Hello,
we just solved a problem we had for weeks with our Fortigate / Azure SSO implementation and i thought maybe i can help someone save some time.
We are running multiple fortigates for different companys. Since all those companys do use Office 365 we decided to let Microsoft handle the MFA for the SSLVPN login. We set it up and everything was running good besides one single user in one of our companys that wasnt able to login. He always received a error code -7200. We tried everything we could think of. Ressetting passwords, MFAs and even delete the hole SSL and SSO configuration on this fortigate. Alwasys the same error. No mater on which client this user tries to login the error stays the same.
Debugging and the logs in our analyzer showed the error message sslvpn_login_saml_group_mismatch so we double checked for errors in the configuration but we could not find some.
Tonight my last thought was that maybe 117 Groups are to mutch for a saml response. Microsft states that they support up to 150.
I changed the setting in the microsoft entra id -> Application -> Enterprise application -> Fortigate SSL VPN -> Single Sign On (SSO).
You need to edit the attribute and claims. In the additional clains table, there is a group claim. The default how to setup says you need to choose all groups. I changed it to "the application asigned groups".
After that our user was able to login. So maybe if someone is in a similar situation were some of his users have way to many groups asigned this may help...
Since english is not my native language i had to translate a lot from german to english. Not sure e.g. if "the application asigned groups" is correct name for it. But i think you got the idear of what i meant.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You might be hitting the scenario seen in this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-the-limitation-of-150-assert...
You might be hitting the scenario seen in this document: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-the-limitation-of-150-assert...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1095 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.