This article describes how to fix two errors that may occur in SSL VPN configurations with SAML authentication for MFA on Azure Entra.
If the username or group claim is missing or mismatched on the Azure side, the FortiGate rejects the connection with one of the following errors:
- ‘No username info in SAML response’
- ‘No group info in SAML response’
Scope
FortiGate – SSL VPN – SSO – Azure Entra.
Solution
Step 1: Log in to Azure and open the Entra enterprise application for FortiGate.
Step 2: Select the ‘SSO’ option.
Step 3: Under the ‘Attributes & Claims’ section, make sure that the attribute ‘username’ is listed with claim ‘user.userprincipalname’.
Step 4: If this is missing, add a new claim by following these steps:
- Select the edit button on this section.
- Select ‘Add new claim’.
- Next to ‘Name’, enter ‘username’.
- Next to ‘Source attribute’, select ‘user.userprincipalname’ and then select ‘Save’.
Step 5: Do the same for the ‘groups’ claim if it is missing from the ‘Attributes & Claims’ section: the ‘Name’ must be ‘groups’ and the ‘Claim’ (source attribute) must be ‘user.groups’.
Step 6: Make sure these attribute names exactly match the names in the FortiGate ‘user saml’ configuration, including letter case.
Step 7: To view the SAML configuration in the FortiOS CLI (the ‘user-name’ and ‘group-name’ values are the attribute names the FortiGate looks for in the SAML response):
config user saml
    edit "Azure"
        set user-name "username"
        set group-name "groups"
        …
    next
end
Step 8: To troubleshoot SSL VPN and SAML, run the following debug commands:
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable