rtanagras
Staff
Article Id 365120
Description This article describes a scenario where group matching for SSL VPN authentication on FortiGate was not functioning correctly with DUO SAML for multiple Active Directory groups.
Scope FortiGate.
Solution

Since DUO does not provide an Object ID in the way Azure SAML does, the configuration described below is recommended; otherwise, the debug log will show that no group attribute was found in the DUO SAML response:

[304:root:c58]fsv_saml_auth_group:324 find a group with no match setting: Saml_DUO, portal: SSL VPN-Admin.
[304:root:c58]saml login [304:3160] SAML_WARN: Found a group with no match setting: 'Saml_DUO'


DUO Support confirmed that there is no need to define group matching explicitly, as long as the Group Membership Attribute (Group Name textbox) matches the group name defined in FortiGate.


[Screenshot: 2024-12-17 13 36 48.jpg]


In the screenshot above, the 'example_group' should match the group name in FortiGate, and the Group Match should be set to 'Any'.

[Screenshot: 2024-12-17 13 39 03.jpg]


However, it is crucial to use the DUO 'Fortinet' application template, which DUO designed specifically for Fortinet, rather than the generic DUO application template referenced in the following article: Fortinet Technical Tip on SAML SSL-VPN with DUO.
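As an added illustration (not part of the original article), the FortiOS CLI equivalent of the settings described above, assuming the SAML server object is named Saml_DUO, the DUO Group Membership Attribute is named "group", and the user group is "example_group". The first block is an Azure-style explicit match on an Object ID, which DUO cannot satisfy; the second is the name-based match that corresponds to Group Match = Any.

```text
# Azure-style explicit group match (does NOT work with DUO SAML):
# DUO sends no Object ID, so this match entry is never satisfied.
config user group
    edit "example_group"
        set member "Saml_DUO"
        config match
            edit 1
                set server-name "Saml_DUO"
                set group-name "<azure-object-id-placeholder>"
            next
        end
    next
end

# Name-based match that works with DUO (GUI: Group Match = Any).
# 'group-name' on the SAML server object is the attribute NAME DUO sends
# (assumed here to be "group"); other SAML server settings such as IdP
# URLs and certificate are omitted. The attribute VALUE sent by DUO must
# equal the FortiGate user group name "example_group", which is also what
# is entered in the DUO Group Name box.
config user saml
    edit "Saml_DUO"
        set group-name "group"
    next
end
config user group
    edit "example_group"
        set member "Saml_DUO"
        config match
            edit 1
                set server-name "Saml_DUO"
            next
        end
    next
end
```

With the second form, the SSL VPN portal mapping for "example_group" is populated from the group name in the assertion rather than from an identifier DUO does not provide.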
