
How to troubleshoot the SSO 'Remote Role does not match with FPC role' error

This article describes how to troubleshoot the SSO 'Remote Role does not match with FPC role' error message, which FortiPortal returns when the role sent by the Identity Provider (IdP) in the SAML assertion does not correspond to any SSO Role/Profile configured in FortiPortal.

Sample error message:

FPC Role Error Message

Scope

FortiPortal v7.2 and above

Troubleshooting

Use a SAML-debugging browser extension (for example, SAML-tracer) to capture the SAML response sent to FortiPortal and inspect the attributes in its AttributeStatement:

FPC SSO Debug

Verify that the Identity Provider (IdP) is passing the correct Role attribute, with the expected value, to FortiPortal.
Verify that FortiPortal has a matching SSO Role/Profile configured: FortiPortal (Administrator) GUI > System > Settings > Authentication > Edit Remote Server > View SSO Profiles.

FPC SSO Role

Analyze the FortiPortal System Logs for verbose debug output: FortiPortal (Administrator) GUI > System > Settings > General > System Logs > Export.

FPC Export System Log

FPC Debug Log

In this example, the IdP is passing the SSO role 'sso_cust_read', but FortiPortal shows 'no matched role' in the debug logs.
This is because the FortiPortal SSO Role/Profile list does not contain 'sso_cust_read': the role name carried in the SAML attribute must correspond to an SSO profile name configured in FortiPortal, otherwise the login is rejected with the error above.
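The comparison the steps above perform by hand (decode the SAMLResponse, pull out the Role attribute, check it against the configured SSO profile names) can be scripted against a captured trace. The following is an added example, not FortiPortal code or part of the original article: the SAML response is a constructed, unsigned assertion, and the attribute name 'Role' and the configured profile names are assumptions standing in for a real deployment. It only diagnoses a mismatch; it does not validate the assertion's signature or conditions.

```python
"""Check whether the role an IdP sends in a SAML assertion matches a configured SSO profile.

Added example (not FortiPortal's own code). The SAMLResponse below is a constructed,
unsigned assertion; the attribute name 'Role' and the profile names are assumptions.
This is a diagnostic for a captured trace only: no signature or audience validation.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed assertion, as a SAML tracer shows it after base64 decoding.
SAML_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role">
        <saml:AttributeValue>sso_cust_read</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The HTTP POST parameter 'SAMLResponse' carries the XML above base64-encoded.
SAML_RESPONSE_B64 = base64.b64encode(SAML_RESPONSE_XML).decode()

# Assumed: the SSO profile names listed under View SSO Profiles before the fix.
CONFIGURED_SSO_PROFILES = {"sso_admin", "sso_cust_full"}


def decode_saml_response(saml_response_b64: str) -> ET.Element:
    """Decode the base64 SAMLResponse parameter and parse it into an XML root."""
    xml_bytes = base64.b64decode(saml_response_b64)
    return ET.fromstring(xml_bytes)


def extract_attribute(root: ET.Element, name: str) -> list:
    """Return every value of the named SAML attribute; empty list if it is absent."""
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text or "" for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def check_sso_role(saml_response_b64: str, attribute_name: str, configured_profiles: set) -> dict:
    """Reproduce the service-provider check: the remote role must equal a configured profile name.

    The match is exact (case and whitespace included), so a value that merely
    looks similar in the GUI still yields 'no matched role'.
    """
    root = decode_saml_response(saml_response_b64)
    remote_roles = extract_attribute(root, attribute_name)
    matched = next((r for r in remote_roles if r in configured_profiles), None)
    if not remote_roles:
        status = f"attribute '{attribute_name}' not present in assertion"
    elif matched is None:
        status = (f"no matched role: remote={remote_roles} "
                  f"configured={sorted(configured_profiles)}")
    else:
        status = "matched"
    return {"remote_roles": remote_roles, "matched": matched, "status": status}


if __name__ == "__main__":
    # Before the fix: the IdP sends sso_cust_read, FortiPortal has no such profile.
    print(check_sso_role(SAML_RESPONSE_B64, "Role", CONFIGURED_SSO_PROFILES))
    # After adding the profile, the same assertion matches.
    print(check_sso_role(SAML_RESPONSE_B64, "Role", CONFIGURED_SSO_PROFILES | {"sso_cust_read"}))
```

Paste the SAMLResponse value from the tracer into SAML_RESPONSE_B64 and the names from View SSO Profiles into CONFIGURED_SSO_PROFILES. Three outcomes map to the troubleshooting steps: the attribute is missing (fix the IdP attribute mapping), the attribute is present but no profile name equals it (the 'no matched role' case in the logs), or it matches. Because the comparison is exact, also look for case or trailing-whitespace differences when a name that appears to exist still fails.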

Solution

Create a new FortiPortal SSO Role/Profile named 'sso_cust_read', matching the value the IdP sends, and select Save. Alternatively, change the IdP to send the name of a profile that already exists. In either case, confirm that the permissions of the profile the user lands in are no broader than that user needs.

FPC Role Create

Once done, log in again with the SSO user and verify the result:

FPC Login Success