FortiGate
VinayHM
Staff
Article Id 271247
Description This article describes the troubleshooting steps to follow when users are unable to connect to SSL VPN and FortiClient stops at 40%, or when 'use external browser as user agent for SAML login' is enabled on FortiClient and the browser shows an error because the session has ended.
Scope FortiGate.
Solution

When the user enters their credentials with 'use external browser as user agent for SAML login' enabled on FortiClient, an error appears because the session ends in the browser:

 

[Screenshot: saml.PNG]

 

Alternatively, when connecting with FortiClient, the connection stops at 40%. The SAML debugs then show that the user and group information was not found, as shown below.

 

Commands to collect SAML logs:

diagnose debug application sslvpn -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose vpn ssl debug-filter src-addr4 x.x.x.x    <- Public IP address the user connects from.
diagnose debug console timestamp enable
diagnose debug enable

 

The debug logs show the errors below:

 

No group info in SAML response.

No user name info in SAML response. Please check saml configuration.

SAML response error: 3.

 

[256:root:45]fsv_saml_login_response:510 No group info in SAML response.
[256:root:45]fsv_saml_login_response:514 No user name info in SAML response. Please check saml configuration.
[256:root:45]fsv_saml_login_resp_cb:163 SAML response error: 3.
[256:root:45]req: /remote/saml/logout?SAMLResponse=fZFBa8M
[256:root:45]fsv_rmt_saml_logout_cb:35 got SAML logout request.
[256:root:45]rmt_web_auth_info_parser_common:492 no session id in auth info
[256:root:45]rmt_web_access_check:760 access failed, uri=[/remote/logout],ret=4103,
[256:root:45]req: /remote/logoutok
[256:root:45]req: /styles.css
[256:root:45]mza: 0x2e93b20 /styles.css
[254:root:45]SSL state:warning close notify (x.x.x.x)
SSL state:warning close notify (x.x.x.x)
[255:root:45][254:root:45]sslConnGotoNextState:309 error (last state: 1, closeOp: 0)
[253:root:45][255:root:45][254:root:45]SSL state:warning close notify (x.x.x.x)

 

Solution:

The default claim names in Azure's attribute/claim configuration differ from the names configured on the FortiGate, which produces the error above. Make sure the group attribute/claim in Azure is named exactly as it is in the FortiGate configuration.

 

In FortiGate:

 

[Screenshot: Kb 13.2.PNG]

 

In Azure:

 

[Screenshot: Kb 13.1.PNG]

 

Note: 

In 'config user saml', if 'user-name' and 'group-name' are set as below:

config user saml
    edit "Azure-saml"
        ...
        set user-name "username"
        set group-name "group"

the same names must be set on the Azure end under 'Attributes & Claims'. Attribute names are case-sensitive and must match on both ends.
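To see why a case mismatch produces exactly the "No group info" / "No user name info" errors above, the following added example (not Fortinet's code) parses a constructed SAML assertion in which Azure sends the claim "Group" while the FortiGate is configured with 'set group-name "group"'. The assertion XML, the claim names and the check_saml_mapping function are assumptions for illustration; the name comparison is case-sensitive, as on the FortiGate.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the IdP sends "username" and "Group" (capital G).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>sslvpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_saml_mapping(assertion_xml, user_name, group_name):
    """Mimic the firewall-side lookup: the configured 'user-name' and 'group-name'
    are matched case-sensitively against the attribute names in the response.
    Returns a list of problems; an empty list means both claims were found."""
    attrs = saml_attributes(assertion_xml)
    problems = []
    for label, wanted in (("user name", user_name), ("group", group_name)):
        if attrs.get(wanted):
            continue
        # Point out a case-only mismatch, the cause described in this article.
        near = [n for n in attrs if n.lower() == wanted.lower()]
        hint = f" (IdP sent '{near[0]}' - case mismatch)" if near else ""
        problems.append(f"No {label} info in SAML response: expected attribute '{wanted}'{hint}")
    return problems


if __name__ == "__main__":
    for problem in check_saml_mapping(SAMPLE_ASSERTION, "username", "group"):
        print(problem)
```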

    

Related articles:

Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication
Technical Tip: Azure SAML group mismatch, getting error '/remote/logoutok'
Troubleshooting Tip: SAML group mismatch issue in SSL VPN