FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193640
SAML can be used for user authentication and grouping in FortiGate.

This article describes how to troubleshooting a scenarios when user could log initially and got logged out immediately afterwards.

In such scenario, once user logged in SSL VPN, user is immediately presented with 'Session Ended' in the browser.

To troubleshoot the SAML login process, following debug can be collected while the user is logging in:

# diagnose debug application samld -1
# diagnose debug application sslvpn -1
# diagnose debug enable

In this scenario, the log showed 'SAML group mismatch':

[09:22:41][176:root:2ab5]fsv_saml_login_response:477 No group info in SAML response.
[09:22:41][176:root:2ab5]fsv_saml_login_resp_cb:173 SAML group mismatch.

This indicates the group name 'group' configured was different from what was returned from the SAML IdP.

Configured group in FortiGate:

Attribute Name: "group"
Attribute Value: "SSL-SAML"

# config user saml
edit "ras.test"
set group-name "group"                 <----- Attribute Name for group-name.

# config user group
    edit "azure_test"
        set member "ras.test"
        # config match
            edit 1
                set server-name "ras.test"
                set group-name "SSL-SAML"     <------ Attribute Value for group-name.

But in the debug log, it showed the Attribute Name returned was '' (instead of 'group').

[09:22:41]samld_send_common_reply [120]:     Attr: 10, 104, '' 'SSL-SAML'

The solution is to correct the attribute name in IdP 
From: ''.
to: 'group'.
(or vice versa, configure the 'group-name' in FortiGate to match the returned attribute-name  ''.

# config user saml
    edit "ras.test"
    set group-name ""

Related Articles

Technical Tip: Configure group based policies for SAML users

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Azure AD acting as SAML ...