FortiGate
MichaelTorres
Article Id 367171
Description

This article describes a behavior where the Group ID for the SAML integration is configured correctly, yet the SAML debugs show the error 'Failed group matching'.

Scope

FortiGate with Azure SAML integration in v7.2.10, v7.4.4 or lower versions.
Solution

Users configure the SAML integration with a user group whose match entry references a specific group ID (the Azure group object ID):


config user saml
    edit "VPN_SAML"
        set cert "OWN_Cert"
        set entity-id "http://vpn.test.co:8443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.test.co:8443/remote/saml/login"
        set single-logout-url "https://vpn.test.co:8443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/343543534/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/343543534-46ea-bd8e-04ae5bf545a8/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/343543534-04ae5bf545a8/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

config user group
    edit "MFA_VPN"
        set member "VPN_SAML"
        config match
            edit 1
                set server-name "VPN_SAML"
                set group-name "343543534-3fdc-4566-8cf2-gtyh54663"
            next
        end
    next
end


In the SAML debugs the following error is shown:


samld_send_common_reply [95]: Attr: 10, 49, 'username' 'test@vpn.test.co'
samld_send_common_reply [95]: Attr: 10, 51, 'group' '343543534-3fdc-4566-8cf2-gtyh54663' --> FortiGate correctly collects the group object ID sent by the IdP.

2024-12-06 09:10:40 [1041] fnbamd_saml_auth_cache_lookup-Authentication passed.
2024-12-06 09:10:40 [234] __clear_one_entry-'635DDD39A3D747CE811D354D1F9E0DCF' is cleared.
2024-12-06 09:10:40 [1950] handle_req-r=0
2024-12-06 09:10:40 [1623] fnbam_user_auth_group_match-req id: 2065206618, server: VPN_SAML, local auth: 0, dn match: 0
2024-12-06 09:10:40 [1592] __group_match-Group 'MFA_VPN' passed group matching
--> Validates that the user belongs to the group.
2024-12-06 09:10:40 [1595] __group_match-Add matched group 'MFA_VPN'(18)
2024-12-06 09:10:40 [1750] __radius_decode_mppe_key-Key len after decode 16
2024-12-06 09:10:40 fnbamd_dbg_hex_pnt[48] EAP msg from server (4)-03 A1 00 04
2024-12-06 09:10:40 [1548] fnbamd_auth_handle_radius_result-->Result for radius svr 'eap_proxy' 127.0.0.1(1) is 0
2024-12-06 09:10:40 [1573] fnbamd_auth_handle_radius_result-RADIUS auth succeeds with server 'VPN_SAML'
2024-12-06 09:10:40 [1623] fnbam_user_auth_group_match-req id: 2065206617, server: VPN_SAML, local auth: 0, dn match: 0
2024-12-06 09:10:40 [295] find_matched_usr_grps-Failed group matching
--> Finally, although the FortiGate has already matched the user to the group 'MFA_VPN', it now reports a failed group match.
2024-12-06 09:10:40 [209] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 2065206617, len=2540
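The debug excerpt above is easiest to read when the three facts it carries are pulled apart: what group attribute the IdP sent, which configured group-name that attribute should match, and whether the match functions agree with each other. The following Python script is an added example and is not part of the Fortinet article or of any Fortinet tool. It parses a `config user group` block and the `samld`/`fnbamd` debug lines in the formats shown on this page (the regular expressions are written against those lines only), and it goes one step beyond the article by distinguishing the article's symptom (configured group matches the IdP attribute, `__group_match` reports it passed, yet `find_matched_usr_grps` fails) from a genuine misconfiguration where the IdP group attribute never matches any configured group-name. The sample configuration and debug text are constructed from the values on this page.

```python
"""Triage helper for FortiGate SAML 'Failed group matching' debugs (added example)."""
import re

# Constructed sample: the group-match section of the article's configuration.
SAMPLE_CONFIG = """\
config user group
    edit "MFA_VPN"
        set member "VPN_SAML"
        config match
            edit 1
                set server-name "VPN_SAML"
                set group-name "343543534-3fdc-4566-8cf2-gtyh54663"
            next
        end
    next
end
"""

# Constructed sample: the relevant lines of the article's debug output.
SAMPLE_DEBUG = """\
samld_send_common_reply [95]: Attr: 10, 49, 'username' 'test@vpn.test.co'
samld_send_common_reply [95]: Attr: 10, 51, 'group' '343543534-3fdc-4566-8cf2-gtyh54663'
2024-12-06 09:10:40 [1592] __group_match-Group 'MFA_VPN' passed group matching
2024-12-06 09:10:40 [1595] __group_match-Add matched group 'MFA_VPN'(18)
2024-12-06 09:10:40 [295] find_matched_usr_grps-Failed group matching
"""

# Line shapes taken from the debug output on this page.
ATTR_RE = re.compile(r"samld_send_common_reply.*?Attr: \d+, \d+, '([^']*)' '([^']*)'")
PASSED_RE = re.compile(r"__group_match-Group '([^']+)' passed group matching")
FAILED_RE = re.compile(r"find_matched_usr_grps-Failed group matching")


def parse_group_matches(config_text):
    """Map each 'config user group' entry to its (server-name, group-name) match rules."""
    matches = {}
    section = None   # top-level 'config ...' block we are currently inside
    group = None     # current 'edit "<group>"' under config user group
    server = None
    depth = 0        # nesting depth of config/edit blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth == 0:
                section = line
            depth += 1
        elif line.startswith("edit "):
            depth += 1
            m = re.match(r'edit "([^"]+)"', line)
            if m and section == "config user group" and depth == 2:
                group = m.group(1)
                matches[group] = []
        elif line in ("next", "end"):
            depth -= 1
            if depth == 1:
                group = None      # left the group entry
            if depth == 0:
                section = None
        elif line.startswith("set server-name "):
            server = re.match(r'set server-name "([^"]+)"', line).group(1)
        elif line.startswith("set group-name ") and group is not None and depth == 4:
            # depth 4 == config user group / edit <group> / config match / edit N,
            # so this is a match rule, not the attribute name under config user saml
            name = re.match(r'set group-name "([^"]+)"', line).group(1)
            matches[group].append((server, name))
    return matches


def parse_debug(debug_text):
    """Return (saml attributes, groups reported as passed, whether a final failure was logged)."""
    attrs, passed, failed = {}, [], False
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
        elif (m := PASSED_RE.search(line)):
            passed.append(m.group(1))
        elif FAILED_RE.search(line):
            failed = True
    return attrs, passed, failed


def diagnose(config_text, debug_text):
    """Summarise whether the debug shows the article's symptom or a real mismatch."""
    matches = parse_group_matches(config_text)
    attrs, passed, failed = parse_debug(debug_text)
    idp_group = attrs.get("group")
    configured = [g for g, rules in matches.items() if any(name == idp_group for _, name in rules)]
    return {
        "idp_group": idp_group,
        "groups_configured_for_idp_group": configured,
        "groups_passed_in_debug": passed,
        "failed_group_matching": failed,
        # Config is right and __group_match agreed, yet the final lookup failed.
        "known_bug_pattern": failed and any(g in passed for g in configured),
        # No configured match rule names the group the IdP actually sent.
        "config_mismatch": failed and not configured,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

When `known_bug_pattern` is true the configuration needs no change and the firmware versions in this article are the place to look; when `config_mismatch` is true the group object ID in the match rule should be compared against the value the IdP sends before touching anything else.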


Workaround

Remove the group ID from the match entry so that every group returned by the IdP is accepted. This admits any user the IdP authenticates for this SAML application regardless of group membership, so treat it as a temporary measure until the fix below is applied.


Final fix

Upgrade FortiGate to v7.2.11, v7.4.5, or v7.6.1.