FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
saleha
Staff
Article Id 330226
Description

This article describes how to fix two errors that may occur in SSL VPN configurations with SAML authentication for MFA on Azure Entra.
If there is a mismatch or missing username or group claims on Azure, the FortiGate will reject the connection due to either of the following errors:

  • 'No username info in SAML response'
  • 'No group info in SAML response'

Scope

FortiGate - SSL VPN - SSO - Azure Entra.
Solution
  • Log in to Azure and open the Entra enterprise application for FortiGate.
  • Select the 'SSO' option.
  • Under the 'Attributes & Claims' section, make sure that the attribute 'username' is listed with claim 'user.userprincipalname'.
  • If this is missing, add a new claim by following these steps:
    • Select the edit button on this section.
    • Select 'Add new claim'.
    • Next to 'Name', enter 'username'.
    • Next to 'Source attribute', select 'user.userprincipalname' and then select 'Save'.
  • If the 'groups' claim is missing from the same 'Attributes & Claims' section, add it the same way: the 'Name' must be 'groups' and the claim value must be 'user.groups'.
  • Make sure these attribute names exactly match the names in the FortiGate 'user saml' configuration, including letter case.
  • To view the SAML configuration in the FortiOS CLI:

config user saml
    edit "Azure"
        set user-name "username"
        set group-name "groups"
        ...
    next
end


  • To troubleshoot SSL VPN and SAML, run the debug commands below:

diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable
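To confirm which attribute names the IdP actually sent before editing either side, the following added Python script (not Fortinet's code) parses a SAML response captured in the browser and compares the attribute names against the 'username' and 'groups' values from 'set user-name' and 'set group-name'. The SAML response embedded in it is constructed for the example; it reports each expected attribute as present, missing, or present only with a case mismatch.

```python
# Checks a SAML assertion for the attribute names FortiGate expects:
# 'No username info' / 'No group info in SAML response' both come down to
# the names in 'config user saml' not matching the assertion exactly.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture): the IdP sends
# 'Username' (capital U) instead of 'username', and no 'groups' claim.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="Username">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_attributes(xml_text):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def check_claims(xml_text, user_name="username", group_name="groups"):
    """Map each name from 'set user-name' / 'set group-name' to 'ok',
    'missing', or 'case mismatch: <name the IdP actually sent>'."""
    attrs = saml_attributes(xml_text)
    lowered = {name.lower(): name for name in attrs}
    result = {}
    for expected in (user_name, group_name):
        if expected in attrs:
            result[expected] = "ok"
        elif expected.lower() in lowered:
            # FortiGate compares case-sensitively, so this still fails.
            result[expected] = "case mismatch: " + lowered[expected.lower()]
        else:
            result[expected] = "missing"
    return result


if __name__ == "__main__":
    for name, status in check_claims(SAMPLE_RESPONSE).items():
        print(f"{name}: {status}")
```

A 'case mismatch' result means the claim exists in Entra but the 'Name' there differs in letter case from the FortiGate setting; fix whichever side is wrong rather than adding a second claim.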