miciti
Visitor III
June 23, 2025
Solved

FortiClient remote access: set browser to use for external saml login

  • June 23, 2025
  • 3 replies
  • 2973 views

Hello everyone,

I have a working configuration for remote access via VPN and SAML (Microsoft Entra).

I am trying to restrict access to the VPN to only specific devices. It does work when FortiClient uses external SAML via the Edge browser. But when someone has set a different browser (e.g. Firefox) as default and FortiClient uses Firefox to provide the SAML login, some background information that is needed in Entra is missing.

This information seems to be available only when using Edge as the browser (shown by my testing).

Is there any way to set Edge as the browser to use for SAML, and not the machine's default browser?


3 replies

fg_muc
Explorer III
June 23, 2025

Hi,

I would assume that the FortiClient is simply referring to the “system default” of the operating system as an external browser and that it is not launched directly on the FortiClient.


However, I am also interested in the solution if available.
Maybe someone has a way of mapping this.

ebrlima
Staff
June 23, 2025
miciti (Author, Answer)
Visitor III
July 7, 2025

After some testing, I found that setting 'After logon SAML authentication framework' to 'Web browser' made everything work as expected.

On hybrid-joined devices with Active Hello for Business, I can connect to the VPN without providing any additional login details, and Entra retrieves the necessary information from the device.

Edit: There is an option in Firefox called 'Windows SSO' which is disabled by default. Enabling it allows Firefox to access the Windows login. It seems that, at least as a quick test, it provides the necessary information for Entra and conditional access.
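
A read-only check for the situation described in this thread, added here as an example and not posted by any participant: it reports the current user's default https handler and whether Firefox's Windows SSO setting is enforced by policy. It assumes that FortiClient's external-browser login follows the per-user https default and that the setting is managed through Firefox's `WindowsSSO` enterprise policy in the registry; the function name is hypothetical.

```powershell
# Added example (not from the thread). Reads registry values only, changes nothing.
function Get-SamlBrowserSsoStatus {
    [CmdletBinding()]
    param()

    # Per-user default handler for https links; assumed to be what the
    # external-browser SAML login ends up launching.
    $choiceKey = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice'
    $progId = (Get-ItemProperty -Path $choiceKey -ErrorAction SilentlyContinue).ProgId

    if (-not $progId)                     { $browser = 'Unknown' }
    elseif ($progId -like 'MSEdgeHTM*')   { $browser = 'Edge' }
    elseif ($progId -like 'FirefoxURL*')  { $browser = 'Firefox' }
    else                                  { $browser = "Other ($progId)" }

    # Firefox enterprise policy "WindowsSSO" (DWORD 1 = on, 0 = off).
    # The machine-wide key is checked first, then the per-user key.
    $policy = $null
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Policies\Mozilla\Firefox"
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).WindowsSSO
        if ($null -ne $value) { $policy = [bool]$value; break }
    }

    # Verdicts follow what the thread reports: Edge worked, Firefox worked
    # once 'Windows SSO' was enabled.
    if ($browser -eq 'Edge') {
        $verdict = 'Default browser is Edge, which worked in the thread.'
    } elseif ($browser -eq 'Firefox' -and $policy -eq $true) {
        $verdict = 'Firefox is default and Windows SSO is enforced by policy.'
    } elseif ($browser -eq 'Firefox') {
        $verdict = 'Firefox is default and Windows SSO is not enforced by policy; the device information may be missing.'
    } else {
        $verdict = 'Default browser was not covered in the thread; test the SAML login on this device.'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        HttpsProgId      = $progId
        DefaultBrowser   = $browser
        FirefoxSsoPolicy = $policy   # $null means no policy value was found
        Verdict          = $verdict
    }
}

Get-SamlBrowserSsoStatus | Format-List
```

A user who enabled 'Windows SSO' only in Firefox's own settings shows up here as not enforced, because the function looks at policy keys and does not read the Firefox profile.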