FortiClient Session Ended: Unable to connect to the NBCC VPN using FortiClient
Issue description:
When a user attempts to connect to the NBCC VPN using the FortiClient application, the tunnel is never established: FortiClient fails to authenticate through SAML SSO, and the external browser used for the sign-in displays a message stating "Session Ended".
Signs:
- FortiClient is unable to establish the VPN tunnel.
- The external browser (Microsoft Edge) displays a message stating "Session Ended".
- FortiClient continues showing the "Connecting to VPN" status indefinitely.
Conditions:
- User is a member of 150+ groups in Entra ID.
- Computer running Windows 10/11.
- FortiClient application is already installed and properly configured.
- Microsoft Edge is signed in to and synchronized with the user's NBCC account.
- User is already a member of the NBCC FortiClient group in Entra ID.
Attributed cause of the problem:
The user is a member of more than 150 groups in Microsoft Entra ID (formerly Azure Active Directory). 150 is the maximum number of group claims Entra ID will place in a single SAML token. When a user exceeds that limit, the token contains no group claims at all; instead it carries a group overage claim (groups.link) that points to Microsoft Graph. The FortiGate cannot follow that link, so it never sees the NBCC FortiClient group in the assertion, rejects the SAML login, and the external browser ends the session with "Session Ended".
The most common cause is nested groups, which count toward the limit, but a user may also be a legitimate direct member of more than 150 groups.
Basic troubleshooting steps:
At this time, the fix is to contact the Microsoft Entra ID admin, who will work with the user to remove group memberships that are no longer needed until the total (direct and nested) is below 150.
An alternative that avoids trimming memberships is to configure the group claim of the FortiGate enterprise application in Entra ID to emit only groups assigned to the application, or to filter the claim to the NBCC FortiClient group; this is a change to the application registration and also requires the Entra ID admin.
Once the user's group count is below the limit, Entra ID includes the group claims in the SAML token again, FortiClient completes SSO through the external browser (Microsoft Edge), and the VPN tunnel is established without further issues.
Support Contact:
Karthik Sugumar - Senior Technical Analyst (Microsoft Entra ID admin)
Additional resources:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-the-limitation-of-150-assertions/ta-p/262732