btan
Staff
Article Id 350060

Description

This article describes how to resolve an issue where FortiGate does not display the Xauth username correctly for SAML-authenticated IPsec IKEv2 tunnels.

Scope

FortiOS 7.2.6 onwards (7.2 branch), 7.4.0 and 7.4.1.

SAML-authenticated IPsec IKEv2 VPN is supported in FortiClient 7.2.3 and later.

Solution

In the FortiGate GUI, under Dashboard -> IPsec Monitor, the 'Xauth User' column shows the FortiClient UID instead of the actual username.

 

Run the following command in the CLI:

FortiGate (root) # diagnose vpn ike gateway list

vd: root/0
name: FCT_SAML_
version: 2
interface: vlan5555 55
addr: 5.5.5.5:4500 -> 5.5.5.6:64917
tun_id: 192.168.1.1/::10.0.0.185
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 149s ago
eap-user: 48B5CB6355D24C8C9BA77807C8DB6CB7 <-- The FortiClient UID is shown instead of the actual username.
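To check every tunnel at once rather than reading the output by eye, the following added script (not part of the original article and not Fortinet code) parses `diagnose vpn ike gateway list` output into one record per gateway and flags any whose eap-user has the shape of a FortiClient UID (32 hexadecimal characters, as in the output above) instead of a username. The sample input is constructed: the first gateway is the one from this article, the second is a hypothetical gateway with a real username, included to show the check passing.

```python
import re

# Constructed sample input: the gateway from the article, plus a hypothetical
# second gateway whose eap-user is a real username (assumed, for contrast).
SAMPLE_OUTPUT = """\
vd: root/0
name: FCT_SAML_
version: 2
interface: vlan5555 55
addr: 5.5.5.5:4500 -> 5.5.5.6:64917
tun_id: 192.168.1.1/::10.0.0.185
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 149s ago
eap-user: 48B5CB6355D24C8C9BA77807C8DB6CB7

vd: root/0
name: FCT_SAML_
version: 2
interface: vlan5555 56
addr: 5.5.5.5:4500 -> 5.5.5.7:51022
tun_id: 192.168.1.1/::10.0.0.186
network-id: 0
transport: UDP
created: 30s ago
eap-user: jdoe@example.com
"""

# A FortiClient UID is a 32-character hexadecimal string (128 bits), which is the
# shape seen in the article's output. A real SAML username practically never is.
UID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_gateways(text):
    """Split `diagnose vpn ike gateway list` output into one dict per gateway.

    A new record starts at each 'vd:' line. Each 'key: value' line is split on
    the FIRST colon only, so values containing colons (addr, tun_id) survive.
    Blank lines and lines without a colon are ignored.
    """
    gateways = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "vd":
            current = {}
            gateways.append(current)
        if current is not None:
            current[key] = value
    return gateways


def looks_like_uid(value):
    """True when the value has the shape of a FortiClient UID rather than a username."""
    return bool(UID_RE.match(value))


def find_uid_users(text):
    """Return (gateway name, addr, eap-user) for every gateway affected by the issue."""
    hits = []
    for gw in parse_gateways(text):
        user = gw.get("eap-user", "")
        if looks_like_uid(user):
            hits.append((gw.get("name", "?"), gw.get("addr", "?"), user))
    return hits


if __name__ == "__main__":
    # Replace SAMPLE_OUTPUT with output captured from the FortiGate CLI to check a real unit.
    for name, addr, user in find_uid_users(SAMPLE_OUTPUT):
        print(f"{name} {addr}: eap-user is a FortiClient UID ({user}), not a username")
```

Paste real CLI output into SAMPLE_OUTPUT (or read it from a file) to run the check against a live unit; an empty result means every SAML tunnel is reporting a username and the workaround below is not needed on that unit.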

 

Workaround: under the SSO settings, change the user-name attribute of the SAML server so that FortiGate takes the username from the display name claim instead of 'username':

config user saml
    edit "<SAML SERVER>"
        set user-name http://schemas.microsoft.com/identity/claims/displayname
    next
end

The claim name above is the display name claim sent by Microsoft Entra ID (Azure AD); the IdP must actually include it in the SAML assertion for this to work. Note that a display name is not guaranteed to be unique, so two users with the same display name cannot be told apart in the IPsec Monitor or in logs while this workaround is in place.

This is a known issue in FortiOS versions earlier than 7.4.2. The permanent solution is to upgrade FortiOS to 7.4.2 or later.