FortiSASE
sjoshi
Staff
Article Id 360559
Description

This article describes the process for resolving user group matching issues in FortiSASE when integrating with Azure SSO.


Scope

FortiSASE.


Solution

Azure Entra ID is set up on FortiSASE for VPN SSO. The user can connect to the VPN but does not match the user group defined on FortiSASE. For example, the user groups Test and Test2 are defined on FortiSASE based on Azure object IDs; once the user connects to the VPN, the user should match the respective group and therefore the correct SIA policy for that user group.

[Screenshot: 12.PNG]

The SIA policy on FortiSASE is set as below, so if the user does not match any of the groups, the default implicit policy is matched and the traffic is blocked.

[Screenshot: 12.PNG]

The user-based policy is not being triggered; instead, the implicit deny policy is accumulating bytes, which means the user's traffic is being denied.

In the SSL/SAML debug output, the following is seen:

 

samld_send_common_reply [95]: Attr: 10, 99, 'http://schemas.microsoft.com/identity/claims/tenantid' '25bd9be1-1337-46d2-ae0c-b5cd065ff0b8'
samld_send_common_reply [95]: Attr: 10, 107, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '10d42dad-3a7f-4a74-ba47-1abd2e61519d'
samld_send_common_reply [95]: Attr: 10, 83, 'http://schemas.microsoft.com/identity/claims/displayname' 'User One'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '3805a821-cc15-4350-9677-33ecd7643041'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '6780fc2f-042e-487e-aae8-cc50f206cf12'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' 'b5af0637-d047-4f16-ba82-83c547745511'
samld_send_common_reply [95]: Attr: 10, 132, 'http://schemas.microsoft.com/identity/claims/identityprovider' 'https://sts.windows.net/25bd9be1-1337-46d2-ae0c-b5cd065ff0b8/'
samld_send_common_reply [95]: Attr: 10, 146, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password'
samld_send_common_reply [95]: Attr: 10, 117, 'http://schemas.microsoft.com/claims/authnmethodsreferences' 'http://schemas.microsoft.com/claims/multipleauthn'
samld_send_common_reply [95]: Attr: 10, 80, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' 'User'
samld_send_common_reply [95]: Attr: 10, 77, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' 'One'
samld_send_common_reply [95]: Attr: 10, 87, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' 'user@abc.com'
samld_send_common_reply [95]: Attr: 10, 79, 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' 'user1@abc.com'
samld_send_common_reply [95]: Attr: 10, 29, 'username' 'user1@abc.com'

 

samld_send_common_reply [119]: Sent resp: 18594, pid=2992, job_id=1706.
2024-11-27 12:37:11 [2992:root:6aa]saml login [2992:1706] SAML_PROCESS_LOGIN_RESPONSE: Processing login response
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/identity/claims/tenantid
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/identity/claims/objectidentifier
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/identity/claims/displayname
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
2024-11-27 12:37:11 [2992:root:6aa]stmt: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

2024-11-27 12:37:11 [2992:root:6aa]stmt: username
2024-11-27 12:37:11 [2992:root:6aa]fsv_saml_login_response:678 Got saml username: user1@abc.com.
2024-11-27 12:37:11 [2992:root:6aa]saml login [2992:1706] SAML_RESPONSE_USER: 'user1@abc.com'
2024-11-27 12:37:11 [2992:root:6aa]fsv_saml_login_response:721 No group info in SAML response. >> it is not matching any of the groups from the Azure side
2024-11-27 12:37:11 [2992:root:6aa]saml login [2992:1706] SAML_RESPONSE_GROUP: Not available

 

2024-11-27 12:37:11 [2992:root:6aa]saml login [2992:1706] SAML_WARN: Found a group with no match setting: 'VPN_SSO_AUTH_GROUP' >> it is matching the local group instead, which is why the SIA user-based policy is not matched

 

The group name attribute on the Azure side is 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'.

Verify the attribute configured on the FortiSASE side. Go to Configuration -> VPN User SSO.

[Screenshot: 2131.PNG]

It is evident that the Group Name attribute value configured on FortiSASE does not match the group claim sent by Azure, so the user cannot be aligned with the correct user group.

Changing the Group Name attribute to 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' on the FortiSASE side will resolve the issue.
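The check below is an added example and is not Fortinet's code nor a reproduction of FortiSASE's internal matching logic; it models the behaviour the debug output describes. It parses samld-style attribute lines (constructed sample, reusing the GUID-shaped values shown above) and shows that the SP only sees group values when its configured Group Name attribute equals the claim name the IdP actually sends. The SP-side group table (Test, Test2) and the mismatched attribute name 'groups' are assumptions standing in for the screenshot contents; the diagnose() helper lists the claim names in the assertion that carry GUID-shaped values, which is what an engineer compares against the FortiSASE Group Name setting.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the FortiSASE SAML debug lines above.
SAML_DEBUG = """\
samld_send_common_reply [95]: Attr: 10, 107, 'http://schemas.microsoft.com/identity/claims/objectidentifier' '10d42dad-3a7f-4a74-ba47-1abd2e61519d'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '3805a821-cc15-4350-9677-33ecd7643041'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' '6780fc2f-042e-487e-aae8-cc50f206cf12'
samld_send_common_reply [95]: Attr: 10, 108, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups' 'b5af0637-d047-4f16-ba82-83c547745511'
samld_send_common_reply [95]: Attr: 10, 29, 'username' 'user1@abc.com'
"""

# The claim name Azure Entra ID uses for group membership (from the article).
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Hypothetical SP-side user groups keyed to Azure object IDs: Test maps to one
# of the asserted GUIDs, Test2 to a constructed GUID the user is not a member of.
SP_GROUPS: Dict[str, str] = {
    "Test": "3805a821-cc15-4350-9677-33ecd7643041",
    "Test2": "ffffffff-0000-4000-8000-000000000002",
}

ATTR_RE = re.compile(r"Attr: \d+, \d+, '([^']*)' '([^']*)'")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_saml_attrs(debug_text: str) -> List[Tuple[str, str]]:
    """Extract (claim name, value) pairs from samld debug lines.
    Multi-valued claims such as groups appear once per value."""
    attrs: List[Tuple[str, str]] = []
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs.append((m.group(1), m.group(2)))
    return attrs


def values_for(attrs: List[Tuple[str, str]], name: str) -> List[str]:
    """All values asserted under an exact claim name (names are case-sensitive URIs)."""
    return [v for n, v in attrs if n == name]


def match_user_groups(attrs: List[Tuple[str, str]], sp_group_attr: str,
                      sp_groups: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Model the SP's matching: take the values of the claim the SP is configured
    to treat as 'group', then intersect them with the object IDs assigned to
    the SP's user groups. Returns (matched group names, asserted group IDs)."""
    asserted = values_for(attrs, sp_group_attr)
    matched = sorted(g for g, oid in sp_groups.items() if oid in asserted)
    return matched, asserted


def diagnose(attrs: List[Tuple[str, str]], sp_group_attr: str) -> Optional[List[str]]:
    """If the configured group attribute yields nothing (the 'No group info in
    SAML response' case), return the claim names the IdP did send whose values
    look like object IDs; the Group Name setting should be one of these."""
    if values_for(attrs, sp_group_attr):
        return None
    return sorted({n for n, v in attrs if GUID_RE.match(v)})


if __name__ == "__main__":
    attrs = parse_saml_attrs(SAML_DEBUG)
    for attr_name in ("groups", AZURE_GROUPS_CLAIM):  # wrong (hypothetical) then correct
        matched, asserted = match_user_groups(attrs, attr_name, SP_GROUPS)
        print(f"Group Name attribute {attr_name!r}: asserted={asserted} matched={matched}")
        candidates = diagnose(attrs, attr_name)
        if candidates:
            print("  no group values found; claims carrying GUID values:", candidates)
```

With the hypothetical short name 'groups' configured, no values are collected and the user falls through to the implicit deny, exactly as in the debug output; with the full Azure claim URI the three object IDs are collected and the user lands in Test. The comparison is an exact string match, so a trailing slash or a different namespace year in the URI is enough to break group mapping.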