Hi FWB admins In FortiWeb, when using SAML authentication to access a protected server, can FWB protect against Credential Stuffing?I think something in the admin guide says it does when using site publish, but it is not 100% clear if it does.https://docs.fortinet.com/document/fortiweb/7.4.10/administration-guide/272565 So the three questions are:Does FWB protect against credential stuffing when using SAML authentication via site publish?And does it protect against it when using SAML authentication directly with the protected server without using FWB's site publish?And in case you confirm it does then please explain how it can, given that the authentication is between the client and the IdP

AEK

SuperUser

Question

FWB, SAML and Credential Stuffing

Forum|Forum|7 months ago
November 2, 2025
1 reply
323 views

Hi FWB admins

In FortiWeb, when using SAML authentication to access a protected server, can FWB protect against Credential Stuffing?

I think something in the admin guide says it does when using site publish, but it is not 100% clear if it does.

https://docs.fortinet.com/document/fortiweb/7.4.10/administration-guide/272565

So the three questions are:

Does FWB protect against credential stuffing when using SAML authentication via site publish?
And does it protect against it when using SAML authentication directly with the protected server without using FWB's site publish?
And in case you confirm it does then please explain how it can, given that the authentication is between the client and the IdP

FortiWEB

ElwinBERRAR

Explorer III

When SAML authentication is used, FortiWeb doesn’t actually see the user’s credentials, since authentication happens directly between the client and the Identity Provider (IdP). Because of that, FortiWeb can’t apply its usual credential-stuffing protections in that flow. If you enable Site Publish, FortiWeb becomes part of the authentication path.

It can then analyze login attempts, detect repeated credential reuse, and apply rate-limiting or CAPTCHA before sending credentials to the IdP. That’s the only case where its credential-stuffing protection applies. When SAML is configured directly between the client and the protected server, the login process bypasses FortiWeb’s controls, so credential-stuffing detection won’t work in that setup.

To prevent such attacks in that case, you’d need to rely on the IdP’s own protections or additional WAF rules focusing on abnormal request patterns.

AEKAuthor

SuperUser

Thanks for your feedback.

Did you have the chance to test it? Currently I don't have a valid license to do the tests.

AEK

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded