mkuhn79
New Member
April 1, 2022
Solved

FortiClient & SSO with Windows Hello for Business


Hey guys,

We are looking for a VPN solution for our Azure AD joined notebooks. We have configured Hello for Business and log in with Face ID or PIN. Is FortiClient able to connect the VPN with SAML and without user interaction (user tunnel)?

We would have a Conditional Access Policy in AAD to make sure that only compliant devices and MFA are allowed to use SAML.
Thanks for your help on this.
Best regards

Marc

4 replies

Markus_M (Answer)
Staff & Editor
April 2, 2022

Hi Marc,

I don't think FortiClient knows about Windows Hello. SAML will additionally need a password to use; it won't be able to use whatever keystore Windows Hello stores its stuff against (nothing should be able to read that).
Best regards,
Markus

mkuhn79 (Author)
New Member
April 2, 2022

Hi Markus,

We also tested the NetMotion Mobility client, which is able to accomplish this: login with SAML to AAD with Hello for Business with zero user action required. So we were looking for that in FortiClient.
But thanks for your help.
Best regards

Marc

skylarsmsith
New Member
October 20, 2022

Are you sure a VPN is the best solution? It seems to me that you need to consult with professionals who can advise you on more secure methods of logging into Windows.

fnoel
New Member
February 13, 2023

Hello,

I prefer to use this already existing topic instead of opening a new one.

Much like @mkuhn79, we are setting up Windows Hello for Business for all our users. We already use FortiClient to connect via SSL VPN, but using an LDAP connection (asking once again for the user password).

We now plan to make them use 2FA (via Windows Hello for Business mainly) to connect to the VPN. SAML configuration works with my test users, but I can only connect to my Azure account using password + 2FA (SMS or Authenticator). I don't understand why the Windows Hello for Business option is not even shown. I tried to use SAML for SSO on other apps, and it works just fine with Windows Hello for Business.

Is there something in the Fortinet configuration I could have missed?

Pardon my English, and thanks in advance for any answer.

Regards,

Florian