Staff & Editor

Troubleshooting Tip: Getting '403 Forbidden error' message when trying to connect to SAML IPsec VPN with DUO MFA

Forum|Forum|1 year ago
November 11, 2024
0 replies
4794 views

Description

This article describes how to resolve the '403 Forbidden error' when trying to connect to the SAML IPsec VPN with DUO MFA.

Scope

FortiClient v7.2.9, v7.2.10, v7.4.0 and above.

Solution

When connecting to a SAML IPsec VPN with DUO MFA, after inputting SAML username + password + DUO MFA, FortiClient Windows shows '403 Forbidden error' and is unable to proceed:

With FortiClient EMS subscription:

This is due to incorrect (after logon SAML authentication framework) settings.

In FortiClient EMS, go to Endpoint Profile -> Remote Access -> (select profile) -> Edit -> After Logon SAML Authentication Framework -> Microsoft Edge Webview 2 -> Save.

Wait for a minute for the endpoint to sync the profile.
In the endpoint FortiClient, go to Settings -> Advanced -> Clear Cookies.

Reattempt to connect to the SAML IPSec VPN. It should be successful. Otherwise, double-check the DUO application settings, as there may be a mismatch in the IdP configuration that needs to be corrected, or it may be necessary to create another application for the connection.

Note: Without a FortiClient EMS subscription, enabling the 'Use external browser as user-agent for SAML user authentication' option also resolves this error. If the issue is on v7.2.9 or v7.2.10, the solution is to upgrade to v7.4 to use the external browser option.

Dial-up IPsec VPN with SAML using an external browser for authentication is supported starting from FortiOS v7.6.1, FortiClient (Windows) and (macOS) v7.2.5 and v7.4.1, and FortiClient (Linux) v7.4.3. If the FortiOS version is below this version, disable the 'Use external browser as user-agent for SAML user authentication' option in the FortiClient.

Note: SAML authentication for Fortinet FortiGate requires FortiOS version 7.6.3 or later.

Related articles: