FortiGate
jlim11
Staff
Article Id 351851
Description

This article explains why the FortiGate shows a user as a member of only one SAML group after the user authenticates and connects to SSL VPN, even though the user actually belongs to multiple SAML groups.

For this example, the user is part of SAML-GRP and SAML-GRP2 on the FortiGate configuration:

(Screenshot: grouping gui.PNG)

(Screenshot: 3. saml group.PNG)

SSL VPN configuration:


(Screenshot: SSLVPN group rule mapping.PNG)


However, after connecting to SSL VPN, the user is shown as a member of only one group:


(Screenshot: 1 fgt group.PNG)

(Screenshot: cli 1 group.PNG)

Scope
FortiGate.
Solution

Run the following debug commands to confirm that the user is also a member of the other user group:


diag debug application samld -1

diag debug application sslvpnd -1

diag debug application fnbamd -1

diag debug enable

 

[2141:root:21]saml login [2141:33] SAML_INFO: Storing 7 remote SAML groups received from 'SAML-SSO'
[2141:root:21]fsv_saml_auth_group:409 store remote saml group[0]: 0142692d-93cd-49f7-b1c3-eab14ca7d39a.
[2141:root:21]saml login [2141:33] SAML_INFO: Storing remote SAML group '0142692d-93cd-49f7-b1c3-eab14ca7d39a'
[2141:root:21]fsv_saml_auth_group:409 store remote saml group[1]: 223e5f50-974d-4abe-908b-02268ce66d74.
[2141:root:21]saml login [2141:33] SAML_INFO: Storing remote SAML group '223e5f50-974d-4abe-908b-02268ce66d74'
[2141:root:21]fsv_saml_auth_group:409 store remote saml group[2]: 95bef301-4f4e-4001-9241-7e089fa1345b.
[2141:root:21]saml login [2141:33] SAML_INFO: Storing remote SAML group '95bef301-4f4e-4001-9241-7e089fa1345b'
[2141:root:21]fsv_saml_auth_group:409 store remote saml group[3]: a965c304-c0cb-45d6-9383-dd264fe03b97.
[2141:root:21]saml login [2141:33] SAML_INFO: Storing remote SAML group 'a965c304-c0cb-45d6-9383-dd264fe03b97'
[2141:root:21]fsv_saml_auth_group:409 store remote saml group[4]: df799b20-5604-4b8c-ba88-257aa7266c80.
[2141:root:21]saml login [2141:33] SAML_INFO: Storing remote SAML group 'df799b20-5604-4b8c-ba88-257aa7266c80'
[2141:root:21]fsv_saml_auth_group:409 store remote saml group[5]: 8724203f-b372-4648-b9ae-8254d36cf736.
[2141:root:21]saml login [2141:33] SAML_INFO: Storing remote SAML group '8724203f-b372-4648-b9ae-8254d36cf736'
[2141:root:21]fsv_saml_auth_group:409 store remote saml group[6]: bdc357d3-d318-4132-8a86-8f88bab5b4fa.
[2141:root:21]saml login [2141:33] SAML_INFO: Storing remote SAML group 'bdc357d3-d318-4132-8a86-8f88bab5b4fa'
From the user group configuration:

config user group
    edit "SAML-GRP"
        set member "SAML-SSO"
        config match
            edit 1
                set server-name "SAML-SSO"
                set group-name "a965c304-c0cb-45d6-9383-dd264fe03b97"
            next
        end
    next
    edit "SAML-GRP2"
        set member "SAML-SSO"
        config match
            edit 1
                set server-name "SAML-SSO"
                set group-name "df799b20-5604-4b8c-ba88-257aa7266c80"
            next
        end
    next
end


This confirms that the user should be a member of 'SAML-GRP2', because the SAML groups received from the SAML server 'SAML-SSO' include the group object ID 'df799b20-5604-4b8c-ba88-257aa7266c80' (see 'store remote saml group[4]' in the debug output).

Aside from confirming the group ID for the user from the debug output, confirm that there is an enabled firewall policy referencing the other group, 'SAML-GRP2', which the user is part of.

(Screenshot: 4 firewall policy groups.PNG)


It is also possible to reference the other group in the same firewall policy as the first group instead of creating a separate firewall policy.


After the other group is included in a firewall policy, the user is shown as a member of both groups.

(Screenshot: 1-2 fgt 2grp.PNG)

(Screenshot: 2 fgt cli 2group.PNG)

In other words, the FortiGate does not list an authenticated SSL VPN user under every user group whose SAML group ID matches; it also checks the firewall policies and only adds the user to the groups that an enabled firewall policy references.
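The check described above, as an added example that is not part of this article or of FortiOS: a small Python helper that parses the 'store remote saml group[N]' lines from the samld debug output, matches them against the user group 'group-name' entries, and then applies the firewall-policy rule to predict which groups the FortiGate will actually display. The debug sample, the USER_GROUPS mapping and the policy group sets are constructed from the values shown in this article.

```python
import re

# Constructed excerpt in the samld debug format shown above (two of the seven groups).
SAML_DEBUG = """\
[2141:root:21]saml login [2141:33] SAML_INFO: Storing 7 remote SAML groups received from 'SAML-SSO'
[2141:root:21]fsv_saml_auth_group:409 store remote saml group[3]: a965c304-c0cb-45d6-9383-dd264fe03b97.
[2141:root:21]saml login [2141:33] SAML_INFO: Storing remote SAML group 'a965c304-c0cb-45d6-9383-dd264fe03b97'
[2141:root:21]fsv_saml_auth_group:409 store remote saml group[4]: df799b20-5604-4b8c-ba88-257aa7266c80.
[2141:root:21]saml login [2141:33] SAML_INFO: Storing remote SAML group 'df799b20-5604-4b8c-ba88-257aa7266c80'
"""

# user group name -> (server-name, group-name) taken from the 'config user group' match entries
USER_GROUPS = {
    "SAML-GRP": ("SAML-SSO", "a965c304-c0cb-45d6-9383-dd264fe03b97"),
    "SAML-GRP2": ("SAML-SSO", "df799b20-5604-4b8c-ba88-257aa7266c80"),
}

# One line per group the FortiGate stored from the IdP assertion.
STORE_RE = re.compile(r"store remote saml group\[(\d+)\]: ([0-9a-f-]{36})\.")


def stored_groups(debug_text):
    """Return {index: group object ID} for every remote SAML group samld stored."""
    return {int(m.group(1)): m.group(2) for m in STORE_RE.finditer(debug_text)}


def matched_user_groups(stored, user_groups, server="SAML-SSO"):
    """User groups whose match entry names an object ID the IdP actually sent."""
    received = set(stored.values())
    return {name for name, (srv, gid) in user_groups.items()
            if srv == server and gid in received}


def effective_groups(matched, policy_groups):
    """Split matched groups into (shown, hidden): the FortiGate only lists the
    VPN user under groups that an enabled firewall policy references."""
    shown = matched & policy_groups
    return shown, matched - shown


def diagnose(debug_text, user_groups, policy_groups):
    """Print why a matched group is missing from the user's group list."""
    stored = stored_groups(debug_text)
    shown, hidden = effective_groups(matched_user_groups(stored, user_groups), policy_groups)
    for name in sorted(hidden):
        print(f"{name}: SAML group ID matched, but no enabled firewall policy references it")
    return shown, hidden


if __name__ == "__main__":
    diagnose(SAML_DEBUG, USER_GROUPS, {"SAML-GRP"})  # reports SAML-GRP2 as hidden
```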
