FortiGate
SimranRana
Staff
Article Id 398064
Description

This article describes how to resolve the issue where the FortiClient UID, instead of the actual username, is shown for dial-up IPsec VPN connections that use FortiAuthenticator as the SAML IdP.

Scope

FortiGate, FortiAuthenticator, SAML, dial-up IPsec VPN tunnel.

Solution

Instead of the actual username, the FortiClient UID is shown on both FortiClient and FortiGate when FortiAuthenticator is used as the SAML IdP.

In FortiClient, once the tunnel is connected, the 'Username' field shows the UID. On the FortiGate IPsec Monitor dashboard, the 'Xauth User' column shows the FortiClient UID instead of the username.

In the SAML debugs, no username attribute can be seen in the assertion sent by the IdP. Collect the debugs with:

diagnose debug reset
diagnose debug console timestamp enable

diagnose debug application fnbamd -1
diagnose debug application samld -1
diagnose debug application eap_proxy -1

diagnose debug enable

This issue can occur when the 'Assertion Attributes' are configured incorrectly, or not configured at all, in the service provider settings on FortiAuthenticator (Authentication -> SAML IdP -> Service Providers).

[Screenshot KB1.png: Assertion Attributes in the FortiAuthenticator service provider settings]

The attribute names configured on FortiAuthenticator must also match the IdP configuration on FortiGate (User & Authentication -> Single Sign-On -> IDP -> Additional SAML Attributes):

'Attribute used to identify users' on FortiGate must match the SAML attribute name configured for 'Username' on FortiAuthenticator, and 'Attribute used to identify groups' on FortiGate must match the SAML attribute name configured for 'Group' on FortiAuthenticator.

[Screenshot KB2.png: Additional SAML Attributes in the FortiGate IdP configuration]

Once the Assertion Attributes have been configured on FortiAuthenticator, they are sent to the FortiGate during authentication, and the FortiGate identifies the user by the actual username.

This can also be verified in the SAML debug log, where the username attribute now appears in the assertion.
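As an added check (example code, not from this article or from Fortinet), the script below parses a decoded SAML Response XML and reports whether the assertion carries the username and group attributes under the names the SP expects, which is what the debug log is being inspected for above. The attribute names 'username' and 'group' and both sample responses are constructed assumptions; substitute the names configured on your FortiGate.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_assertion(response_xml, username_attr="username", group_attr="group"):
    """Return NameID, mapped username/groups and the expected attribute names
    missing from the assertion. username_attr/group_attr are the names set on
    the FortiGate under 'Additional SAML Attributes' (assumed values)."""
    root = ET.fromstring(response_xml)
    result = {"nameid": None, "username": None, "groups": [], "missing": []}
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        result["missing"] = [username_attr, group_attr]
        return result
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    result["nameid"] = nameid.text if nameid is not None else None
    # Collect every Attribute Name -> list of values the IdP actually sent.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    result["username"] = (attrs.get(username_attr) or [None])[0]
    result["groups"] = attrs.get(group_attr, [])
    result["missing"] = [a for a in (username_attr, group_attr) if a not in attrs]
    return result


# Constructed sample 1: no AttributeStatement at all, as when 'Assertion
# Attributes' are left unconfigured on the FortiAuthenticator SP entry.
RESPONSE_NO_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID>constructed-nameid</saml:NameID></saml:Subject>
</saml:Assertion></samlp:Response>"""

# Constructed sample 2: the IdP sends the username and group attributes.
RESPONSE_WITH_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID>constructed-nameid</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="group"><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_assertion(RESPONSE_NO_ATTRS))           # username None, both names missing
    print(check_assertion(RESPONSE_WITH_ATTRS))         # username 'jdoe', groups ['vpn-users']
    print(check_assertion(RESPONSE_WITH_ATTRS, "uid"))  # name mismatch -> 'uid' missing
```

A non-empty 'missing' list for the attribute names your FortiGate is configured with is the mismatch this article describes, whether the attribute is absent or sent under a different name.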