FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Chinmay_Sagade
Article Id 388482
Description

This article describes a step-by-step approach to troubleshooting SAML SSO authentication issues when Microsoft Entra ID is the IdP, and explains one of the most common causes of the error 'No group info in SAML response'.

Scope

FortiGate, Microsoft Entra ID.

Solution

Step 1: Check and verify the configuration.

The SAML SSO configuration has several interdependent settings on both the FortiGate and Microsoft Entra ID (entity IDs, sign-on and logout URLs, the IdP certificate, and the claim names FortiGate reads the user name and group from), so verify that both sides are consistent before collecting debugs. Refer to the following article for configuration details: Outbound firewall authentication with Microsoft Entra ID as a SAML IdP

Step 2: Run the debug commands.

Run the following SAML-related debug commands on the FortiGate while attempting to authenticate from the client machine. These are the SSL VPN debugs; the 'fsv_' and 'sslvpn_' entries in the output further below come from the SSL VPN daemon, and the 'samld_' entries from the SAML daemon:

diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application saml -1
diagnose debug console timestamp enable
diagnose vpn ssl debug-filter src-addr4 <client public IP>
diagnose debug enable

The debug-filter line restricts the output to a single client source address so that other users' sessions do not flood the console. When finished, turn debugging off again with 'diagnose debug disable' followed by 'diagnose debug reset'.

To check the SP metadata the FortiGate generates for the SAML server object, run the following in the CLI:

diagnose vpn ssl saml-metadata "<SAML NAME>"

Step 3: Analyze the SAML debug logs.

The SAML assertion the IdP sends to the FortiGate carries a set of attributes (the claims configured on the Entra ID side). Check which attributes are actually received and confirm that they match the claims configured for the enterprise application on Microsoft Entra ID under 'Attributes & Claims'. In particular, the attribute names FortiGate reads the user name and group from must be the ones configured on the SAML server object (the 'user-name' and 'group-name' settings under 'config user saml'); in the output below these are 'username' and 'groups'.

See the following non-working scenario:

samld_send_common_reply [118]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' '8ad37b35-abb2-5da2-88cd-7b2c88acfd89'
samld_send_common_reply [118]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '57befc77-c591-492b-9af0-5125abc3d38a'
samld_send_common_reply [118]: Attr: 10, 84, 'http://schemas.microsoft.com/identity/claims/displayname' 'Test User'
samld_send_common_reply [118]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/8ad37b35-abb2-5da2-88cd-7b2c88acfd89/'
samld_send_common_reply [118]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [118]: Attr: 10, 72, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Test'
samld_send_common_reply [118]: Attr: 10, 78, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'User'
samld_send_common_reply [118]: Attr: 10, 100, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' 'testuser@fortinet.com'
samld_send_common_reply [118]: Attr: 10, 98, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'testuser123@fortinet.com'
samld_send_common_reply [118]: Attr: 10, 48, 'username' 'testuser123@fortinet.com'
fsv_saml_login_response:480 Got saml username: testuser123@fortinet.com.
fsv_saml_login_response:510 No group info in SAML response.
fsv_saml_login_resp_cb:172 SAML group mismatch.
Timeout for connection 0x7f5ffcd66700.

In this scenario, the FortiGate receives the user attributes (tenant ID, object identifier, display name, e-mail address, 'username', and so on) but no group attribute at all: there is no 'groups' entry listing the groups Test User belongs to. The FortiGate therefore logs 'No group info in SAML response', the comparison against the configured user group fails ('SAML group mismatch'), and authentication fails.

Refer to the following articles to see if they resolve the issue:

Step 4: Verify the group filter on Microsoft Entra ID.

Microsoft Entra ID can apply a group filter to the SSO group claim to control which of the user's groups are included in it. Only the groups that match the filter are emitted in the group claim returned to the FortiGate in the SAML assertion; groups the user belongs to that do not match are silently left out.

To check the group filter on Microsoft Entra ID, go to Single sign-on -> SAML -> User Attributes & Claims -> Edit -> select the group claim -> Advanced options -> Filter groups.

[Screenshot: Azure group filter.jpg, the 'Filter groups' setting on the group claim, matching groups whose name ends with 'User']

With the filter shown above, only groups whose name ends with 'User' are included in the group claim. If none of the user's groups matches the filter, the group claim is omitted from (or empty in) the SAML assertion sent to the FortiGate. That is exactly the non-working output above: no 'groups' attribute, followed by 'No group info in SAML response'.

To resolve this, do one of the following:

  • Disable the group filter on Microsoft Entra ID so that all of the user's groups are included in the group claim sent to the FortiGate, or widen the filter so that the intended group matches it.
  • If a group matching the filter is included in the group claim, ensure that its object ID (by default Entra ID emits the group's object ID, the GUID seen in the working output below) is present in the FortiGate user group configuration, that is, in the group match entry for the SAML server under 'config user group'.

See the following working scenario:

samld_send_common_reply [118]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' '8ad37b35-abb2-5da2-88cd-7b2c88acfd89'
samld_send_common_reply [118]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '82acee65-6ad1-691b-bb02-2597adf3a29b'
samld_send_common_reply [118]: Attr: 10, 74, 'http://schemas.microsoft.com/identity/claims/displayname' 'Test User'
samld_send_common_reply [118]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/8ad37b35-abb2-5da2-88cd-7b2c88acfd89/'
samld_send_common_reply [118]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [118]: Attr: 10, 138, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509'
samld_send_common_reply [118]: Attr: 10, 72, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Test'
samld_send_common_reply [118]: Attr: 10, 75, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'User'
samld_send_common_reply [118]: Attr: 10, 92, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' 'testuser@fortinet.com'
samld_send_common_reply [118]: Attr: 10, 87, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'testuser123@fortinet.com'
samld_send_common_reply [118]: Attr: 10, 37, 'username' 'testuser123@fortinet.com'
samld_send_common_reply [118]: Attr: 10, 48, 'groups' 'f21a8a53-f9f2-34ab-224b-5d61f87a4d6f'
fsv_saml_login_response:480 Got saml username: testuser123@fortinet.com.
fsv_saml_login_response:490 Got group username: f21a8a53-f9f2-34ab-224b-5d61f87a4d6f.
sslvpn_auth_check_usrgroup:2975 forming user/group list from policy.

In this scenario, the assertion carries a 'groups' attribute holding the object ID of Test User's group in addition to the user attributes. The FortiGate extracts it ('Got group username: f21a8a53-f9f2-34ab-224b-5d61f87a4d6f'), then checks it against the user groups referenced by the policy ('forming user/group list from policy'), and the login proceeds. Note also that 'authnmethodsreferences' appears twice (password and x509): a multi-valued claim is logged as one 'Attr' line per value, so a user who belongs to several matching groups will likewise produce one 'groups' line per group object ID.
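The following Python script is an added example and is not code from the Fortinet article or from FortiOS. It parses the 'samld_send_common_reply' attribute lines shown in Step 3 and emulates the two checks the article describes: the FortiGate-side decision that produces 'No group info in SAML response' or 'SAML group mismatch' (Step 3), and the Entra ID group filter that decides which group object IDs reach the claim at all (Step 4). The decision logic is a simplified reconstruction inferred from the debug output, not the actual daemon code; the sample log text is abbreviated from the article's output, and the group display name 'VPN-User', the second group 'Network-Admins' and its object ID are constructed for the example.

```python
# Added example, not code from the Fortinet article or FortiOS: a parser for
# the 'samld_send_common_reply' debug lines plus a simplified emulation of the
# group checks the article describes. Sample logs are abbreviated from the
# article; the second group and the display names are constructed.
import re
from collections import defaultdict

# One 'Attr:' line is printed per attribute *value*; the two integers are
# lengths that we do not need for the diagnosis.
ATTR_RE = re.compile(r"Attr: \d+, \d+, '([^']*)' '([^']*)'")

# Constructed sample, abbreviated from the non-working output in Step 3:
# user claims are present, but there is no 'groups' attribute at all.
NON_WORKING_LOG = """\
samld_send_common_reply [118]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '57befc77-c591-492b-9af0-5125abc3d38a'
samld_send_common_reply [118]: Attr: 10, 84, 'http://schemas.microsoft.com/identity/claims/displayname' 'Test User'
samld_send_common_reply [118]: Attr: 10, 48, 'username' 'testuser123@fortinet.com'
"""

# Constructed sample, abbreviated from the working output: note the repeated
# multi-valued 'authnmethodsreferences' claim and the 'groups' claim that
# carries the group object ID.
WORKING_LOG = """\
samld_send_common_reply [118]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [118]: Attr: 10, 138, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509'
samld_send_common_reply [118]: Attr: 10, 37, 'username' 'testuser123@fortinet.com'
samld_send_common_reply [118]: Attr: 10, 48, 'groups' 'f21a8a53-f9f2-34ab-224b-5d61f87a4d6f'
"""

VPN_GROUP_ID = "f21a8a53-f9f2-34ab-224b-5d61f87a4d6f"  # group object ID from the working output

# Constructed Entra ID directory for the example: object ID -> group display name.
# The 'VPN-User' name and the whole 'Network-Admins' group are assumptions.
ENTRA_GROUPS = {
    VPN_GROUP_ID: "VPN-User",
    "0b1c2d3e-4f50-4a6b-8c7d-9e0f1a2b3c4d": "Network-Admins",
}


def parse_attributes(log_text):
    """Collect {attribute_name: [values]} from samld debug output.

    Multi-valued attributes (several 'Attr' lines with the same name) are
    kept as a list rather than overwritten, which matters for 'groups'.
    """
    attrs = defaultdict(list)
    for line in log_text.splitlines():
        match = ATTR_RE.search(line)
        if match:
            attrs[match.group(1)].append(match.group(2))
    return dict(attrs)


def check_group_claim(log_text, user_attr, group_attr, allowed_group_ids):
    """Emulate the FortiGate-side decision visible in the debug output.

    user_attr / group_attr are the claim names FortiGate is configured to read
    ('username' and 'groups' in the article); allowed_group_ids are the group
    object IDs configured in the FortiGate user group match.
    Returns a (verdict, detail) pair.
    """
    attrs = parse_attributes(log_text)
    if user_attr not in attrs:
        return ("no-username", None)
    groups = attrs.get(group_attr, [])
    if not groups:
        # corresponds to 'No group info in SAML response'
        return ("no-group-info", None)
    matched = sorted(set(groups) & set(allowed_group_ids))
    if not matched:
        # corresponds to 'SAML group mismatch'
        return ("group-mismatch", groups)
    return ("ok", matched)


def filter_groups(directory, match, pattern):
    """Emulate the Entra ID 'Filter groups' option on the group claim.

    match is 'prefix', 'suffix' or 'contains', applied to the group display
    name; the result is the list of object IDs that would be emitted in the
    claim. An empty result means the claim is left out of the assertion.
    Simplification (assumed here): a case-sensitive literal comparison.
    """
    tests = {
        "prefix": lambda name: name.startswith(pattern),
        "suffix": lambda name: name.endswith(pattern),
        "contains": lambda name: pattern in name,
    }
    return [oid for oid, name in directory.items() if tests[match](name)]


if __name__ == "__main__":
    allowed = [VPN_GROUP_ID]
    print(check_group_claim(NON_WORKING_LOG, "username", "groups", allowed))
    print(check_group_claim(WORKING_LOG, "username", "groups", allowed))
    # A filter no group satisfies ('Users' against the actual 'VPN-User'):
    print(filter_groups(ENTRA_GROUPS, "suffix", "Users"))
```

Two cases are worth trying beyond the article's own: calling check_group_claim with group_attr set to 'group' instead of 'groups' reproduces 'No group info in SAML response' even though the assertion does contain the groups, which is the symptom of a mismatch between the Entra ID claim name and the 'group-name' setting on the FortiGate SAML server object, and a suffix filter of 'Users' returns nothing because the suffix match is literal and 'VPN-User' does not end with it.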

 

Related articles: