FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
RBA
Staff
Article Id 343106


Description This article describes how to fix the SAML authentication issue when it fails with the error log 'Missing user-name' in the event logs.
Scope FortiGate.
Solution

The log appears as follows in the GUI:

[Screenshot: event log entry showing the 'Missing user-name' error]

The issue arises when the user-name attribute configured on the FortiGate does not match the name of the claim sent by the IdP.

The configuration in this scenario looks like the following, with user-name set to givenname:

config user saml
    edit Azure_SAML_LAN
        set entity-id http://172.16.24.159:1003/remote/saml/metadata/
        set single-sign-on-url https://172.16.24.159:1003/remote/saml/login
        set single-logout-url https://172.16.24.159:1003/remote/saml/logout
        set idp-entity-id https://sts.windows.net/75bbdef3-f807-41bc-8069-6a3080d764d3/
        set idp-single-sign-on-url https://login.microsoftonline.com/75bbdef3-f807-41bc-8069-6a3080d764d3/saml2
        set idp-single-logout-url https://login.microsoftonline.com/75bbdef3-f807-41bc-8069-6a3080d764d3/saml2
        set idp-cert REMOTE_Cert_1
        set user-name givenname
        set group-name group
        set digest-method sha1
    next
end


In the Azure portal, configure the SAML attribute username (or name) with the value user.userprincipalname:

[Screenshot: Azure Attributes & Claims page]

Set that same claim name as the user-name attribute in the FortiGate SAML configuration, and make sure it matches between the IdP and the SP.

The username attribute must match both the Attributes & Claims configured in the Azure portal and the user-name set in the FortiGate SAML configuration. Note that when a claim name has been modified in the portal, the schema format is automatically prepended to the claim name, and the value on the FortiGate must match the resulting full claim name.
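The following Python script is an added example (not Fortinet's code) that reproduces the matching rule described above against a constructed SAML assertion: the attribute names configured as user-name and group-name must appear verbatim in the AttributeStatement, and when a schema-prefixed variant of the configured name is present instead, the check reports the full name the IdP actually sent. The assertion content and the alice@example.com / sslvpn-users values are constructed sample data.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed sample assertion (not a real capture): a plain "username" claim,
# a schema-prefixed "name" claim and a "group" claim.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>sslvpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def check_saml_mapping(xml_text, user_name_attr, group_name_attr):
    """Apply the FortiGate rule: the configured user-name and group-name must
    appear verbatim as attribute Names, otherwise the value is 'missing'.
    Returns a list of problems (empty when the mapping is consistent)."""
    attrs = assertion_attributes(xml_text)
    problems = []
    for label, wanted in (("user-name", user_name_attr), ("group-name", group_name_attr)):
        if wanted in attrs:
            continue
        msg = f"Missing {label}: attribute '{wanted}' not in assertion"
        # The claim may have been sent with its schema prefix (Azure adds it once
        # a claim name is edited); point the operator at the full name.
        prefixed = [n for n in attrs if n.endswith("/" + wanted)]
        if prefixed:
            msg += f" (IdP sent '{prefixed[0]}')"
        problems.append(msg)
    return problems


if __name__ == "__main__":
    print(check_saml_mapping(SAMPLE_ASSERTION, "givenname", "group"))  # broken mapping
    print(check_saml_mapping(SAMPLE_ASSERTION, "username", "group"))   # fixed mapping
```

Run it against an assertion copied from the SAML debug output to see which configured attribute name the IdP is not sending.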

Related documents:

SAML SSO configuration from Web GUI

Technical Tip: How to read SAML Debug output

Configure FortiGate SSL VPN for Single sign-on with Microsoft Entra ID