Created on 06-25-2025 10:07 PM
Edited on 06-26-2025 12:28 AM
By Jean-Philippe_P
Description
This article describes a behavior where users have correctly configured the group ID for the SAML integration, but authentication still does not work over IKEv2.
Scope
FortiGate v7.4.7, FortiClient v7.4.3.
Solution
Users configure a SAML integration with a specific group ID.
config system global edit "saml" edit "azure_group" edit "vpn_car" edit 8 edit "port1"
In the debugs, the authentication process starts correctly, but it never finishes.
[authd_local_saml_auth:5778]: SAML login with UID 'DA715D9413064DD09C155EB6D427BC00'.
[545] __fnbamd_cfg_get_tac_plus_list_by_group-
[456] fnbamd_rad_get-vfid=0, name='EAP_PROXY'
ep_fnbam_auth_wpa_user 401 -- svc_type='vpn-ikev2', user='DA715D9413064DD09C155EB6D427BC00', vdom='root', intf='FGVMXXXX'
There is no further output in the fnbamd debugs, unlike the expected flow explained in the following article, and authentication never completes: SAML-based authentication for FortiClient remote access dialup IPsec VPN clients
Solution: disable the FortiClient setting 'Use an external browser as user-agent for SAML user authentication'. In FortiClient, navigate to Remote Access -> Edit IPsec VPN -> Single Sign On Settings and disable 'Use an external browser as user-agent for SAML user authentication'.
Copyright 2025 Fortinet, Inc. All Rights Reserved.