damianhlozano
Explorer II
March 30, 2026
Solved

Active authentication using SAML

  • March 30, 2026
  • 4 replies
  • 214 views

Hello team!!!

 

Some time ago I asked some questions here about FGT-Entra ID synchronization using SAML.

Now finally I could make it work with Fortinet Support.

Just 1 question about this:

When will the user be prompted to enter credentials again?

 

I tried restarting the client OS and the credentials were not asked for; they were only asked for the first time I tried to navigate.

 

Thanks in advance.

Regards,

Damián

 

 

I just tes

 

Best answer by Jean-Philippe_P


4 replies

Jean-Philippe_P
Staff & Editor
April 2, 2026

Hello Damian :) 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
April 3, 2026

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
April 7, 2026

Hello Damian :)

 

I found this solution, can you tell us if it helps, please?

 

When using SAML authentication, the behavior you are experiencing is due to the caching of login credentials by the browser cookies. This is a common scenario where, after the first successful login, subsequent login attempts do not prompt for credentials again. Here’s a detailed explanation and some workarounds:

 

Why are credentials not prompted again

Cookie Caching: After the first login, the SAML login credentials are cached by the embedded browser cookies. This means that even if you restart the client OS, the credentials are still stored in the browser's cookies, allowing automatic login without prompting for credentials again.

 

Workarounds to Prompt for Credentials Again

  1. Delete Cookies: For Windows clients, you can manually delete the 'Cookies' file. Refer to this Technical Tip for detailed instructions on how to disable auto-caching on VPN login using SAML.

  2. Use Private Browsing Mode: If you are using a web browser, perform the login from a 'Private Window' (Firefox), 'InPrivate Window' (Microsoft Edge), or 'Incognito' (Google Chrome). This mode does not save cookies, so you will be prompted for credentials each time.

  3. FortiClient EMS Management: If FortiClient is managed by FortiClient EMS, you can leverage the On-Disconnect script to delete cookies. This involves editing the SSL VPN tunnel from a 'Remote Access' profile on the EMS Server and adding a script to delete cookies.

 

Future Solutions: A permanent fix is being discussed for future releases of FortiClient versions 6.4, 7.0, and 7.2. This fix aims to include a global option for 'Save login' that will encompass the SAML authentication method.

 

Follow-ups and Clarification Questions

  • Are you using a specific browser or FortiClient version that might have additional settings affecting this behavior?
  • Is your FortiClient managed by FortiClient EMS, and do you have access to configure On-Disconnect scripts?
  • Would you like more detailed instructions on any of the workarounds mentioned above?
Jean-Philippe - Fortinet Community Team
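
The reply above attributes the missing prompt to cookies that outlive the browser session. The following is an added example, not part of the original reply and not Fortinet or Microsoft code, that classifies `Set-Cookie` headers from a login flow as session or persistent; the cookie names, values and dates are constructed.

```javascript
// Added example: which cookies from a login response survive a browser/OS restart?
// A cookie with no Max-Age/Expires is a session cookie (normally discarded when the
// browser closes); one with a future expiry is written to disk and keeps the user
// signed in. Private windows discard both kinds when the window is closed.
function parseSetCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = parseInt(value, 10);
    if (key === "expires" && !Number.isNaN(Date.parse(value))) expires = new Date(value);
  }
  // RFC 6265: Max-Age takes precedence over Expires.
  let expiry = null;
  if (maxAge !== null) expiry = new Date(now.getTime() + maxAge * 1000);
  else if (expires !== null) expiry = expires;
  const persistent = expiry !== null && expiry > now;
  return { name, persistent, expiry: persistent ? expiry.toISOString() : null };
}

// Names of the cookies that would still be present after a restart.
function survivesRestart(headers, now = new Date()) {
  return headers
    .map((h) => parseSetCookie(h, now))
    .filter((c) => c.persistent)
    .map((c) => c.name);
}

// Constructed sample headers (hypothetical names, not real IdP or FortiGate cookies).
const NOW = new Date("2026-04-07T12:00:00Z");
const SAMPLE_HEADERS = [
  "idp_session=abc123; Path=/; Secure; HttpOnly",
  "idp_keep_signed_in=def456; Max-Age=7776000; Path=/; Secure; HttpOnly",
  "portal_auth=ghi789; Expires=Wed, 08 Apr 2026 12:00:00 GMT; Secure",
  "old_token=x; Max-Age=0; Path=/",
];
console.log(survivesRestart(SAMPLE_HEADERS, NOW));
```
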
damianhlozano
Explorer II
April 7, 2026

Thank you Jean-Philippe_P!

In this case, I need to synchronize with AD to use these users in different policies.

I used MS Edge, but we can use different browsers.

Clients do not have FortiClient in this place.

 

I think I prefer to deauthenticate users directly on FortiGate instead of deleting cookies, but thanks for your answer. I appreciate this a lot!!!

 

Regards,

Damián

Jean-Philippe_P
Staff & Editor
April 7, 2026

Glad that it could help! :)

Jean-Philippe - Fortinet Community Team