Created on 06-25-2025 10:07 PM
Edited on 10-08-2025 12:58 AM
By jlim11
| Description | This article describes a behavior where the Group ID for the SAML integration is configured correctly, yet SAML authentication does not complete for IKEv2 dialup VPN. |
| Scope | FortiGate v7.4.7, FortiClient v7.4.3. |
| Solution | Users configure a SAML integration with a specific group ID. The relevant objects on the FortiGate are the following (the settings under each object are not reproduced here):

    config system global
    config user saml
        edit "saml"
    config user group
        edit "azure_group"
    config vpn ipsec phase1-interface
        edit "vpn_car"
    config firewall policy
        edit 8
    config system interface
        edit "port1"

In the debugs, the authentication process starts correctly, but it never finishes:

    [authd_local_saml_auth:5778]: SAML login with UID 'DA715D9413064DD09C155EB6D427BC00'.
    [545] __fnbamd_cfg_get_tac_plus_list_by_group-
    [456] fnbamd_rad_get-vfid=0, name='EAP_PROXY'
    ep_fnbam_auth_wpa_user 401 -- svc_type='vpn-ikev2', user='DA715D9413064DD09C155EB6D427BC00', vdom='root', intf='FGVMXXXX'

The fnbamd debugs show none of the output described in the following article, and authentication never completes: SAML-based authentication for FortiClient remote access dialup IPsec VPN clients

Solution: Disable the feature 'Use external browser as user-agent for SAML user authentication' in the FortiClient settings. In FortiClient, navigate to Remote Access -> Edit IPSec VPN -> Single Sign On Settings and disable 'Use external browser as user-agent for SAML user authentication'. FortiClient then performs the SAML login in its embedded browser instead of the system browser. To verify the fix, re-run the authentication with the same debugs enabled and confirm that the fnbamd output described in the linked article now appears and that the user is placed in the expected group.
|
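The "starts but never finishes" pattern above is easy to miss in a long debug capture. The following Python script is an added example, not part of the Fortinet article or of any FortiGate/FortiClient tooling. It parses the two debug line formats quoted above (the regular expressions are written from those quoted lines and are this example's assumption about the format), correlates the authd SAML start with the fnbamd hand-off by UID, and reports IKEv2 SAML logins for which the capture contains no later line mentioning that UID. The sample capture is constructed from the lines quoted above with placeholder values; the stall criterion (no later line referencing the UID) is this example's heuristic, not a FortiGate status code.

```python
import re

# Constructed sample capture, modelled on the debug lines quoted in the
# article. The UID and interface name are placeholders, not real values.
SAMPLE_DEBUG = """\
[authd_local_saml_auth:5778]: SAML login with UID 'DA715D9413064DD09C155EB6D427BC00'.
[545] __fnbamd_cfg_get_tac_plus_list_by_group-
[456] fnbamd_rad_get-vfid=0, name='EAP_PROXY'
ep_fnbam_auth_wpa_user 401 -- svc_type='vpn-ikev2', user='DA715D9413064DD09C155EB6D427BC00', vdom='root', intf='FGVMXXXX'
"""

# authd announcing that a SAML login has started for a given UID
# (pattern derived from the quoted line; an assumption about the format)
SAML_START = re.compile(r"SAML login with UID '(?P<uid>[0-9A-Fa-f]+)'")
# fnbamd picking the request up for a service (svc_type) and user
# (pattern derived from the quoted line; an assumption about the format)
FNBAM_DISPATCH = re.compile(
    r"ep_fnbam_auth_wpa_user \d+ -- svc_type='(?P<svc>[^']+)', "
    r"user='(?P<uid>[0-9A-Fa-f]+)', vdom='(?P<vdom>[^']+)', intf='(?P<intf>[^']+)'"
)


def parse_events(text):
    """Return (line_no, kind, fields) tuples for the lines this script recognises."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SAML_START.search(line)
        if m:
            events.append((n, "saml_start", {"uid": m["uid"].upper()}))
            continue
        m = FNBAM_DISPATCH.search(line)
        if m:
            fields = {k: m[k] for k in ("svc", "uid", "vdom", "intf")}
            fields["uid"] = fields["uid"].upper()
            events.append((n, "fnbam_dispatch", fields))
    return events


def find_stalled_ikev2_saml_logins(text):
    """Report IKEv2 SAML logins that start, reach fnbamd, and then go quiet.

    Stall criterion (this example's assumption): a saml_start and a vpn-ikev2
    fnbam_dispatch exist for the UID, and no later line in the capture
    mentions that UID again.
    """
    lines = [l.upper() for l in text.splitlines()]
    events = parse_events(text)
    started = {f["uid"] for _, k, f in events if k == "saml_start"}
    stalled = []
    for n, kind, f in events:
        if kind != "fnbam_dispatch" or f["svc"] != "vpn-ikev2":
            continue
        if f["uid"] not in started:
            continue
        # lines[n:] are the lines after the dispatch line (n is 1-based)
        if not any(f["uid"] in later for later in lines[n:]):
            stalled.append(f)
    return stalled


if __name__ == "__main__":
    for f in find_stalled_ikev2_saml_logins(SAMPLE_DEBUG):
        print(f"stalled SAML/IKEv2 login: uid={f['uid']} vdom={f['vdom']} intf={f['intf']}")
```

Feed it the combined output of the authd and fnbamd debugs captured during a failing login; a reported UID with svc_type 'vpn-ikev2' that is never mentioned again is the symptom this article describes. After applying the FortiClient change, the same capture should produce no report for the user.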
Copyright 2025 Fortinet, Inc. All Rights Reserved.