CarlosColombini
Staff & Editor
May 6, 2022

Technical Tip: FortiClient Caching SSL VPN SAML Authentication

Description

 

This article describes why FortiClient does not prompt for credentials again after the first successful SSL VPN login with the SAML method. It also lists the available workarounds and the planned permanent fix.

 

Scope

 

FortiGate, FortiClient, or Web Browser with SAML Authentication.

 

Solution

 

Once the SP (here the FortiGate) redirects a user to the IdP, the IdP is responsible for authenticating the user. After a successful login the IdP sets a session cookie in the browser that performed the login; on later SP-initiated logins the IdP finds that cookie, treats the user as already authenticated and returns a fresh assertion to the SP without prompting again.

With FortiClient the login takes place in its embedded browser, and that browser keeps the IdP session cookie on disk. After the first login, subsequent SSL VPN connection attempts therefore complete without a password prompt and, if configured, without MFA, for as long as the IdP session remains valid. Note that FortiClient does not store the user's credentials: what is cached is the IdP session, so anyone who can start the VPN connection from that Windows user session (for example on an unlocked workstation) inherits it.

This is the current behaviour of FortiClient; the 'Save login' option has no effect on the SAML authentication method.

Workaround Options:

  1. For Windows clients, delete the 'Cookies' file as described in the KB article Technical Tip: Disabling auto caching on VPN login using SAML.
  2. Shut down FortiClient and relaunch it. Note that shutting down FortiClient may be disabled when it is connected to EMS (Telemetry).
  3. If web mode is used, perform the login from a 'Private Window' (Firefox), 'InPrivate Window' (Microsoft Edge), or 'Incognito' window (Google Chrome), so that the IdP session cookie is discarded when the window is closed.
  4. If FortiClient is managed by FortiClient EMS, use the On Disconnect script described below to delete the cookie store each time the tunnel is disconnected.

 

From the EMS Server, edit the desired SSL VPN tunnel in the 'Remote Access' profile and add this line to its 'On Disconnect' script:

del /s C:\users\%username%\AppData\Local\FortiClient\Network\cookies

Or, if the cookie store is located under the Roaming profile instead of Local:

del /s /q C:\users\%username%\AppData\Roaming\FortiClient\Network\*.*

Which of the two locations exists depends on the FortiClient version; check the client before deploying the script.
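As an added example (not the article's own script and not Fortinet code), the following batch script does the same clean-up with the checks an administrator would want before relying on it: it tests both locations the article names, since which one exists depends on the FortiClient version, and it records the outcome to a log so that a failed deletion (typically the cookie database still being locked by FortiClient) is visible rather than silently leaving the IdP session in place. Like the article's %username% command, it assumes the On Disconnect script runs in the logged-on user's context; the log file under %TEMP% is an assumption.

```batch
@echo off
rem Added example, not from the Fortinet article: EMS "On Disconnect" script that removes the
rem FortiClient embedded-browser cookie store so the next SSL VPN login has to re-authenticate
rem (password and, if configured, MFA) at the IdP instead of reusing the cached IdP session.
rem Assumes it runs in the logged-on user's context (as the article's %username% line does).
setlocal

rem The two locations named in the article; which one exists depends on the FortiClient version.
set "LOCAL_STORE=%LOCALAPPDATA%\FortiClient\Network\cookies"
set "ROAMING_STORE=%APPDATA%\FortiClient\Network"
rem Assumed log location, so a failed deletion (cookie DB still locked) does not go unnoticed.
set "LOG=%TEMP%\forticlient-cookie-wipe.log"

>>"%LOG%" echo %DATE% %TIME% VPN disconnected, clearing embedded-browser cookies

rem Local-profile variant: a single cookie file.
if exist "%LOCAL_STORE%" (
    del /f /q "%LOCAL_STORE%" >>"%LOG%" 2>&1
    if exist "%LOCAL_STORE%" (
        >>"%LOG%" echo   FAILED: "%LOCAL_STORE%" still present, file locked?
    ) else (
        >>"%LOG%" echo   removed "%LOCAL_STORE%"
    )
) else (
    >>"%LOG%" echo   not present: "%LOCAL_STORE%"
)

rem Roaming-profile variant: wipe the folder contents but keep the folder itself.
if exist "%ROAMING_STORE%\" (
    del /f /q /s "%ROAMING_STORE%\*.*" >>"%LOG%" 2>&1
    >>"%LOG%" echo   cleared "%ROAMING_STORE%"
) else (
    >>"%LOG%" echo   not present: "%ROAMING_STORE%"
)

endlocal
```

Because the script only runs when the tunnel is disconnected cleanly, a crash or reboot with the VPN still up leaves the cookie store in place until the next disconnect. Check the log after the first few disconnects to confirm that the deletion actually succeeds on the FortiClient version in use.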



 

A permanent fix is being discussed with Development and is planned for future releases of FortiClient 6.4, 7.0 and 7.2: a global 'Save login' option that also covers the SAML authentication method.

Related documents:
Configuring SAML SSO in the GUI

Technical Tip: How to fix crashing SAML daemon

Technical Tip: How to read SAML Debug output

Technical Tip: A basic explanation of SAML authentication

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Entra ID acting as SAML IdP

Technical Tip: Configuring SAML SSO login for FortiGate Admin Web GUI Access with JumpCloud acting as SAML IdP

Technical Tip: Configuring SAML SSO login for FortiGate administrators with Okta acting as SAML IdP

Configuring single-sign-on in the Security Fabric

Technical Tip: Configuring SAML on FortiGate displays the error 'Cannot change this setting in SP when Security Fabric is enabled'

Technical Tip: Set up SAML admin LDAP login on FortiGate (SP) with FortiAuthenticator (IDP)

Technical Tip: Configuring FortiGate SSO Administrators with ADFS as SAML IdP

Technical Tip: Using single Azure Enterprise Application for multiple SAML Service Providers (SPs) for Administrator login

Troubleshooting Tip: Admin authentication with SAML SSO breaks after upgrade to firmware 7.4.1

Technical Tip: Configure SAML SSO for WiFi SSID over Captive Portal with Azure AD as IdP
