FortiClient
btan (Staff)
Article Id 297603
Description

This article describes a scenario in which FortiClient, when attempting a SAML VPN login against Azure with a Conditional Access Policy configured, loads indefinitely and eventually fails to connect.

 

Explanation:

Background on the Primary Refresh Token (PRT): https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

  • The additional compliance check that Azure Conditional Access performs depends on the 'Primary Refresh Token' (PRT) held by the endpoint.
  • PRT-based checks require the Azure WAM (Web Account Manager) plugin, which is available only in the top 3 browsers: Edge, Chrome, and Firefox.
  • The FortiClient built-in browser does not have this Azure WAM plugin, so the compliance check cannot complete and the login hangs.
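Before changing the FortiClient profile, it is worth confirming that the Windows endpoint actually holds a PRT, since the Conditional Access compliance check above depends on it. The following PowerShell is an added example and is not part of the Fortinet article; it runs the built-in Windows tool dsregcmd /status and reads the AzureAdJoined and AzureAdPrt fields that the tool prints as "Name : Value" lines.

```powershell
# Added example, not from the Fortinet article: check whether this Windows
# endpoint holds an Azure AD Primary Refresh Token (PRT). The field names
# AzureAdJoined and AzureAdPrt are the ones printed by dsregcmd /status.

function Get-DsregField {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [Parameter(Mandatory)] [string]   $Name
    )
    # Return the value of the first "Name : Value" line, or $null if absent.
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(.+?)\s*$") {
            return $Matches[1]
        }
    }
    return $null
}

function Test-AzurePrtReadiness {
    # Collect the device registration state for the current user session.
    $status = & dsregcmd /status

    $result = [pscustomobject]@{
        AzureAdJoined = Get-DsregField -Lines $status -Name 'AzureAdJoined'
        AzureAdPrt    = Get-DsregField -Lines $status -Name 'AzureAdPrt'
    }

    # The Conditional Access compliance check depends on the PRT, so if
    # AzureAdPrt is not YES the external-browser setting alone will not help;
    # the device registration itself needs attention first.
    $result | Add-Member -NotePropertyName PrtPresent `
                         -NotePropertyValue ($result.AzureAdPrt -eq 'YES')
    return $result
}

Test-AzurePrtReadiness | Format-List
```

Run it in the context of the user who will perform the SAML login, because the PRT is issued per user session; a device that shows AzureAdJoined : YES but AzureAdPrt : NO will still fail the compliance check even from Edge, Chrome, or Firefox.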
Scope

FortiClient v7.0.2 and v7.2.x and above.
Solution

If 'Azure Conditional Access Policy' is configured in SAML VPN Login, enable 'Use External Browser as User-agent for SAML Login' in the endpoint Remote Access profile:

 

[Screenshot use-ext-browser1.PNG: the 'Use External Browser as User-agent for SAML Login' option in the Remote Access profile]


With this option enabled, FortiClient opens the endpoint's default browser for the SAML login, so the compliance check is performed by a browser that has the Azure WAM plugin instead of by the FortiClient built-in browser, which does not support it.
