kanand
Article Id 216142
Description This article describes a SAML SSL VPN authentication failure that affects some users while other users in the same group authenticate successfully.
Scope FortiGate, all versions.
Solution

SAML SSL VPN authentication fails for some users while it works for others, even though the affected users belong to the same group. Running the SAML debug on the FortiGate shows the following:

# diag debug app samld -1
# diag debug enable

Failed Account

samld_send_common_reply [123]: Attr: 17, 27, magic=f3ecead5d9cf6cdd
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenantID_is_random_string'
samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'can_be_a random_string'
samld_send_common_reply [120]: Attr: 10, 73, 'http://schemas.microsoft.com/identity/claims/displayname' 'Fortinet Test'
samld_send_common_reply [120]: Attr: 10, 175, 'http://schemas.microsoft.com/claims/groups.link' 'https://graph.windows.net/also_a_random_string/users/can_be_a_random_string/getMemberObjects'
samld_send_common_reply [120]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/random_string_1/'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'random_string'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'can_be_a_random_string'
samld_send_common_reply [120]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Fortinet'
samld_send_common_reply [120]: Attr: 10, 72, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'Test'

Working Account

samld_send_common_reply [123]: Attr: 17, 27, magic=c1e141f212416d77
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenantID_is_random_string'
samld_send_common_reply [120]: Attr: 10, 103, 'http://schemas.microsoft.com/identity/claims/objectidentifier' 'can_be_a_random_string'
samld_send_common_reply [120]: Attr: 10, 78, 'http://schemas.microsoft.com/identity/claims/displayname' 'FortinetTestOnline'
samld_send_common_reply [120]: Attr: 10, 128, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/random_string_1/'
samld_send_common_reply [120]: Attr: 10, 142, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/wids' 'random_string'
samld_send_common_reply [120]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Fortinet'
samld_send_common_reply [120]: Attr: 10, 77, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'TestOnline'
samld_send_common_reply [120]: Attr: 10, 102, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' 'Fortinet.testonline@xyzabc.com'
samld_send_common_reply [120]: Attr: 10, 94, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'Fortinet.TestOnline@xyzabc.com'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID1'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID2'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID3'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID4'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID5'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'unique_random_groupID6'
samld_send_common_reply [120]: Attr: 10, 44, 'username' 'Fortinet.TestOnline@xyzabc.com'

Solution

This failure occurs when the user is a member of more than 150 groups, which is a limit imposed by Microsoft Azure. In the failed account's debug output above, the SAML response carries a 'groups.link' claim (a pointer to the Graph getMemberObjects endpoint) and no 'group' attributes at all, so the FortiGate has no group membership to match; the working account receives the individual 'group' attributes.

To resolve this, in the Azure portal, under the application's group claims settings, select 'Groups Assigned to the Application' instead of 'All groups'. With this setting, only the groups assigned to the application are sent in the SAML response rather than all of the user's groups, which keeps the response below the limit.
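The following script is an added example, not Fortinet's code: it parses the 'samld_send_common_reply' attribute lines from the debug output shown above and reports whether a response contained individual 'group' attributes or only the 'groups.link' overage claim, which is the distinguishing feature between the failed and working accounts. The line format is assumed to be exactly as printed on this page; the sample lines below are constructed with placeholder values and are not real tenant, object or group IDs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One attribute line of "diag debug app samld -1" as it appears on the page:
#   samld_send_common_reply [120]: Attr: <type>, <len>, '<name>' '<value>'
# The 'magic=' line has no quoted name, so it does not match and is skipped.
ATTR_RE = re.compile(
    r"samld_send_common_reply \[\d+\]: Attr: (?P<type>\d+), (?P<len>\d+), "
    r"'(?P<name>[^']*)'(?: '(?P<value>[^']*)')?"
)

# Overage claim Azure AD sends instead of the individual group claims.
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
AZURE_SAML_GROUP_LIMIT = 150  # limit stated in the article and the Microsoft reference


@dataclass
class SamlDebugSummary:
    attributes: List[Tuple[str, str]] = field(default_factory=list)  # (name, value) in order
    groups: List[str] = field(default_factory=list)                  # values of 'group' attrs
    username: Optional[str] = None
    overage: bool = False  # groups.link present and no 'group' attributes at all


def parse_samld_debug(text: str) -> SamlDebugSummary:
    """Collect the attributes the FortiGate logged for one SAML response."""
    summary = SamlDebugSummary()
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value") or ""
        summary.attributes.append((name, value))
        if name == "group":
            summary.groups.append(value)
        elif name == "username":
            summary.username = value
    names = {name for name, _ in summary.attributes}
    summary.overage = GROUPS_LINK_CLAIM in names and not summary.groups
    return summary


def diagnose(summary: SamlDebugSummary) -> str:
    """Classify the response the way an admin would read the debug output."""
    if summary.overage:
        return (
            "OVERAGE: the IdP sent a groups.link claim and no 'group' attributes; "
            f"the user likely belongs to more than {AZURE_SAML_GROUP_LIMIT} groups. "
            "Set the Azure group claim to 'Groups Assigned to the Application'."
        )
    if not summary.groups:
        return "NO_GROUPS: no 'group' attributes in the response; check the group claim configuration."
    return f"OK: {len(summary.groups)} group(s) received for {summary.username or 'unknown user'}."


# Constructed sample output (placeholder values, not real tenant or object IDs).
FAILED_SAMPLE = """\
samld_send_common_reply [123]: Attr: 17, 27, magic=0000000000000000
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenant-placeholder'
samld_send_common_reply [120]: Attr: 10, 175, 'http://schemas.microsoft.com/claims/groups.link' 'https://graph.windows.net/tenant-placeholder/users/user-placeholder/getMemberObjects'
samld_send_common_reply [120]: Attr: 10, 74, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'Fortinet'
"""

WORKING_SAMPLE = """\
samld_send_common_reply [123]: Attr: 17, 27, magic=1111111111111111
samld_send_common_reply [120]: Attr: 10, 95, 'http://schemas.microsoft.com/identity/claims/tenantid' 'tenant-placeholder'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'gid-1'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'gid-2'
samld_send_common_reply [120]: Attr: 10, 47, 'group' 'gid-3'
samld_send_common_reply [120]: Attr: 10, 44, 'username' 'user@example.com'
"""

if __name__ == "__main__":
    for label, sample in (("failed", FAILED_SAMPLE), ("working", WORKING_SAMPLE)):
        print(f"{label}: {diagnose(parse_samld_debug(sample))}")
```

Paste a captured debug session into the script (or read it from a file) and run it: an OVERAGE verdict tells you the problem is on the Azure side, in the group claim configuration, before you spend time on the FortiGate user group or SSL VPN portal mapping. Attribute values containing a single quote are not handled by the regex, which is fine for the claim names and IDs seen in this output.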


Reference:

https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens
