rafalm
Visitor III
March 27, 2025
Question

FortiAuthenticator forceAuthn SAML parameter


Recently, I have configured FAC to act as an IdP proxy for Azure for a gate SSL VPN. The primary objective is to use EntraID and EntraID MFA for all company users. In my lab environment, it works pretty well, but on the production endpoint (i.e., with enterprise-enrolled endpoints), it doesn't ask for MFA. It seems to be related to AzureAD PRT and appears to be an issue with Azure rather than a FAC problem.

However, I found that it is possible to send the forceAuthn=true attribute in the SAML request. I cannot find how to obtain it in FAC.

Has anyone already faced the same problem? Did anyone solve it?

 

Thx

4 replies

Anthony_E
Staff
March 31, 2025

Hello Rafal,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
April 2, 2025

Hello Rafal,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Best Regards
Anthony_E
Staff
April 7, 2025

Hello Rafal,

 

May I invite you to open a ticket with our support? https://support.fortinet.com/welcome/#/

 

Thanks a lot in advance.

 

Regards,

Best Regards
rafalm
Author
Visitor III
September 12, 2025

Just a quick update.

At last I have solved this issue by using the integrated FortiClient browser.

I have also found some interesting ways in Azure Conditional Access for this application. I'm able to check the FortiClient request and force MFA again. Btw, it requires Conditional Access configuration, and the problem does not lie in FAC.

Maybe it will be a great suggestion for the Fortinet R&D team to add the ForceAuthn attribute to the SAML configuration.
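
Added example, not part of the thread and not Fortinet or Microsoft code: a way to confirm whether a captured AuthnRequest actually carries the ForceAuthn attribute discussed above. It assumes the request travels over the SAML HTTP-Redirect binding (base64 of raw DEFLATE in the `SAMLRequest` query parameter); the `idp.example.test` host, the request ID and the `build_sample_url` helper are constructed for the demonstration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 64 * 1024  # cap on inflated size; guards against oversized input


def decode_redirect_request(url):
    """Extract the AuthnRequest XML from an HTTP-Redirect binding URL."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        raise ValueError("URL carries no SAMLRequest parameter")
    raw = base64.b64decode(params["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)  # raw DEFLATE, no zlib header
    xml_bytes = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated request exceeds size cap")
    return xml_bytes.decode("utf-8")


def force_authn_requested(xml_text):
    """True only if the AuthnRequest sets ForceAuthn to true."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    # ForceAuthn is an xs:boolean; when absent it defaults to false.
    return root.get("ForceAuthn", "false").strip() in ("true", "1")


def build_sample_url(force_authn):
    """Constructed sample: hypothetical SP/IdP names, not real traffic."""
    attr = ' ForceAuthn="true"' if force_authn else ""
    xml_text = (
        '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed1" '
        'Version="2.0" IssueInstant="2025-01-01T00:00:00Z"%s '
        'Destination="https://idp.example.test/saml/sso"/>' % (SAMLP_NS, attr)
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(xml_text.encode("utf-8")) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii")})
    return "https://idp.example.test/saml/sso?" + query


if __name__ == "__main__":
    for flag in (False, True):
        xml_text = decode_redirect_request(build_sample_url(flag))
        print("ForceAuthn requested:", force_authn_requested(xml_text))
```

To check a real deployment, pass the redirect URL copied from the browser's network trace to `decode_redirect_request` instead of the constructed sample.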