Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
yashagoro
New Contributor

sslvpn_login_saml_group_mismatch

Hello,

we just solved a problem we had for weeks with our Fortigate / Azure SSO implementation and i thought maybe i can help someone save some time. 

We are running multiple fortigates for different companys. Since all those companys do use Office 365 we decided to let Microsoft handle the MFA for the SSLVPN login. We set it up and everything was running good besides one single user in one of our companys that wasnt able to login. He always received a error code -7200. We tried everything we could think of. Ressetting passwords, MFAs and even delete the hole SSL and SSO configuration on this fortigate. Alwasys the same error. No mater on which client this user tries to login the error stays the same.

Debugging and the logs in our analyzer showed the error message sslvpn_login_saml_group_mismatch so we double checked for errors in the configuration but we could not find some. 

Tonight my last thought was that maybe 117 Groups are to mutch for a saml response. Microsft states that they support up to 150.

I changed the setting in the microsoft entra id -> Application -> Enterprise application -> Fortigate SSL VPN -> Single Sign On (SSO).

You need to edit the attribute and claims. In the additional clains table, there is a group claim. The default how to setup says you need to choose all groups. I changed it to "the application asigned groups".

After that our user was able to login. So maybe if someone is in a similar situation were some of his users have way to many groups asigned this may help...

Since english is not my native language i had to translate a lot from german to english. Not sure e.g. if "the application asigned groups" is correct name for it. But i think you got the idear of what i meant.

1 Solution
johnathan
Staff
Staff

You might be hitting the scenario seen in this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-the-limitation-of-150-assert...

"Never trust a computer you can't throw out a window."

View solution in original post

1 REPLY 1
johnathan
Staff
Staff

You might be hitting the scenario seen in this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-the-limitation-of-150-assert...

"Never trust a computer you can't throw out a window."
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors