Help
FortiSASE
FortiSASE delivers both a consistent security posture and an optimal user experience for users working from anywhere. Secure your hybrid workforce by closing security gaps, plus simplify operations.
arleniscg
Staff
Staff

Created on ‎06-05-2024 10:25 PM Edited on ‎01-03-2025 06:41 AM By Staff

Article Id 319232

Troubleshooting Tip: Policy with src groups from IDP FortiAuthenticator on-premise, FortiSASE error: 'Found a group with no match setting'

Description This article describes how to resolve a scenario where the group-id attributes are not fetched from IDP FortiAuthenticator on-premises, resulting in no hits on Policies with the source group on FortiSASE.
Scope FortiSASE, FortiAuthenticator.
Solution

In the FortiSASE policy overview, only the Policy that allows VPN users traffic shows hits. The policy with defined source groups from FortiAuthenticator does not show hits: 

 

SASE1.png

 

In the 'VPN User SSO' section, the SSO configuration test may show the following message, if all is configured correctly: 

'Found a group with no match setting'.

 

SASE2.png

In this screenshot, the group attribute is written in uppercase. Keep in mind that FortiSASE handles the group attributes case-sensitive. Best practice is to keep all names and values in lowercase, to avoid confusion.

  1. Change the case of the group to lower case as in this example:

 

SASE3.png

 

  1. Create Group and Group IDs on FortiSASE and FortiAuthenticator:

 

SASE4.png

 

  1. Validate hits on FortiSASE Policy:

 

SASE5.png

 
245
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.