dankalmick
New Member
February 6, 2025
Solved

Forticlient 7.2.8 IPSec Clear SAML cache/cookies (Entra/Azure)

  • February 6, 2025
  • 4 replies
  • 4611 views

We just had to revert to FortiClient VPN (free) 7.2.8 for IPSec with SAML, and we're running into an issue with the inline web browser staying logged into the wrong Entra account (we support multiple clients). I can't find a way to clear the cookies. I've used the button within the app, deleted everything I could find in the Appdata\local\forticlient dir, and cleared the cache for Microsoft in Chrome, Edge and Internet Explorer. I can't get it to shake my Entra joined Windows credentials. Does anyone know how to get it so that I get prompted for Microsoft credentials at each login? This was working earlier today and now doesn't.

Best answer by MZBZ

Support of Electron (as internal browser framework) for IPsec SAML authentication will be included in FortiClient 7.2.9+.
This is already available in 7.4.1+ and the change is to introduce this feature for 7.2 branch.

4 replies

dankalmick
New Member
February 6, 2025

It appears that this is 'a feature' 

https://community.fortinet.com/t5/FortiClient/Technical-Tip-FortiClient-SAML-Authentication-Configuration/ta-p/369318

 

How do you make FortiClient 7.2.8 ignore your Entra joined account and just prompt you for credentials? This was working just fine in 7.4, I'm assuming because it's using a different browser? But I need a flag or something to say, ignore Entra joined session.

MZBZ
Staff
February 8, 2025

Export the settings file from FortiClient. Change the value of <after_logon_saml_auth> to use Electron or Microsoft Edge WebView2 and save it. Import it back into FortiClient.

More details here: https://community.fortinet.com/t5/FortiClient/Technical-Tip-FortiClient-SAML-Authentication-Configuration/ta-p/369318

 

dankalmick
New Member
February 8, 2025

<after_logon_saml_auth> is only supported in FCT 7.4.x; we're using 7.2.8.

dankalmick
New Member
February 8, 2025

We were experiencing a feature bug. TAC gave me an interim build of 7.2.9 which honors the <use_gui_saml_auth>1</use_gui_saml_auth> flag, but you have to put it in the <sslvpn> space instead of the <ipsecvpn> space even though we're using IPSec VPN SAML.

 

TL;DR: upgrade to 7.2.9 and issue the flag to use the Chromium-based browser, which doesn't default to using the default Windows Entra joined user.
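
A check for the placement described in the post above, added here as an example (not FortiClient's or the posters' code): it reads exported settings XML and reports whether <use_gui_saml_auth> is set to 1 under <sslvpn>, only under <ipsecvpn>, or not at all. The sample XML is constructed, the nesting below each section is an assumption, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

FLAG = "use_gui_saml_auth"
SECTIONS = ("sslvpn", "ipsecvpn")

# Constructed sample, not a real export: the flag sits under <ipsecvpn> only.
# The <options> nesting is an assumption; the check does not depend on it.
SAMPLE_MISPLACED = """<forticlient_configuration><vpn>
  <sslvpn><options><enabled>1</enabled></options></sslvpn>
  <ipsecvpn><options><use_gui_saml_auth>1</use_gui_saml_auth></options></ipsecvpn>
</vpn></forticlient_configuration>"""

# Constructed sample with the flag where the thread says 7.2.9 honors it.
SAMPLE_OK = """<forticlient_configuration><vpn>
  <sslvpn><options><use_gui_saml_auth>1</use_gui_saml_auth></options></sslvpn>
  <ipsecvpn><options><enabled>1</enabled></options></ipsecvpn>
</vpn></forticlient_configuration>"""


def flag_locations(xml_text):
    """Map each VPN section name to the flag values found anywhere beneath it."""
    root = ET.fromstring(xml_text)
    found = {name: [] for name in SECTIONS}
    for name in SECTIONS:
        for section in root.iter(name):
            for el in section.iter(FLAG):
                found[name].append((el.text or "").strip())
    return found


def assess(xml_text):
    """Return 'ok', 'misplaced' (set under <ipsecvpn> only) or 'unset'."""
    found = flag_locations(xml_text)
    if "1" in found["sslvpn"]:
        return "ok"
    if "1" in found["ipsecvpn"]:
        return "misplaced"
    return "unset"


if __name__ == "__main__":
    for label, text in (("misplaced sample", SAMPLE_MISPLACED), ("ok sample", SAMPLE_OK)):
        print(label, "->", assess(text), flag_locations(text))
```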

MZBZ
Staff
Answer
February 8, 2025

Support of Electron (as internal browser framework) for IPsec SAML authentication will be included in FortiClient 7.2.9+.
This is already available in 7.4.1+ and the change is to introduce this feature for 7.2 branch.