saleha
Staff
Article Id 330226
Description

This article describes how to fix two errors that may occur in SSL VPN configurations with SAML authentication for MFA on Azure Entra.
If the username or group claims are missing on Azure, or their names do not match the FortiGate configuration, FortiGate will reject the connection with one of the following errors:

  • 'No username info in SAML response'.
  • 'No group info in SAML response'.
Scope
FortiGate - SSL VPN - SSO - Azure Entra.
Solution
  • Log in to Azure and open the Entra application for FortiGate.

  • Select the 'SSO' option.

  • Under the 'Attributes & Claims' section, make sure that the attribute 'username' is listed with the claim 'user.userprincipalname'.

  • If this is missing, add a new claim by following these steps:
    • Select the edit button in this section.
    • Select 'Add new claim'.
    • Next to 'Name', enter 'username'.
    • Next to 'Source attribute', select 'user.userprincipalname' and then select 'Save'.

  • The same can be done for the 'groups' claim if it is missing from the 'Attributes & Claims' section: the 'Attribute' 'Name' should be 'groups' and the 'Claim' field should hold the value 'user.groups'.

  • One important note: make sure these attribute names exactly match the names in the FortiGate 'user saml' configuration, including letter case.

  • To view the SAML configuration in the FortiOS CLI:

config user saml
    edit "Azure"
        set user-name "username"
        set group-name "groups"
        …………
    next
end

  • To troubleshoot SSL VPN and SAML, run the debug commands below:

diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug application saml -1
diagnose debug console timestamp enable
diagnose debug enable
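To see why a name or case mismatch between the Azure claim and the 'user saml' settings produces the two errors above, here is an added example (not from this article or from FortiOS) that parses a constructed SAML assertion and applies the same exact-match check FortiGate performs on the configured user-name and group-name. The assertion content, the user address and the group ID are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, modelled on what Azure Entra emits when the
# 'username' and 'groups' claims are configured (all values are placeholders).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_claims(assertion_xml, user_name, group_name):
    """Mimic the FortiGate check: the attribute names in the response must
    equal the 'user saml' user-name / group-name settings exactly, letter
    case included. Returns the list of errors the firewall would log
    (an empty list means the login is accepted)."""
    attrs = saml_attributes(assertion_xml)
    errors = []
    if not attrs.get(user_name):
        errors.append("No username info in SAML response")
    if not attrs.get(group_name):
        errors.append("No group info in SAML response")
    return errors


if __name__ == "__main__":
    # Matching config passes; a case mismatch ('Username') is rejected.
    print(check_claims(SAMPLE_ASSERTION, "username", "groups"))
    print(check_claims(SAMPLE_ASSERTION, "Username", "groups"))
```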

It is also possible to see which group value Azure has configured by running the SAML debug and completing a login.

Run the above commands; output such as the following will be visible:

[Image: schema.PNG, sample SAML debug output]

For a more complete guide on troubleshooting SAML issues with SSL VPN, visit the following URL: Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication.
Reference for steps on Microsoft Entra SSO integration with FortiGate SSL VPN: Tutorial: Microsoft Entra SSO integration with FortiGate SSL VPN.