Skip to main content
Icebun
Icebun
Explorer II
April 22, 2022
Question

SSL VPN Azure SAML Authentication behaviour

  • April 22, 2022
  • 4 replies
  • 5879 views

Environment

Fortigate 6.2.4

EMS 6.2.4

 

Forticlient 6.2.4

When signing in with SAML, user sees O365 dialog for email address, followed by Password and then  MFA prompt.

The prompt reoccurs every time the VPN needs to be established.

Is it correct that you need to run Fortigate/EMS on at least V7.0 to get the user-agent option to work so the following gets picked up (rather having to keep typing in the email address?

Icebun_0-1650640372680.png

 

 

Forticlient 7.0.2 (Free version)

When signing in with SAML, user sees O365 dialog for email address, followed by Password and then MFA prompt.

Beyond that point the user is not prompted for their credentials when reconnecting the VPN.

Does anyone know how long the credentials are cached and where they are actually stored in case you need to clear them down?

 

 

4 replies

A
Anonymous_User
New Contributor III
April 25, 2022

Hello Icebun, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

 Fortinet Community Team 

jie
Staff
jie
Staff
April 25, 2022

Hi Icebun, 

 

This feature has been improved from Forticlient version 6.4, you can try with 6.4.6 and see the different behaviour. 

 

 

seshuganesh
Staff
seshuganesh
Staff
April 25, 2022

Hi Team,

 

we need to check in azure settings.

This is the purpose of using SAML SSO. So the first time you connect and do the authentication, a session will be established in idP (Azure) and accordingly the session ID will be saved in the cookie of FortiClient. As long as the cookie is valid (not sure about Azure settings, but could be around 8 hours), Azure will issue the assertion without triggering the authentication.
In older versions of FortiClient, support of cookie for FortiClient had not been fully implemented and as a result, every time the users wanted to connect to VPN, they had to put in the credentials again.
The only way you can force re-authentication for each connection attempt is to remove the cookie of FortiClient manually (i believe you need to remove from temp folder in windows)

 

 

Icebun
IcebunAuthor
Explorer II
April 25, 2022

Thanks for all the responses, I am pursuing an option to upgrade to 7.x EMS so I think this might help resolve some of the issues.

 

 

Icebun
IcebunAuthor
Explorer II
June 3, 2022

I have now upgraded to EMS 7.0.4 and can now deploy EMS Forticlient 7.0.5.

 

When signing in with SAML, I can see that I do not need sign in again with my O365 credentials whilst the cached cookie maintains the credentials details.

 

Does anyone know if it is possible to pre-capture the email address so the user only needs to enter in the password?

 

 

Terms & ConditionsAccessibility statement