Skip to main content
rsm
rsm
Explorer
November 15, 2024
Solved

Forticlient SAML Authentication timeout

  • November 15, 2024
  • 1 reply
  • 19419 views

Hi there

 

We are rolling out MFA to our Forticlient VPN users. When user clicks connect a popup window appears for the SMAL idp, titled "Forticlient SAML Authentication". There is a timeout counter in the tile window that starts counting down from 300 seconds. 

When the popup appears, we can see in the FortiClient window, above the VPN Name box it says "status:connecting". The user needs to enter a login name, then a password, then a passcode, each on a different screen within the popup window. The popup closes and the user is returned to the Forticlient window which then goes through the connection stages and connects to VPN.

 

The issue we are having is that if the user does not enter their login details within 30 seconds in the popup window, when the popup closes, the "status: connecting" message disappears and no other connection messages appear and the user is not connected to VPN. Even if we do nothing in the popup window, the "status: connecting" message disappears within 60 seconds.

I've already set remoteauthtimeout to 240. I have tried changing some of the settings in the SSL-VPN settings, such as login-timeout, http-request-body-timeout and http-request-header-timeout. But we still have the same issue. 

 

We still have the same issue if we enable the option "Use external browser as user-agent for saml user authentication" 

 

I did try to connect with a standard VPN connection, i.e. without MFA. This uses the Forticlient VPN login. If a password is entered, but you wait 30 seconds before clicking connect, the password is cleared from the password box. 

 

Somewhere there is a 30 second timeout in Forticlient, where if it does not see a connection attempt, it clears the down the attempt. 

Has anyone seen this issue? Is there a timeout somewhere in Forticlient that I can set?  Or is there something else I need to set on the Fortigate?

 

For reference we are using FortiClient v.7.4.0.1658. The Fortigate is on 7.0.14. And we are using CyberArk for the MFA authentication.

 

Any help would be appreciated.

Thanks

Roy

Best answer by pminarik

You could also test 7.4.1. It's got a bunch of SAML-related fixes, maybe one of them will deal with your issue.

 

https://docs.fortinet.com/document/forticlient/7.4.1/windows-release-notes/22791/resolved-issues

1 reply

pminarik
Staff
pminarik
Staff
November 15, 2024

Both FortiGate and FortiClient track their own timeouts, and in FCT versions 7.2.4+ it's not coordinated. FCT has static 300 seconds, while FortiGate's timeout is configurable, with default being 25 seconds.

 

It is set in:

config system global

set remoteauthtimeout <X> (5-300 seconds, default 5)

end

 

Note that for SAML the actual value used is <remoteauthtimeout> + 20.
I would recommend setting it to somewhere around 280-300 if you use only SAML for remote authentication. If you're using other methods (LDAP, RADIUS) be aware that this option influences them as well, so if there happens to be connectivity issues  with the LDAP/RADIUS server, you may see a long waiting period before that fails out (if you use a high value for remoteauthtimeout).

rsm
rsmAuthor
Explorer
November 15, 2024

We had the remoteauthtimeout setting on the Fortigate already set to 240. I have actually increased it to 300 but it makes no difference.

If I use a browser, i am able to login successfully using the SAML authentication even if I take more than 2 minutes to enter my username, password and code. Therefore I don't believe the issue on the gateway.

The issue appears to be that FortiClient call the SAML idp authentication process, which requires a popup window. Once I have entered my username, then password, then code and click connect, that is when the popup closes and "control" is passed back to Forticlient. But if this takes more than 30-45 seconds, then Forticlient has timed out and VPN is not established. 

 

However, in the CyberArk MFA portal, I can see successful authentications, so the popup window is communicating the IDP absolutely fine and as expected. 

 

Thanks

Roy 

pminarik
Staff
pminarik
Staff
November 15, 2024

I am personally not a fan of vague advice like this... but I've seen lots of complaints about FCT 7.4.0. Any chance you can go back a bit and try something like 7.2.5? That seems to run fine as far as I can see.

 

There is one more knob you can try tweaking:

config vpn ssl setting

set login-timeout <X> <10-180, default 30, seconds>

end

 

Terms & ConditionsAccessibility statement