FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
VinayHM
Staff
Article Id 373551
Description This article describes why FortiClient gets stuck at 48% when SSL VPN authentication uses G Suite (Google Workspace) MFA through SAML SSO: the attribute name configured as 'user-name' on FortiGate does not match the attribute name Google sends in the SAML response, so the login is never completed.
Scope FortiGate.
Solution

The SAML user configuration on FortiGate in this case is as follows:

config user saml
    edit "gsuite-sslvpn"
        set cert "Fortinet_Factory"
        set entity-id "https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/metadata/"
        set single-sign-on-url "https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/login/"
        set single-logout-url "https://<FGT-pub-IP>:<port-ssl-vpn>/remote/saml/logout/"
        set idp-entity-id "https://accounts.google.com/o/saml2?idpid="
        set idp-single-sign-on-url "https://accounts.google.com/o/saml2/idp?idpid="
        set idp-single-logout-url "https://accounts.google.com/logout"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"  <-- The attribute is called 'username' here, but in the Google Admin console it is mapped as 'email'.
        set group-name "group"  <-- Optional.
        set digest-method sha1
    next
end

With this configuration the SSL VPN debug logs on FortiGate show the following errors:

 

[352:root:2585]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[352:root:2585]req: /remote/info
[352:root:2585]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[352:root:2585]capability flags: 0x3cdf
[352:root:2585]req: /remote/saml/login
[352:root:2585]Transfer-Encoding n/a
[352:root:2585]Content-Length 6171
[352:root:2585]readPostEnter:19 Post Data length 6171.
[352:root:2585]fsv_rmt_saml_login_cb:100 SAML resp 6080.
[352:root:2585]fsv_rmt_saml_login_cb:111 magic id: magic=1-737182982777f1e2
[352:root:2585]fsv_rmt_saml_login_cb:138 idx 1 epoch: 737182982777f1e2
[352:root:2585]stmt: email  <-----
[352:root:2585]fsv_saml_login_response:694 No group info in SAML response.  <----------
[352:root:2585]fsv_saml_login_response:700 No user name info in SAML response. Please check saml configuration.  <-----
[352:root:2585]fsv_saml_login_resp_cb:244 SAML response error: 4.
[352:root:2585]saml login [352:9605] SAML_ERROR: SAML response error 4
[352:root:2585]Timeout for connection 0x7fac854800.

Solution:

The 'stmt: email' line shows that the only attribute present in the AttributeStatement of Google's SAML response is 'email', while FortiGate is configured to look for 'username'. The attribute name set in 'set user-name' on FortiGate must match exactly the attribute name Google sends, so change it to 'email':

config user saml
    edit "gsuite-sslvpn"
        set user-name "email"  <-- In the Google attribute mapping, the attribute is called 'email'.
    next
end
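As an added illustration that is not part of the original article, the following Python script reproduces the check FortiGate performs on the SAML AttributeStatement: it decodes a base64 SAMLResponse, lists the attribute names it carries (the 'stmt:' line in the debug output) and reports whether the configured user-name and optional group-name are among them. The SAML response embedded below is constructed for this example; the host fgt.example.com, the idpid value EXAMPLE and the user alice@example.com are placeholders, and no signature validation is performed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed, minimal SAML response resembling what Google Workspace posts to
# /remote/saml/login. A real response also carries a Signature, Conditions and
# other elements; only the AttributeStatement matters for this check.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://fgt.example.com:10443/remote/saml/login/">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The SAMLResponse form field is base64; URL-decode it first if taken from a raw POST body.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def attribute_statement(saml_response_b64):
    """Decode a base64 SAMLResponse and return {attribute_name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_user_name_mapping(saml_response_b64, user_name, group_name=None):
    """Mimic the FortiGate lookup: the configured user-name (and optional
    group-name) must equal an Attribute Name in the assertion, case-sensitively."""
    attrs = attribute_statement(saml_response_b64)
    result = {"stmt": sorted(attrs), "user": None, "groups": [], "errors": []}
    if user_name in attrs and attrs[user_name]:
        result["user"] = attrs[user_name][0]
    else:
        result["errors"].append(
            f"No user name info in SAML response: configured user-name "
            f"'{user_name}' is not among attributes {sorted(attrs)}")
    if group_name:
        if group_name in attrs:
            result["groups"] = attrs[group_name]
        else:
            result["errors"].append(
                f"No group info in SAML response: '{group_name}' was not sent")
    return result


if __name__ == "__main__":
    # Misconfigured mapping (as in the article) versus the corrected one.
    for cfg in ("username", "email"):
        r = check_user_name_mapping(SAMPLE_SAML_RESPONSE_B64, cfg, "group")
        print(f"user-name={cfg!r}: stmt={r['stmt']} user={r['user']} errors={r['errors']}")
```

Run against a SAMLResponse captured from a browser developer tools session, the script prints the same attribute names FortiGate logs after 'stmt:', which makes an attribute-name mismatch obvious before touching the firewall configuration. Note that it inspects attributes only; a real service provider must verify the response signature against the configured idp-cert before trusting any of them.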
