mtse
Staff
Article Id 193640
Description
SAML can be used for user authentication and grouping in FortiGate.

This article describes how to troubleshoot a scenario in which a user can log in initially but is logged out immediately afterwards.

In this scenario, once the user logs in to SSL VPN, the browser immediately shows 'Session Ended'.

Solution
To troubleshoot the SAML login process, the following debug can be collected while the user is logging in:

# diagnose debug application samld -1
# diagnose debug application sslvpn -1
# diagnose debug enable

In this scenario, the log showed 'SAML group mismatch':

[09:22:41][176:root:2ab5]fsv_saml_login_response:477 No group info in SAML response.
[09:22:41][176:root:2ab5]fsv_saml_login_resp_cb:173 SAML group mismatch.

This indicates that the group attribute name 'group' configured on the FortiGate was different from the attribute name returned by the SAML IdP.

Configured group in FortiGate:

Attribute Name: "group"
Attribute Value: "SSL-SAML"

# config user saml
edit "ras.test"
..
set group-name "group"                 <----- Attribute Name for group-name.

# config user group
    edit "azure_test"
        set member "ras.test"
        # config match
            edit 1
                set server-name "ras.test"
                set group-name "SSL-SAML"     <------ Attribute Value for group-name.
            next
        end

But the debug log showed that the Attribute Name returned by the IdP was 'http://schemas.microsoft.com/groups' (instead of 'group'):

[09:22:41]samld_send_common_reply [120]:     Attr: 10, 104, 'http://schemas.microsoft.com/groups' 'SSL-SAML'

The solution is to correct the attribute name on the IdP side from 'http://schemas.microsoft.com/groups' to 'group', or, conversely, to configure the 'group-name' in FortiGate to match the returned attribute name 'http://schemas.microsoft.com/groups':

# config user saml
    edit "ras.test"
..
    set group-name "http://schemas.microsoft.com/groups"
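The comparison described above (the configured 'group-name' attribute name and the group 'match' value versus what the IdP actually returned in the 'Attr:' debug lines) can be done by hand, but for longer samld outputs it is convenient to script it. The following Python script is an added example, not Fortinet code: it parses the 'Attr:' lines from the samld debug output, then classifies the outcome as an attribute-name mismatch (this article's case), an attribute-value mismatch, or a match. The debug lines embedded in it are constructed from the format shown in this article; the two numeric fields after 'Attr:' are not explained here and are ignored.

```python
import re
from typing import Dict, List

# Matches the samld 'Attr:' line format shown in the debug output:
#   Attr: <num>, <num>, '<attribute name>' '<attribute value>'
ATTR_RE = re.compile(r"Attr:\s*\d+,\s*\d+,\s*'([^']*)'\s*'([^']*)'")

# Constructed sample of 'diagnose debug application samld -1' output,
# modelled on the lines quoted in the article (not a real capture).
SAMPLE_DEBUG = """\
[09:22:41]samld_send_common_reply [120]:     Attr: 10, 104, 'http://schemas.microsoft.com/groups' 'SSL-SAML'
[09:22:41]samld_send_common_reply [120]:     Attr: 10, 104, 'username' 'alice@example.com'
[09:22:41][176:root:2ab5]fsv_saml_login_response:477 No group info in SAML response.
[09:22:41][176:root:2ab5]fsv_saml_login_resp_cb:173 SAML group mismatch.
"""


def parse_saml_attrs(debug_text: str) -> Dict[str, List[str]]:
    """Collect every attribute name/value pair the IdP returned, keyed by name."""
    attrs: Dict[str, List[str]] = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            attrs.setdefault(name, []).append(value)
    return attrs


def has_group_mismatch(debug_text: str) -> bool:
    """True when the sslvpn debug reports the 'SAML group mismatch' error."""
    return any("SAML group mismatch" in line for line in debug_text.splitlines())


def check_group_mapping(attrs: Dict[str, List[str]],
                        group_name_attr: str,
                        expected_values: List[str]) -> dict:
    """Compare the FortiGate configuration with what the IdP returned.

    group_name_attr  - 'set group-name' under 'config user saml'
    expected_values  - 'set group-name' values under the user group's 'config match'
    """
    returned = attrs.get(group_name_attr)
    if returned is None:
        # Attribute name mismatch (the article's case): look for another attribute
        # that carries one of the expected group values, to suggest the right name.
        candidates = [name for name, values in attrs.items()
                      if any(v in expected_values for v in values)]
        return {"status": "attribute-name-mismatch",
                "configured": group_name_attr,
                "candidates": candidates}
    matched = [v for v in returned if v in expected_values]
    if not matched:
        return {"status": "attribute-value-mismatch",
                "returned_values": returned}
    return {"status": "ok", "matched": matched}


if __name__ == "__main__":
    attrs = parse_saml_attrs(SAMPLE_DEBUG)
    print("mismatch reported:", has_group_mismatch(SAMPLE_DEBUG))
    # Configuration from the article: group-name "group", match value "SSL-SAML".
    print(check_group_mapping(attrs, "group", ["SSL-SAML"]))
    # After correcting group-name to the returned attribute name.
    print(check_group_mapping(attrs, "http://schemas.microsoft.com/groups", ["SSL-SAML"]))
```

With the article's configuration the script reports 'attribute-name-mismatch' and names 'http://schemas.microsoft.com/groups' as the attribute that actually carried 'SSL-SAML'; once 'group-name' is changed to that attribute name, the same debug output checks out as 'ok'.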

Related Articles

Technical Tip: Configure group based policies for SAML users

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...
