Forticlient VPN - SAML SSO Azure AD - credentials cache

Also noticed this and would be interested in a solution

Hey Marco,

as far as I know: If FortiClient is not closed properly, it will still have the SAML cookie stored (and Azure SAML IdP will also still have the SAML session, as no logout was sent to it).

When establishing VPN again, FortiGate will redirect the client to Azure for SAML login, and at that point FortiClient will present the stored cookie, which Azure will accept because it also still has the SAML session, and the user is considered logged in without needing to input credentials.

-> if you clear the existing session in Azure, that should also enforce a new login

-> I tested this a bit with FortiAuthenticator serving as IdP; FortiAuthenticator retained an IdP session for the FortiClient login unless there was a proper logout with a SAML assertion sent to the IdP logout URL; I assume Azure behaves similarly with retaining the session until it times out if no explicit assertion was sent to the logout URL.

I'm not aware of any configuration option to have FortiClient purge its cache if SSLVPN is dropped instead of properly logged out, and there is no setting on FortiGate to have it send a logout request to Azure SAML IdP if VPN drops.

This would probably require some kind of feature request to straighten out.

Here is how i was able to resolve this through Group Policy.

First created a simple .bat file that does 2 things:

-Kills forticlient.exe

-Deletes Cookies and Cookies-journal files

Save the following as forticlient_delete_cookies.bat

-----------------------------

@echo off

taskkill /IM "FortiClient.exe"

del /f C:\Users\%username%\AppData\Local\FortiClient\Cookies

del /f C:\Users\%username%\AppData\Local\FortiClient\Cookies-journal

@echo off

----------------------------------

This closes the Forticlient Console GUI as it is using the required files we need to delete. The user will stay connected to vpn and this will not interfere with their established connection, and just need to relaunch shortcut or open from app tray in bottom right corner of screen to bring the gui back up.

 

GPO:

I created a GPO that does two things:

 

-Copies the .bat file from a network share drive reachable by the end users machine via VPN at the same location of the cookies files:

C:\Users\%username%\AppData\Local\FortiClient\

 

-Creates a task schedule to run the .bat twice a day and when the user reboots.

 

 

Tested in a new GPO over VPN with a user that has no administrator permissions to machine.

Brilliant!

Thanks for the detailed breakdown which I will take a look at.

For me, I am keen to preserve the UPN element when users next sign on so all they need to is

enter in their password (or matching code number).

Right now I have DUO set up for MFA with the password cached so all users do is authorise the push authentication prompt on their DUO mobile app.

Just trying to balance convenience with security. Suspect users will baulk at the idea of enter of all the extra steps they would need to do to sign in via Azure SSO.

Preserving the UPN is the halfway house I am after.

As I understand it, you do need FortiOS 7.x as well (to read and presence the user agent string) but I am only running 6.x on the Firewall at the moment.

Since users login using Windows hello PIN code, I am aiming for passwordless authentication for the VPN as well, hence the move to SAML authentication.