Created on 01-04-2024 09:06 PM
Edited on 02-05-2025 07:18 AM
By Jean-Philippe_P
Description | This article describes how to use a namespace when configuring SAML between Azure (IdP) and FortiGate (SP). |
Scope | FortiGate. |
Solution |
In some cases, Azure configures the username and group claims with a namespace by default. Before configuring the username and group attributes on FortiGate for SAML, check the attributes and claims on Azure first.
If the username and group claims on Azure include a namespace by default, either copy the full claim name to FortiGate (the same namespace, ending with the name of the claim configured on Azure) as shown below, or remove the namespace from that particular attribute on Azure.
For example:
Note: If the namespace is not required, remove it from Azure and simply use the name of the username claim as shown above.
Related documents:
Technical Tip: Create SSL VPN with Azure SAML SSO Authentication, optional multiple SSL VPN Realms
Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML ... |
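One way to verify the match described in the Solution, as an added example that is not part of the original article or Fortinet's tooling: the script lists the claim names in a SAML assertion and reports whether a name configured on FortiGate matches exactly or is only missing the namespace. The assertion is a constructed sample using Azure's standard claim URIs; the function names are hypothetical, and exact (case-sensitive) comparison is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an attribute statement with namespaced claim names,
# as Azure emits when the namespace is left on the username and group claims.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def claim_names(assertion_xml):
    """Return the Name of every saml:Attribute in the assertion."""
    # ElementTree is fine for a local capture; use a hardened parser
    # for XML that comes from an untrusted source.
    root = ET.fromstring(assertion_xml)
    return [a.get("Name") for a in root.iterfind(".//saml:Attribute", SAML_NS)]


def check_attribute(configured, names):
    """Compare the attribute name configured on FortiGate with the claims sent.

    Returns ("match", name), ("namespace-missing", full_claim_name)
    or ("absent", None).
    """
    if configured in names:
        return ("match", configured)
    for name in names:
        # Same claim name, but the IdP sends it with a namespace prefix.
        if name.rsplit("/", 1)[-1] == configured:
            return ("namespace-missing", name)
    return ("absent", None)


if __name__ == "__main__":
    sent = claim_names(SAMPLE_ASSERTION)
    for configured in ("name", "groups", "username"):
        print(configured, "->", check_attribute(configured, sent))
```

A "namespace-missing" result corresponds to the two fixes in the article: copy the full claim name to FortiGate, or remove the namespace from the claim on Azure.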