Created on 06-28-2022 09:10 AM
Edited on 03-14-2025 03:57 AM
By Jean-Philippe_P
Description
This article describes the SAML SSL VPN authentication failure for some users while it works for others, even though they are part of the same group.

Scope
FortiGate, all versions.

Solution
SAML SSL VPN authentication fails for some users while it works for others, even though they are part of the same group. Running the SAML debugs gives results like the following:
diag debug reset
diag debug app samld -1
diag debug app sslvpnd -1
diag debug enable

Reproduce the issue.

diag debug disable
diag debug reset
Failed Account:
samld_send_common_reply [123]: Attr: 17, 27, magic=f3ecead5d9cf6cdd
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenantID_is_random_string'
samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'can_be_a random_string'
samld_send_common_reply [120]: Attr: 10, 73, 'http://schemas.microsoft.com/identity/claims/displayname' 'Fortinet Test'
samld_send_common_reply [120]: Attr: 10, 175, 'http://schemas.microsoft.com/claims/groups.link' 'https://graph.windows.net/also_a_random_string/users/can_be_a_random_string/getMemberObjects'
samld_send_common_reply [120]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/random_string_1/'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'random_string'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'can_be_a_random_string'
samld_send_common_reply [120]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Fortinet'
samld_send_common_reply [120]: Attr: 10, 72, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'Test'
Working Account:
samld_send_common_reply [123]: Attr: 17, 27, magic=c1e141f212416d77
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenantID_is_random_string'
samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'can_be_a_random_string'
samld_send_common_reply [120]: Attr: 10, 78, 'http://schemas.microsoft.com/identity/claims/displayname' 'FortinetTestOnline'
samld_send_common_reply [120]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/random_string_1/'
samld_send_common_reply [120]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'random_string'
samld_send_common_reply [120]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Fortinet'
samld_send_common_reply [120]: Attr: 10, 77, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'TestOnline'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' 'Fortinet.testonline@xyzabc.com'
samld_send_common_reply [120]: Attr: 10, 94, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'Fortinet.TestOnline@xyzabc.com'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID1'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID2'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID3'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID4'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID5'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID6'
samld_send_common_reply [120]: Attr: 10, 44, 'username' 'Fortinet.TestOnline@xyzabc.com'
Solution: This error occurs when the user is a member of more than 150 groups, a limit imposed by Microsoft Azure. In the failed capture above, the assertion carries a 'groups.link' claim (a link to getMemberObjects) instead of the individual 'group' attributes that appear in the working capture, so the FortiGate receives no group value to match.
To resolve this issue, on the Azure portal, in the group claims settings, select 'Groups Assigned to the Application' instead of 'All groups'. Once this setting is selected, only the groups assigned to the application are sent in the SAML response instead of all the groups.
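The following triage script, added here as an illustration and not part of the original article or of any FortiGate tooling, parses samld debug output of the shape shown above and reports whether a capture shows the group overage condition (a 'groups.link' claim present and no 'group' attributes). The sample captures are constructed from the article's two outputs with placeholder values; the attribute names 'group' and 'username' are assumed to match the SAML user configuration on the FortiGate, as in the captures above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples in the shape of "diag debug app samld -1" output.
# Values are placeholders, not real tenant, object or group IDs.
FAILED_DEBUG = """\
samld_send_common_reply [123]: Attr: 17, 27, magic=f3ecead5d9cf6cdd
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenantID_is_random_string'
samld_send_common_reply [120]: Attr: 10, 175, 'http://schemas.microsoft.com/claims/groups.link' 'https://graph.windows.net/tenant_placeholder/users/user_placeholder/getMemberObjects'
samld_send_common_reply [120]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Fortinet'
"""

WORKING_DEBUG = """\
samld_send_common_reply [123]: Attr: 17, 27, magic=c1e141f212416d77
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenantID_is_random_string'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID1'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID2'
samld_send_common_reply [120]: Attr: 10, 44, 'username'
'Fortinet.TestOnline@xyzabc.com'
"""

# One attribute line: "... Attr: <type>, <len>, '<name>' '<value>'".
# The "magic=" line has no quoted pair and is deliberately not matched.
ATTR_RE = re.compile(
    r"samld_send_common_reply \[\d+\]: Attr: \d+, \d+, '([^']*)' '([^']*)'"
)
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def _rejoin_wrapped(text: str) -> List[str]:
    """Re-attach a value that a terminal or copy-paste wrapped onto its own line
    (a line starting with a quote belongs to the previous attribute line)."""
    joined: List[str] = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("'") and joined:
            joined[-1] += " " + line
        else:
            joined.append(line)
    return joined


def parse_attributes(debug_text: str) -> List[Tuple[str, str]]:
    """Return (name, value) for every attribute line in the capture."""
    pairs: List[Tuple[str, str]] = []
    for line in _rejoin_wrapped(debug_text):
        m = ATTR_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


@dataclass
class GroupClaimReport:
    username: Optional[str]
    group_count: int
    overage_link: Optional[str]

    @property
    def overage(self) -> bool:
        # Azure sends a groups.link claim in place of the group list when the
        # user exceeds the group limit; no 'group' attributes then reach samld.
        return self.overage_link is not None and self.group_count == 0


def analyze(debug_text: str, group_attr: str = "group",
            user_attr: str = "username") -> GroupClaimReport:
    """Summarise the group-related claims seen in one samld capture.
    group_attr/user_attr are the FortiGate-side attribute names (assumed)."""
    username = None
    group_count = 0
    overage_link = None
    for name, value in parse_attributes(debug_text):
        if name == group_attr:
            group_count += 1
        elif name == user_attr:
            username = value
        elif name == GROUPS_LINK_CLAIM:
            overage_link = value
    return GroupClaimReport(username, group_count, overage_link)


def diagnose(report: GroupClaimReport) -> str:
    """Map a report to a short finding a support engineer can act on."""
    if report.overage:
        return ("GROUP_OVERAGE: groups.link claim received and no group attributes; "
                "restrict the Azure group claim to 'Groups Assigned to the Application'")
    if report.group_count == 0:
        return "NO_GROUPS: no group attributes in the assertion; check the claim mapping"
    return f"OK: {report.group_count} group attribute(s) for {report.username or '<no username>'}"


if __name__ == "__main__":
    for label, capture in (("failed", FAILED_DEBUG), ("working", WORKING_DEBUG)):
        print(label, "->", diagnose(analyze(capture)))
```

Run it against a real capture by reading the saved debug output into `analyze()`; a GROUP_OVERAGE finding for the failing user and an OK finding for a working user in the same group is the pattern this article describes.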