FortiPortal
tnesh
Staff & Editor
Article Id 330372
Description
This article describes how to troubleshoot the FortiPortal SSO login error 'Remote Role does not match with FPC role'. The error is raised when the role value carried in the IdP's SAML assertion does not correspond to any SSO Role/Profile configured on FortiPortal.
Sample error message:

fpc-role-error-message.png

Scope
FortiPortal v7.2 and later.
Troubleshooting:

  • Use a SAML debugging browser extension (for example, SAML-tracer) to capture the SAML response that the browser posts to FortiPortal and inspect the attributes in the assertion:

fpc-sso-debug.png

  • Verify that the Identity Provider (IdP) is sending the expected Role attribute, with the expected value, to FortiPortal.
  • Verify that FortiPortal has an SSO Role/Profile whose name matches that value: FortiPortal (Administrator) GUI -> System -> Settings -> Authentication -> Edit Remote Server -> View SSO Profiles.

fpc-sso-role.png

  • Export the FortiPortal system logs and analyze the verbose debug output: FortiPortal (Administrator) GUI -> System -> Settings -> General -> System Logs -> Export.

fpc-export-system-log.png

fpc-debug-log.png

  • In this example, the IdP is sending the SSO role 'sso_cust_read', but FortiPortal reports 'no matched role' in the debug logs.
  • This is because the FortiPortal SSO Role/Profile list does not contain an entry named 'sso_cust_read'.
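The comparison FortiPortal performs in the debug log above can be reproduced offline against the response captured with SAML-tracer, so that the mismatch is pinned down before anything is changed in the GUI. The script below is an added example and is not FortiPortal's own code or output. It decodes the base64 SAMLResponse form parameter, checks the response status, pulls every attribute out of the assertion, and compares the role values against the profile names listed under View SSO Profiles. The sample response is constructed, the attribute name 'Role' and the profile names 'sso_admin' and 'sso_cust_write' are assumptions, and the script compares strings exactly (case-sensitive); this page does not state how FortiPortal itself compares, so a value that differs only in case is flagged separately rather than treated as a match.

```python
import base64
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample SAML response, not a real capture. The attribute names
# "username" and "Role" are assumptions; use the attribute name that the
# FortiPortal remote-server configuration expects for the role.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Role"><saml:AttributeValue>sso_cust_read</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually POSTs to FortiPortal: the XML above, base64-encoded.
SAMPLE_SAML_RESPONSE_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Assumed profile names as shown under View SSO Profiles, before and after the fix.
CONFIGURED_PROFILES_BEFORE = ["sso_admin", "sso_cust_write"]
CONFIGURED_PROFILES_AFTER = CONFIGURED_PROFILES_BEFORE + ["sso_cust_read"]


def decode_saml_response(param: str) -> str:
    """Decode the base64 SAMLResponse form parameter into XML text."""
    return base64.b64decode(param).decode("utf-8")


def status_ok(xml_text: str) -> bool:
    """True when the IdP reported a Success status; anything else fails before role matching."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == SUCCESS


def extract_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Collect every <saml:Attribute> in the assertion as name -> list of values."""
    root = ET.fromstring(xml_text)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def match_role(attrs: Dict[str, List[str]], role_attr: str,
               configured_profiles: List[str]) -> Tuple[Optional[str], List[str]]:
    """Exact, case-sensitive comparison of the remote role values with the profile names.

    Returns (matched_profile_or_None, remote_role_values)."""
    remote_roles = attrs.get(role_attr, [])
    for role in remote_roles:
        if role in configured_profiles:
            return role, remote_roles
    return None, remote_roles


def case_only_mismatches(remote_roles: List[str], configured_profiles: List[str]) -> List[str]:
    """Configured profiles that equal a remote value ignoring case: a likely typo, not a match."""
    lowered = {r.lower() for r in remote_roles}
    return [p for p in configured_profiles if p.lower() in lowered]


def diagnose(param: str, role_attr: str, configured_profiles: List[str]) -> str:
    """Explain why a captured SAMLResponse would or would not map to a FortiPortal profile."""
    xml_text = decode_saml_response(param)
    if not status_ok(xml_text):
        return "IdP returned a non-Success status; the failure is upstream of role matching"
    attrs = extract_attributes(xml_text)
    matched, remote_roles = match_role(attrs, role_attr, configured_profiles)
    if not remote_roles:
        return f"no '{role_attr}' attribute in the assertion; check the IdP attribute mapping"
    if matched is None:
        msg = f"no matched role: IdP sent {remote_roles}, FortiPortal profiles are {configured_profiles}"
        near = case_only_mismatches(remote_roles, configured_profiles)
        if near:
            msg += f" (profile differs only in case: {near})"
        return msg
    return f"matched role '{matched}'"


if __name__ == "__main__":
    print(diagnose(SAMPLE_SAML_RESPONSE_PARAM, "Role", CONFIGURED_PROFILES_BEFORE))
    print(diagnose(SAMPLE_SAML_RESPONSE_PARAM, "Role", CONFIGURED_PROFILES_AFTER))
```

To use it on a real capture, paste the raw SAMLResponse value from the SAML-tracer POST into the first argument of diagnose() and the profile names from View SSO Profiles into the list. The script does not verify the assertion signature; that check is covered by the related article on validating signed SAML responses.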
Solution
  1. Create a new FortiPortal SSO Role/Profile named 'sso_cust_read', exactly as the IdP sends it, and select Save.

fpc-role-create.png

  2. Log in again with the SSO user and verify the result:
fpc-login-succes.png
Related articles:

Technical Tip: How to configure FortiPortal SSO Remote Authentication using FortiAuthenticator SAML ...

Technical Tip: How to configure FortiPortal SSO Remote Authentication using Active Directory Federat...

Technical Tip: How to validate that Remote authentication 'SSO' SAML responses and assertions are si...
