FortiGate
CarlosColombini
Article Id 286185
Description

This article describes a possible cause of ZTNA access proxy or firewall policies failing to match when the SAML authentication method is used.
The issue is most likely to be triggered when FortiAuthenticator is configured as the SAML IdP.

Consider a scenario where SAML authentication for ZTNA access proxy rules is configured as per the example in the document linked below:
ZTNA application gateway with SAML and MFA using FortiAuthenticator example

Policies may fail to match when specific group attributes are configured on the user group object applied to the ZTNA policies.
Authentication completes successfully, but the session does not match the ZTNA policy because the user is not matched to the user group assigned to that policy.

From the debug output of the SAML daemon (samld) on FortiGate, or from the output of a SAML tracer tool, it is possible to confirm that the group attribute is correctly sent by the IdP. However, the proxy service (WAD) on FortiGate fails to read one of the SAML group values passed by the SAML daemon, which causes the policy mismatch.

The trigger for this issue is the expected group value being received as the first attribute in the SAML assertion sent by the IdP: WAD parses it but skips it when building the user's group membership.

This can be identified by collecting the proxy service (WAD) debugs, for example:


diagnose wad debug enable all
diagnose debug enable


The user group is configured as below, expecting the group attribute value 'CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab':


config user group
    edit "SAML_FAC_ZTNA"
        set member "fac-saml-access-proxy"
        config match
            edit 1
                set server-name "fac-saml-access-proxy"
                set group-name "CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab"
            next
        end
    next
end


In the SAML daemon (samld) debug output, the group attribute is sent by FortiAuthenticator, and the expected group is the first group value in the list:


samld_send_common_reply [122]: Attr: 17, 129, sXYusD2zxdFj-J_fC7_jVxDxuAgQqvpLTrHjSQLm8UAX-rlEDKf4SgGq5AkPqvUdW_OvEEy_9FdcqvNDEa7kVF6t-FUXovJKEO3nSBG_qhRQ864BF6fkGlLLlyc=
samld_send_common_reply [122]: Attr: 18, 25, 2023-03-01T20:01:57Z
samld_send_common_reply [118]: Attr: 10, 64, 'group' 'CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 58, 'group' 'CN=Administrators,CN=Builtin,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 80, 'group' 'CN=Denied RODC Password Replication Group,CN=Users,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 55, 'group' 'CN=Domain Admins,CN=Users,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 53, 'group' 'CN=Escalations,CN=Users,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 61, 'group' 'CN=Trimble-Escalations,CN=Users,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 56, 'group' 'CN=Trimble-Level2,CN=Users,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 56, 'group' 'CN=Trimble-Level1,CN=Users,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 49, 'group' 'CN=Users,CN=Builtin,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 54, 'group' 'CN=Domain Users,CN=Users,DC=colombas,DC=lab'
samld_send_common_reply [118]: Attr: 10, 20, 'username' 'carlos'


The proxy service (WAD) parses all of the SAML attributes and appends each value to its group information:


[V]2023-03-01 10:56:28.480814 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480819 [p:6542] hauth_saml_grpinfo_append :1230 Realloc grp inform size to 8192
[I]2023-03-01 10:56:28.480820 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480821 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Administrators,CN=Builtin,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480822 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Administrators,CN=Builtin,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480823 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Denied RODC Password Replication Group,CN=Users,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480824 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Denied RODC Password Replication Group,CN=Users,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480825 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Domain Admins,CN=Users,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480826 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Domain Admins,CN=Users,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480827 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Escalations,CN=Users,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480828 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Escalations,CN=Users,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480828 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Trimble-Escalations,CN=Users,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480831 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Trimble-Escalations,CN=Users,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480831 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Trimble-Level2,CN=Users,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480832 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Trimble-Level2,CN=Users,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480832 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Trimble-Level1,CN=Users,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480833 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Trimble-Level1,CN=Users,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480834 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Users,CN=Builtin,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480834 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Users,CN=Builtin,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480835 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Domain Users,CN=Users,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480835 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Domain Users,CN=Users,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480836 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'username' = 'carlos'
[I]2023-03-01 10:56:28.480836 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'carlos'


However, the first value parsed is skipped: it is not included when hauth_saml_make_ms_from_grpinfo builds the user's group membership. Note that 'CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab' is absent from the list below, while every other appended value is present:


[V]2023-03-01 10:56:28.480841 [p:6542] hauth_saml_activate_saml_user :1009 Activate user 'carlos' ses/vd: 0x7fd2e5dbe9b8/0x7fd2e5a48010
[V]2023-03-01 10:56:28.480843 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Administrators,CN=Builtin,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480844 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Denied RODC Password Replication Group,CN=Users,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480845 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Domain Admins,CN=Users,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480846 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Escalations,CN=Users,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480847 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Trimble-Escalations,CN=Users,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480848 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Trimble-Level2,CN=Users,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480849 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Trimble-Level1,CN=Users,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480850 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Users,CN=Builtin,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480851 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Domain Users,CN=Users,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480852 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=carlos
[I]2023-03-01 10:56:28.480857 [p:6542] wad_http_auth_update_user_ext2 :2813 updating user. ip: 192.168.101.71, type:IP ms:11
[I]2023-03-01 10:56:28.480861 [p:6542] wad_auth_inc_user_count :1684 increased user count, quota:128000, n_shared_user:1, vd_used: 1, vd_max: 0, vd_gurantee: 0
[V]2023-03-01 10:56:28.480865 [p:6542] __wad_hauth_user_node_hold :2173 wad_hauth_user_node_alloc (1586): holding node 0x7fd2e7278b70
[V]2023-03-01 10:56:28.480867 [p:6542] __wad_hauth_user_node_hold :2173 wad_http_auth_use_user_node (2743): holding node 0x7fd2e7278b70
[V]2023-03-01 10:56:28.480868 [p:6542] __wad_hauth_user_node_put :2184 wad_http_auth_use_user_node (2744): putting node(ref=1) 0x7fd2e7278b70
mapping user_node:0x7fd2e7278b70, user_ip:0x7fd2e6fc0688(0), user:0x7fd2e5be89e8(0)
[V]2023-03-01 10:56:28.480869 [p:6542] __wad_hauth_user_node_hold :2173 wad_http_auth_update_user_ext2 (3047): holding node 0x7fd2e7278b70
[V]2023-03-01 10:56:28.480871 [p:6542] hauth_saml_activate_saml_user :1043 Update authenticated SAML user 'carlos' cfg 'fac-saml-access-proxy' Success
[V]2023-03-01 10:56:28.480876 [p:6542] wad_inform_msg_hdr_get :711 msg=ReqAdd code=OK seq=1
[V]2023-03-01 10:56:28.480880 [p:6542] wad_hauth_usernum_report_run :1615 vf_id=0, used=1
[V]2023-03-01 10:56:28.480881 [p:6542] wad_inform_msg_hdr_get :711 msg=ReqReport code=OK seq=0

 

Consequently, the user 'carlos' is not matched as a member of the group 'SAML_FAC_ZTNA':


[I]2023-03-01 10:56:28.481481 [p:6542][s:83401][r:33554436] wad_inform_req_user_add_notify :793 Reponse Add-User from informer: succ auth_req=0x7fd2e6885b38
[W]2023-03-01 10:56:28.481485 [p:6542][s:83401][r:33554436] wad_user_add_notify :188 auth-st=7 add-auth-st=1
[I]2023-03-01 10:56:28.481489 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(ADFS-Escalations-SAML): id=44 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481493 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Admins-Escalations): id=14 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481496 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Admins-L1): id=12 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481499 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Admins-L2): id=13 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481560 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(CP-L1): id=1 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481564 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(DUO-Admins-LDAP-Level2): id=30 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481566 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(DUO-Admins-LDAP-Level3): id=31 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481568 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(DUO-Admins-Radius): id=29 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481571 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(DUO-SSLVPN): id=36 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481572 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Escalations-LDAP-DC1): id=22 type=firewall member_sz=2; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481660 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Escalations-Radius-DC1): id=28 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481665 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Escalations_FAC_Okta_Proxy): id=39 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481668 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Full-Tunnel-Escalations): id=46 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481673 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Group-from-DC1): id=40 type=firewall member_sz=2; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481697 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Group-from-DC3): id=41 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481702 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Host-Check-Local-Group): id=18 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481703 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Inspection): id=48 type=firewall member_sz=2; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481705 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(L2-FAC-Radius): id=2 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481707 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Level2-LDAP-DC1): id=23 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481710 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Nested-Admins-LDAP): id=15 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481713 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Radius-DC1-Escalations): id=45 type=firewall member_sz=2; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481716 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-ADFS-Escalations-VPN): id=32 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481719 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-AZURE-Development-Firewall-ip6): id=37 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481720 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-AZURE-Escalations-EP): id=35 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481722 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-AZURE-Escalations-Firewall): id=47 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481724 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-AZURE-Escalations-TP): id=16 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481725 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-AZURE-Escalations-VPN): id=11 type=firewall member_sz=2; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481727 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-AZURE-Level2-Firewall): id=34 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481729 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-AZURE-Level2-TP): id=17 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481733 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-AZURE-Level2-VPN): id=33 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481736 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-AZURE-Sales-Firewall-ip6): id=38 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481741 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-GCP-Development-VPN): id=9 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481746 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-GCP-Escalations-Firewall): id=24 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481751 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-GCP-IT-VPN): id=8 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481755 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-GCP-Staff-VPN): id=26 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481758 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-GCP-Student-Firewall): id=25 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481760 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-GCP-Student-VPN): id=27 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481763 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-OKTA-Employees): id=20 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481766 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML-OKTA-WinRDP): id=19 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481770 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SAML_FAC_ZTNA): id=49 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481775 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SSLVPN-Escalations-Radius): id=5 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481779 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SSL_VPN_L1-Radius): id=3 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481781 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SSL_VPN_L2-Radius): id=4 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481783 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(TACACS-ADMINS): id=6 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481786 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(VPNU): id=10 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481789 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(ZTNA-SAML-Escalations-Azure): id=42 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481792 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(pki-test): id=43 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481794 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Trusted-CA-FAC): id=16777217 type=firewall member_sz=1; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481798 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(Retail): id=7 type=guest management member_sz=0; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481801 [p:6542][s:83401][r:33554436] wad_auth_membership_match :1234 grp(SSO_Guest_Users): id=16777215 type=guest member_sz=0; user(carlos): type=firewall ms=0x7fd2e5d7bc48 ms-type=1 member_sz=11
[I]2023-03-01 10:56:28.481830 [p:6542][s:83401][r:33554436] _wad_usr_add_auth_logon :456 add user/srv: carlos/fac-saml-access-proxy with macaddr=00:00:00:00:00:00


Finally, the request does not match any ZTNA policy and is denied (POLICY DENIED, 'failed to match a proxy-policy'):


[V]2023-03-01 10:56:28.798922 [p:6542][s:83409][r:33554437] wad_http_req_check_policy :12049 start match policy vd=0(ses_ctx:ct|Pv|M|H|C|A1|O) (192.168.101.71:49784@3->172.16.1.13:3389@7) absUrl=0
[V]2023-03-01 10:56:28.798938 [p:6542][s:83409][r:33554437] wad_vwl_has_intf :355 logic/phyical if_idx(3/3),fw_intf=virtual-wan-link,matched=1
[V]2023-03-01 10:56:28.798943 [p:6542][s:83409][r:33554437] wad_fw_addr_match_ap :1114 matching ap:TCP-Forwarding(14) with vip addr:TCP-Forwarding(14)
[I]2023-03-01 10:56:28.798949 [p:6542][s:83409][r:33554437] wad_http_policy_match_one :352 fw_pol_id=3(pol_ctx:th|Ad|7|=p) pflag:H|W|U|A asyn_info=1
[I]2023-03-01 10:56:28.798954 [p:6542][s:83409][r:33554437] wad_auth_rule_match :1317 match auth rule succ: FAC-SAML-Access-Proxy
[I]2023-03-01 10:56:28.798973 [p:6542][s:83409][r:33554437] wad_http_req_get_user :11620 process=6542 auth-rule=FAC-SAML-Access-Proxy user=/0/0 ip-based/auth-cookie/transact=1/0/0 tp_proxy_auth=1 auth_req=(nil) auth_line=(nil)
[I]2023-03-01 10:56:28.798980 [p:6542][s:83409][r:33554437] wad_hauth_find_user_node_ip_based :2364 auth find ip succ.
[I]2023-03-01 10:56:28.798982 [p:6542][s:83409][r:33554437] wad_http_authz_line_remove :999 req/user/active/scheme/rem: 0x7fd2e5f0b608/carlos/1/null/0
[V]2023-03-01 10:56:28.798988 [p:6542][s:83409][r:33554437] __wad_hauth_user_node_hold :2173 wad_user_node_stats_hold (495): holding node 0x7fd2e7278b70
[V]2023-03-01 10:56:28.798990 [p:6542][s:83409][r:33554437] __wad_hauth_user_node_hold :2173 wad_http_session_upd_user_node (7559): holding node 0x7fd2e7278b70
[V]2023-03-01 10:56:28.798993 [p:6542][s:83409][r:33554437] __wad_hauth_user_node_hold :2173 wad_auth_upd_usr_info (3096): holding node 0x7fd2e7278b70
[V]2023-03-01 10:56:28.798995 [p:6542][s:83409][r:33554437] __wad_hauth_user_node_hold :2173 wad_http_req_get_user (11785): holding node 0x7fd2e7278b70
[I]2023-03-01 10:56:28.798999 [p:6542][s:83409][r:33554437] __wad_fw_policy_match_user :4247 matched cached grp:NA
[I]2023-03-01 10:56:28.799003 [p:6542][s:83409][r:33554437] wad_fw_policy_async_match :5889 pol_ctx:th|Ad|7|=d
[I]2023-03-01 10:56:28.799008 [p:6542][s:83409][r:33554437] wad_http_req_policy_set :10548 match policy-id=0(pol_ctx:th|Ad|7|=d) vd=0(ses_ctx:ct|Pv|Me|H|C|A1|O) (192.168.101.71:49784@3 -> 172.16.1.13:3389@7)
[V]2023-03-01 10:56:28.799013 [p:6542][s:83409][r:33554437] wad_https_ap_pol_info_get :10360 policy info created, req=0x7fd2e5f0b608, ses_ctx=0x7fd2e5dbfa48, info=0x7fd2e60fa938
[V]2023-03-01 10:56:28.799016 [p:6542][s:83409][r:33554437] __wad_hauth_user_node_put :2184 wad_fw_pol_async_ctx_close (5069): putting node(ref=8) 0x7fd2e7278b70
[I]2023-03-01 10:56:28.799025 [p:6542][s:83409][r:33554437] wad_http_req_proc_policy :10122 ses_ctx:ct|Pvx|Me|H|C|A1|O conn_srv=0 fwd_srv=<nil>
[E]2023-03-01 10:56:28.799028 [p:6542][s:83409][r:33554437] wad_http_req_proc_policy :10145 POLICY DENIED
[I]2023-03-01 10:56:28.799030 [p:6542][s:83409][r:33554437] __wad_vs_log_policy_match_failure :146 4:TCP-Forwarding: Denied: failed to match a proxy-policy
[I]2023-03-01 10:56:28.799034 [p:6542][s:83409][r:33554437] __wad_log_etl :259 size:503 buf:0xc2e4657
[I]2023-03-01 10:56:28.799192 [p:6542][s:83409][r:33554437] __wad_http_build_replmsg_resp :705 Generating replacement message. Policy restriction! No policy matched! No end-point info found. Client certificate is provided. Timestamp: 1677696988 repmsg_id 74


In summary, the first group attribute value parsed by WAD is not used in hauth_saml_make_ms_from_grpinfo.
If the value expected by the user group is the first group value in the assertion, it is never matched by WAD, while the remaining group values are carried into the membership list as expected.
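The comparison above (values appended by hauth_saml_grpinfo_append versus values present in hauth_saml_make_ms_from_grpinfo) can be automated over a captured WAD debug file. The script below is an added example for this article, not FortiGate code; it assumes only the WAD log line formats shown above, and the embedded log text is a constructed, abbreviated version of the capture on this page.

```python
import re

# Constructed sample (an abbreviated version of the article's WAD debug output,
# not the full capture): three attribute values parsed and appended, but only
# two carried into hauth_saml_make_ms_from_grpinfo.
SAMPLE_WAD_DEBUG = """\
[V]2023-03-01 10:56:28.480814 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480820 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480821 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'group' = 'CN=Administrators,CN=Builtin,DC=colombas,DC=lab'
[I]2023-03-01 10:56:28.480822 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'CN=Administrators,CN=Builtin,DC=colombas,DC=lab'
[V]2023-03-01 10:56:28.480836 [p:6542] hauth_saml_grpinfo_parse :1248 SAML RESP: attr 'username' = 'carlos'
[I]2023-03-01 10:56:28.480836 [p:6542] hauth_saml_grpinfo_append :1235 Append group info: 'carlos'
[V]2023-03-01 10:56:28.480841 [p:6542] hauth_saml_activate_saml_user :1009 Activate user 'carlos' ses/vd: 0x7fd2e5dbe9b8/0x7fd2e5a48010
[V]2023-03-01 10:56:28.480843 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=CN=Administrators,CN=Builtin,DC=colombas,DC=lab
[V]2023-03-01 10:56:28.480852 [p:6542] hauth_saml_make_ms_from_grpinfo :958 server=fac-saml-access-proxy grp=carlos
"""

# Each regex matches the message part of one of the WAD log lines of interest.
PARSE_RE = re.compile(r"hauth_saml_grpinfo_parse :\d+ SAML RESP: attr '([^']*)' = '(.*)'$")
APPEND_RE = re.compile(r"hauth_saml_grpinfo_append :\d+ Append group info: '(.*)'$")
MAKE_MS_RE = re.compile(r"hauth_saml_make_ms_from_grpinfo :\d+ server=(\S+) grp=(.*)$")


def parse_wad_debug(text):
    """Return (parsed, appended, membership) lists in log order.

    parsed:     (attribute name, value) pairs from hauth_saml_grpinfo_parse
    appended:   values from hauth_saml_grpinfo_append
    membership: (server, group) pairs from hauth_saml_make_ms_from_grpinfo
    """
    parsed, appended, membership = [], [], []
    for line in text.splitlines():
        line = line.rstrip()
        if m := PARSE_RE.search(line):
            parsed.append((m.group(1), m.group(2)))
        elif m := APPEND_RE.search(line):
            appended.append(m.group(1))
        elif m := MAKE_MS_RE.search(line):
            membership.append((m.group(1), m.group(2)))
    return parsed, appended, membership


def find_dropped_groups(text):
    """Values appended as group info but missing from the membership WAD built."""
    _, appended, membership = parse_wad_debug(text)
    member_groups = {grp for _, grp in membership}
    return [v for v in appended if v not in member_groups]


def check_expected_group(text, expected_group, attr_name="group"):
    """Explain why a configured group-name match did or did not apply.

    Reports whether the IdP sent the value, its 1-based position among the
    parsed attribute values, and whether WAD kept it in the membership.
    """
    parsed, _, membership = parse_wad_debug(text)
    values = [v for _, v in parsed]
    sent = expected_group in values
    return {
        "sent": sent,
        "position": values.index(expected_group) + 1 if sent else None,
        "in_membership": any(grp == expected_group for _, grp in membership),
        "is_group_attr": any(n == attr_name and v == expected_group for n, v in parsed),
    }


if __name__ == "__main__":
    # Replace SAMPLE_WAD_DEBUG with the text of a real capture to triage a case.
    expected = "CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab"
    print("dropped by WAD:", find_dropped_groups(SAMPLE_WAD_DEBUG))
    print("expected group:", check_expected_group(SAMPLE_WAD_DEBUG, expected))
```

A result with "sent": True, "position": 1 and "in_membership": False is the signature of this issue; "sent": False instead points at the IdP configuration (the group was never in the assertion) rather than at WAD.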

 

Scope

FortiGate v7.0+, v7.2+, v7.4+, ZTNA Access Proxy, SAML.

Solution

This is a known issue registered under internal ticket 888814, which is resolved in FortiOS 7.0.13, 7.2.7, and 7.4.0. Upgrading to one of these releases or later is the recommended fix.
If a firmware upgrade is not possible, the workaround is to ensure that the first attribute sent in the SAML assertion is not a group attribute, for example by having the IdP send the username attribute before the group attributes, so that the value WAD skips is not one of the groups a policy depends on.
After changing the attribute order on the IdP, re-run the WAD debug above and confirm that every expected group DN appears in the hauth_saml_make_ms_from_grpinfo lines and that wad_auth_membership_match now matches the user to the configured group.
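To verify the workaround from the IdP side before touching the firewall, the attribute order in the assertion can be read directly from a SAML tracer capture. The script below is an added example for this article, not Fortinet code; it assumes the IdP names the group attribute 'group' as in the configuration above, and the embedded SAML response is a constructed, unsigned minimal sample (a real response also carries a Signature, Conditions and so on, which this check ignores).

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_TAG = f"{{{SAML_NS}}}Attribute"
VALUE_TAG = f"{{{SAML_NS}}}AttributeValue"

# Constructed sample: a minimal, unsigned SAML response whose attribute order
# mirrors the article's samld output (group values first, username last).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>carlos</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="group">
        <saml:AttributeValue>CN=Remote Desktop Users,CN=Builtin,DC=colombas,DC=lab</saml:AttributeValue>
        <saml:AttributeValue>CN=Administrators,CN=Builtin,DC=colombas,DC=lab</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="username">
        <saml:AttributeValue>carlos</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The same response as a SAML tracer shows it in the SAMLResponse form field: base64 of the XML.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def load_response(data):
    """Accept raw XML or the base64 SAMLResponse value and return the root element."""
    text = data.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode()
    return ET.fromstring(text)


def attribute_values(root):
    """Flatten every AttributeStatement into (name, value) pairs in document order.

    Handles both one Attribute with several AttributeValue children and repeated
    Attribute elements with the same Name; the order is the order the IdP emitted.
    """
    pairs = []
    for attr in root.iter(ATTR_TAG):
        name = attr.get("Name")
        for val in attr.findall(VALUE_TAG):
            pairs.append((name, (val.text or "").strip()))
    return pairs


def first_value_is_group(root, group_attr="group"):
    """True when the first attribute value in the assertion is a group value (the trigger condition)."""
    pairs = attribute_values(root)
    return bool(pairs) and pairs[0][0] == group_attr


def groups_at_risk(root, group_attr="group"):
    """Group values an affected FortiOS build would drop: only the very first value, if it is a group."""
    pairs = attribute_values(root)
    return [pairs[0][1]] if first_value_is_group(root, group_attr) else []


if __name__ == "__main__":
    # Paste the SAMLResponse value from a SAML tracer in place of SAMPLE_RESPONSE_B64
    # (URL-decode it first if the tracer shows it percent-encoded).
    resp = load_response(SAMPLE_RESPONSE_B64)
    for name, value in attribute_values(resp):
        print(f"{name:10s} {value}")
    print("affected order:", first_value_is_group(resp), "at risk:", groups_at_risk(resp))
```

An empty "at risk" list after the IdP change means the first value in the assertion is no longer a group, which is exactly the condition the workaround requires; the WAD debug check above then confirms that the firewall side agrees.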