Troubleshooting Tip: FortiClient prompted to select a certificate even when SAML SSL VPN tunnel is not configured for certificate authentication

Set up a regular SAML SSL VPN tunnel: Configuring SAML SSO login for SSL VPN with Entra ID acting as SAML IdP

When a user tries to connect to the SSL VPN, FortiClient prompts to select a certificate before directing to the SAML login page.

This issue may happen in the Technical Tip: Implementing device-based Conditional Access policy on Microsoft Azure for FortiClient SSL VPN users scenario as well.
Note: The User can either select 'OK' or 'CANCEL', or close the window to proceed with the VPN connection, just that this prompt may confuse the user.

Verification steps on the issue:

Perform checks below on the FortiGate side to ensure:

• No auth-cert is configured in the portal.
• 'reqclientcert' in the config vpn ssl settings is already disabled.
• SAML (Microsoft Entra ID) is the sole authentication method.
• No client certificates are provisioned or intended for use.
• No PKI users are added to the user group.

If the above have been checked and verified, then the only root cause left is that the SSL certificate used by the VPN gateway has 'TLS Web Client Authentication' as EKU (Extended Key Usage).

In a web browser, browse to the SSL VPN gateway, view the SSL certificate, and check on the EKU (Extended Key Usage) information:

• TLS Web Server Authentication.
• TLS Web Client Authentication. <-----

Despite no configuration requiring client certificates, this EKU alone triggers the FortiClient prompt.

Solution:

Check if the FortiGate SSLVPN certificate has changed recently (especially if it is renewed by ACME (Automatically provision a certificate).

1. If the cert is generated by ACME, it will have 'TLS Web Client Authentication', then this behavior is expected.
2. Replace the SSL certificate with another certificate that has only 'TLS Web Server Authentication', and without 'TLS Web Client Authentication'.