FortiClient
btan
Staff & Editor
Article Id 350046
Description This article describes how to resolve the 'Script Error' that appears when connecting to a SAML VPN.
Scope FortiClient v7.0.x and v7.2.x.
Solution

Sometimes, after upgrading FortiClient to a newer version, the user may see the 'Script Error' below when connecting to a SAML VPN (both SSL VPN and IPsec VPN):

 

Scenario 1: 'Access is denied' error.



 

To resolve this, there are a few options:

  1. Enable 'Use External Browser as User-agent for SAML Login' in the EMS Endpoint Remote Access profile.

This setting makes FortiClient launch the default external web browser, so end users log in there instead of in the FortiClient embedded web browser. The embedded browser is subject to the Internet Explorer security-zone settings that options 2 and 4 below adjust; the external browser is not.

  2. Edit the Group Policy to allow FortiClient to run the script necessary to perform the connection:

Start -> Edit Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Internet Zone:
'Websites in less privileged Web content zones can navigate into this zone' must be set to Enabled or Not Configured.

Once this policy is Enabled or Not Configured, the 'Script Error' message no longer appears. Note that this policy is commonly set to Disabled by security baselines, and changing it relaxes Internet Explorer's zone-elevation protection for every site in the Internet zone, not only the VPN gateway. Where possible, scope the policy to the endpoints that need SAML VPN, or prefer option 4, which limits the exception to the gateway itself.

  3. Enable the option <use_gui_saml_auth> in the endpoint profile XML.

    In EMS -> Endpoint Profiles -> (select the relevant profile) -> Edit -> XML view -> set <use_gui_saml_auth> to 1 -> Save the profile.

Note that when option 3 is applied, the SAML VPN behavior follows what is described in the SSL VPN documentation.

  4. Add the remote VPN gateway FQDN or IP to the Trusted sites zone.

Start -> type 'Internet Options' -> Security tab -> select Trusted sites -> Sites -> add the remote VPN gateway FQDN or IP -> OK.

Add only the gateway itself: the Trusted sites zone applies looser security settings to every host placed in it.

 
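As an added check for the two Windows-side fixes above (options 2 and 4), the following PowerShell script is example code written for this article; it is not Fortinet's or Microsoft's tooling. It reads the Internet Explorer zone registry values that the Group Policy setting and the Trusted sites entry map to, reports whether each fix is in place on the endpoint, and can add the gateway to Trusted sites for the current user. The registry value name 2101 for the zone-elevation policy, the ZoneMap layout, and the gateway name vpn.example.com are assumptions stated in the script rather than facts from the article. It needs no elevation: it only reads the HKLM policy keys and writes under HKCU.

```powershell
<#
  Added example, not part of the original article or of Fortinet's tooling.
  Audits the Windows-side fixes for Scenario 1 (options 2 and 4) and can
  apply option 4 for the current user.

  Assumptions (not stated in the article):
    - Zone value 2101 under ...\Zones\3 (Internet zone) is
      'Websites in less privileged Web content zones can navigate into this zone'
      with 0 = Enable, 1 = Prompt, 3 = Disable.
    - Trusted sites mappings live under ...\ZoneMap\Domains with zone id 2.
    - vpn.example.com is a placeholder gateway FQDN.

  Usage (hypothetical file name):
    .\Check-SamlVpnBrowserFix.ps1 -VpnGateway vpn.example.com
    .\Check-SamlVpnBrowserFix.ps1 -VpnGateway vpn.example.com -AddTrustedSite
#>
param(
    [string]$VpnGateway = 'vpn.example.com',   # placeholder, replace with your gateway FQDN
    [switch]$AddTrustedSite                    # apply option 4 for the current user
)

$PolicyZone3   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$UserZone3     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$UserZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PolicyZoneMap = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-ZoneElevationSetting {
    # Option 2: report the effective value of zone setting 2101 for the Internet zone.
    # A Group Policy value (HKLM\...\Policies) takes precedence over the user's own setting.
    foreach ($path in @($PolicyZone3, $UserZone3)) {
        $item = Get-ItemProperty -Path $path -Name '2101' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $source = if ($path -eq $PolicyZone3) { 'Group Policy' } else { 'user setting' }
        switch ([int]$item.'2101') {
            0       { return "Enable ($source)" }
            1       { return "Prompt ($source)" }
            3       { return "Disable ($source): this is the state that produces the 'Access is denied' Script Error" }
            default { return "Unexpected value $($item.'2101') ($source)" }
        }
    }
    return 'Not Configured (Internet zone default is Enable)'
}

function Get-ZoneMapKey {
    param([string]$Fqdn)
    # The ZoneMap stores vpn.example.com as Domains\example.com\vpn: the registrable
    # domain as one key and the remaining host labels as a subkey.
    $labels = $Fqdn.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a FQDN, got '$Fqdn'" }
    $key = Join-Path $UserZoneMap ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    return $key
}

function Get-TrustedSiteState {
    param([string]$Fqdn)
    # Option 4: returns the zone id mapped for https://<fqdn>, or $null when unmapped.
    # IP-address gateways are stored under ZoneMap\Ranges instead and are not handled here.
    if (Test-Path $PolicyZoneMap) {
        # 'Site to Zone Assignment List' is enforced: per-user Trusted sites entries are
        # ignored, so the gateway has to be added to that policy instead.
        Write-Warning "Site to Zone Assignment List policy is enforced; add $Fqdn there, not to the user's Trusted sites."
    }
    $entry = Get-ItemProperty -Path (Get-ZoneMapKey $Fqdn) -Name 'https' -ErrorAction SilentlyContinue
    if ($null -eq $entry) { return $null }
    return [int]$entry.https
}

function Add-TrustedSite {
    param([string]$Fqdn)
    # Option 4 for the current user: map https://<fqdn> to zone 2 (Trusted sites).
    # Only the https scheme is mapped, which is all the SAML login needs.
    $key = Get-ZoneMapKey $Fqdn
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
}

Write-Host "Option 2 - navigation into Internet zone from less privileged zones: $(Get-ZoneElevationSetting)"

$zone = Get-TrustedSiteState $VpnGateway
if ($zone -eq 2) {
    Write-Host "Option 4 - $VpnGateway is already in Trusted sites"
} elseif ($AddTrustedSite) {
    Add-TrustedSite $VpnGateway
    Write-Host "Option 4 - added https://$VpnGateway to Trusted sites for $env:USERNAME"
} else {
    $mapped = if ($null -eq $zone) { 'none' } else { $zone }
    Write-Host "Option 4 - $VpnGateway is not in Trusted sites (mapped zone: $mapped); rerun with -AddTrustedSite to add it"
}
```

The script reports the Group Policy value ahead of the user's own value because that is the precedence Windows applies, so an endpoint that shows 'Disable (Group Policy)' cannot be fixed from Internet Options alone; the policy (option 2) or the external browser (option 1) has to change.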

Scenario 2: 'Invalid character' error.

 


 

This error occurs when the internal (embedded) browser is used for SAML authentication.

The solution is to enable 'use_gui_saml_auth' in the FortiClient endpoint XML profile.

 

The configuration will look like this:

 

    <use_gui_saml_auth>1</use_gui_saml_auth>

 

The XML Reference Guide gives a more detailed explanation of this option, including its behavior when the endpoint is joined to an Entra ID domain.