Description | This article describes a scenario where group matching for SSL VPN authentication on FortiGate was not functioning correctly with DUO SAML for multiple Active Directory groups. |
Scope | FortiGate. |
Solution |
Since DUO does not send an Object ID the way Azure SAML does, the configuration below is recommended; otherwise the SSL VPN SAML debug output will show that no group attribute in the DUO SAML response matched the group:
[304:root:c58]fsv_saml_auth_group:324 find a group with no match setting: Saml_DUO, portal: SSL VPN-Admin.
DUO Support confirmed that group matching does not need to be defined explicitly, as long as the Group Membership Attribute (the Group Name text box) matches the group name defined on the FortiGate.
In the DUO application settings shown in the screenshot, 'example_group' must match the group name on the FortiGate exactly, and Group Match must be set to 'Any'.
However, it is crucial to use the DUO application template built by DUO specifically for Fortinet, rather than the generic DUO SAML application template used in the related article: Fortinet Technical Tip on SAML SSL-VPN with DUO. |
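To make the matching rule concrete, the following added example (not part of this article and not Fortinet or DUO code) parses a constructed SAML assertion and applies 'Any' group matching: a FortiGate group is matched when its exact name appears among the values of the group attribute. The attribute name "groups", the user name "alice" and the group values are constructed sample data; the FortiGate compares names case-sensitively, so the example does the same. Note what happens when the attribute name the IdP sends differs from the one the FortiGate is configured to read: no values are found and no group matches, which is the failure mode the debug line above reports.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only; not a real DUO response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>example_group</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attribute_values(assertion_xml, attr_name):
    """Return every AttributeValue of the SAML attribute named attr_name."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attr_name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", SAML_NS))
    return values


def match_groups(assertion_xml, group_attr, fortigate_groups):
    """'Any' matching: a FortiGate group matches when its exact name is one of
    the values carried in the group attribute. An empty result means the
    assertion carried no usable group attribute under that name."""
    idp_groups = set(saml_attribute_values(assertion_xml, group_attr))
    return [g for g in fortigate_groups if g in idp_groups]


if __name__ == "__main__":
    # Attribute name agrees with what the IdP sends: the group is matched.
    print(match_groups(SAMPLE_ASSERTION, "groups", ["example_group", "admins"]))
    # Attribute name disagrees (IdP sends "groups", FortiGate expects "memberOf"):
    # nothing matches, the same outcome the debug line above reports.
    print(match_groups(SAMPLE_ASSERTION, "memberOf", ["example_group"]))
```

The practical check this gives you: capture the assertion (for example from the SSL VPN SAML debug output) and confirm both that the attribute name matches what the FortiGate expects and that the group value is spelled exactly as the FortiGate group name.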
Copyright 2024 Fortinet, Inc. All Rights Reserved.