9779-d487e594fbaf/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end
# config user group
    edit "FortiGateAccess"
        set member "azure"
        # config match
            edit 1
                set server-name "azure"
                set group-name "13da2f27-763e-4931-8b5a-ae5065364e6b"
            next
        end
    next
end
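As an added example that is not part of the Fortinet article, the Python script below does offline what the samld debug step above lets you inspect on the box: it parses a SAML Response, lists the attributes the IdP returned, and checks them against the `user-name`/`group-name` settings of the SAML server and the `config match` entry of the user group from the sample configuration. Both embedded responses are constructed, not captured from Azure: the first carries the 'group' claim (the state after the Azure group-claim fix), the second omits it (the mismatch described above). The attribute name 'group' and the group object ID come from the sample configuration; the second group ID in the first response is a placeholder.

```python
# Added example, not from the Fortinet article: parse a SAML Response and check
# its attributes against the FortiGate SAML server / user group configuration.
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Mirrors 'config user saml' -> set user-name / set group-name in the article.
SAML_SERVER = {"user-name": "username", "group-name": "group"}

# Mirrors 'config user group' -> 'config match' entries in the article.
USER_GROUPS = {
    "FortiGateAccess": {
        "server-name": "azure",
        "group-name": "13da2f27-763e-4931-8b5a-ae5065364e6b",
    },
}

# Constructed sample: IdP reply after the Azure 'group claim' fix (attribute present).
# The second group ID is a placeholder, not a real Azure object ID.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/2fe6762b-2c15-4a51-9779-d487e594fbaf/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>13da2f27-763e-4931-8b5a-ae5065364e6b</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: IdP reply before the fix, the 'group' attribute is missing.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Issuer>https://sts.windows.net/2fe6762b-2c15-4a51-9779-d487e594fbaf/</saml:Issuer>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml: str) -> dict[str, list[str]]:
    """Return {attribute name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(response_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def evaluate(response_xml: str) -> dict:
    """Apply the user-name / group-name lookup and report why a group match fails."""
    attrs = extract_attributes(response_xml)
    users = attrs.get(SAML_SERVER["user-name"], [])
    groups = attrs.get(SAML_SERVER["group-name"], [])
    # A FortiGate user group matches when any returned group value equals its match entry.
    matched = [name for name, m in USER_GROUPS.items() if m["group-name"] in groups]
    if not users:
        reason = "no '%s' attribute in assertion" % SAML_SERVER["user-name"]
    elif not groups:
        reason = ("no '%s' attribute in assertion: check the group claim under "
                  "Azure 'User Attributes & Claims'" % SAML_SERVER["group-name"])
    elif not matched:
        reason = "group attribute present but no value equals a 'config match' group-name"
    else:
        reason = "ok"
    return {"user": users[0] if users else None, "groups": groups,
            "matched": matched, "reason": reason}


if __name__ == "__main__":
    for label, xml in (("after fix", GOOD_RESPONSE), ("before fix", BAD_RESPONSE)):
        result = evaluate(xml)
        print(label, result["user"], result["matched"], result["reason"])
```

The attribute name looked up is exactly the string given to `set group-name` on the SAML server, so a claim that Azure emits under a different name is ignored even when its values are correct; that is the same condition the samld debug output exposes as an empty group reply.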
References
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
Copyright 2024 Fortinet, Inc. All Rights Reserved.