Technical Tip: Clearing browser cookie using FortiClient EMS to prevent SAML authentication bypass

smaruvala · ‎04-24-2024

Description

This article descries that FortiClient provides the flexibility to choose either an external browser or a FortiClient-embedded browser for SAML authentication. If an external browser is used then the credentials are cached in browser cookies.

This will lead to bypassing authentication when the user reconnects to FortiClient.

This negates the Single Log Out feature of SAML. The KB article explains how this can be solved using the FortiClient EMS setting.

Scope

FortiClient v7.2, FortiClient EMS v7.2

Solution

From the FortiClient EMS Server, edit the desired SSL VPN tunnel from a 'Remote Access' profile, and add the command in the 'On Disconnect' script.

Depending on the default browser the location of the Cookie file will be different. For the Google Chrome browser the cookie is stored in the C:\users\%username%\AppData\Local\Google\Chrome\"User Data"\Default\Network\Cookies.
The configuration file shows the command entered in the On Disconnect Script section.

The command will be executed once the FortiClient VPN is disconnected and the cookies file will be deleted.

To clear cookies on Free FortiClient VPN versions, follow these steps:
Navigate to 'Settings' -> navigate under the 'Advanced Tab' -> select 'Clear Cookies'.

Technical Tip: Clearing browser cookie using FortiClient EMS to prevent SAML authentication bypass

You are leaving our website