| Description | This article describes the SAML SSL VPN authentication failure for some users while it works for others, provided they are part of the same group. |
| Scope | FortiGate all versions. |
| Solution |
SAML SSL VPN authentication fails for some users while it works for others, even though they are members of the same group. With the SAML debugs enabled, the output is as follows:
diagnose debug reset
diagnose debug app samld -1
diagnose debug app sslvpnd -1
diagnose debug enable
Reproduce the issue.
diagnose debug disable
diagnose debug reset
Failed Account:
samld_send_common_reply [123]: Attr: 17, 27, magic=f3ecead5d9cf6cdd
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenantID_is_random_string'
samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'can_be_a random_string'
samld_send_common_reply [120]: Attr: 10, 73, 'http://schemas.microsoft.com/identity/claims/displayname' 'Fortinet Test'
samld_send_common_reply [120]: Attr: 10, 175, 'http://schemas.microsoft.com/claims/groups.link' 'https://graph.windows.net/also_a_random_string/users/can_be_a_random_string/getMemberObjects'
samld_send_common_reply [120]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/random_string_1/'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'random_string'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'can_be_a_random_string'
samld_send_common_reply [120]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Fortinet'
samld_send_common_reply [120]: Attr: 10, 72, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'Test'
Working Account:
samld_send_common_reply [123]: Attr: 17, 27, magic=c1e141f212416d77
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenantID_is_random_string'
samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'can_be_a_random_string'
samld_send_common_reply [120]: Attr: 10, 78, 'http://schemas.microsoft.com/identity/claims/displayname' 'FortinetTestOnline'
samld_send_common_reply [120]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/random_string_1/'
samld_send_common_reply [120]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'random_string'
samld_send_common_reply [120]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Fortinet'
samld_send_common_reply [120]: Attr: 10, 77, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'TestOnline'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' 'Fortinet.testonline@xyzabc.com'
samld_send_common_reply [120]: Attr: 10, 94, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'Fortinet.TestOnline@xyzabc.com'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID1'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID2'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID3'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID4'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID5'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID6'
samld_send_common_reply [120]: Attr: 10, 44, 'username' 'Fortinet.TestOnline@xyzabc.com'
Solution: This error occurs when the user is a member of more than 150 groups, which is a limit set by Microsoft Azure. In the failed account's output above, Azure has replaced the individual 'group' claims with a single 'http://schemas.microsoft.com/claims/groups.link' claim pointing at the Graph getMemberObjects endpoint, so the FortiGate receives no 'group' values (and no 'username' attribute) to match against the SSL VPN user group, and authentication fails. The working account, which is below the limit, receives its 'group' and 'username' attributes as expected.
To resolve this issue, on the Azure portal, in the group claims settings of the enterprise application, select 'Groups assigned to the application' instead of 'All groups'. Once this setting is selected, only the groups assigned to the application are sent in the SAML response instead of all of the user's groups, so the 150-group limit is no longer reached.
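As an added example that is not part of the original article, the following Python script parses samld debug output in the format shown above and flags the Azure group-overage condition (a 'groups.link' claim with no 'group' attributes) so the two cases can be told apart quickly. The sample debug lines are constructed with placeholder values; the `diagnose` function and its status names are assumptions for this example.

```python
import re

# Constructed sample lines in the format of the samld debug output above
# (placeholder values, not real tenant or user data).
FAILED_DEBUG = """\
samld_send_common_reply [123]: Attr: 17, 27, magic=f3ecead5d9cf6cdd
samld_send_common_reply [120]: Attr: 10, 73, 'http://schemas.microsoft.com/identity/claims/displayname' 'Fortinet Test'
samld_send_common_reply [120]: Attr: 10, 175, 'http://schemas.microsoft.com/claims/groups.link' 'https://graph.windows.net/tenant_placeholder/users/oid_placeholder/getMemberObjects'
samld_send_common_reply [120]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Fortinet'
"""

WORKING_DEBUG = """\
samld_send_common_reply [123]: Attr: 17, 27, magic=c1e141f212416d77
samld_send_common_reply [120]: Attr: 10, 78, 'http://schemas.microsoft.com/identity/claims/displayname' 'FortinetTestOnline'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID1'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID2'
samld_send_common_reply [120]: Attr: 10, 44, 'username' 'Fortinet.TestOnline@xyzabc.com'
"""

GROUPS_LINK = "http://schemas.microsoft.com/claims/groups.link"

# One attribute per line: "... Attr: <type>, <len>, '<name>' '<value>'".
# The "magic=" line carries no quoted name/value and is skipped.
ATTR_RE = re.compile(r"samld_send_common_reply \[\d+\]: Attr: \d+, \d+, '([^']*)' '([^']*)'")


def parse_attrs(debug_text):
    """Return (name, value) pairs for every attribute line in the debug output."""
    return [m.groups() for line in debug_text.splitlines() if (m := ATTR_RE.search(line))]


def diagnose(debug_text):
    """Classify a samld attribute dump as 'ok', 'group_overage' or 'no_groups'."""
    attrs = parse_attrs(debug_text)
    groups = [v for n, v in attrs if n == "group"]
    names = {n for n, _ in attrs}
    username = next((v for n, v in attrs if n == "username"), None)
    if GROUPS_LINK in names and not groups:
        # Azure substituted a Graph link for the group list: user exceeds 150 groups.
        status = "group_overage"
    elif groups:
        status = "ok"
    else:
        status = "no_groups"
    return {"status": status, "group_count": len(groups), "username": username}


if __name__ == "__main__":
    for label, text in (("Failed Account", FAILED_DEBUG), ("Working Account", WORKING_DEBUG)):
        print(label, diagnose(text))
```

A 'group_overage' result points at the Azure group claims setting described above rather than at the FortiGate SSL VPN or user group configuration.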
Related documents:
SAML SSO configuration from Web GUI
SAML daemon crashing when ECC or DSA certificates are used
Illustrated explanation of SAML authentication
SAML SSO for Admins - Azure as IdP
SAML SSO for Admins - JumpCloud as IdP
SAML SSO for Admins - Okta as IdP
Set up SAML admin LDAP login on Fortigate (SP) with FortiAuthenticator (IdP)
Configuring FortiGate SSO Administrators with ADFS as SAML IdP
Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1
Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP
Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML IdP |
Copyright 2025 Fortinet, Inc. All Rights Reserved.