FortiGate
CarlosColombini
Staff & Editor
Article Id 211311
Description

This article explains why FortiClient does not prompt for credentials again after the first successful login with the SAML method. It also lists workarounds and describes the planned permanent fix.

Scope

FortiGate, FortiClient, or a web browser with SAML authentication.

Solution

After the first login, the SAML login session is retained in the embedded browser's cookies, so subsequent login attempts bypass the credential prompt and MFA (if configured).

This is the current behavior; the 'Save login' option does not apply to the SAML authentication method.

Workaround Options:

  1. For Windows clients, delete the 'Cookies' file as per KB Article below: Technical Tip: Disabling auto caching on VPN login using SAML
  2. Shut down FortiClient and re-launch it; this option may be locked if FortiClient is connected to Telemetry (EMS).
  3. If web-mode is used, perform login from a 'Private Window' (Firefox), 'InPrivate Window' (Microsoft Edge), or 'Incognito' (Google Chrome).
  4. If FortiClient is managed by FortiClient EMS, then the On-Disconnect script may be leveraged.

From the EMS server, edit the desired SSL VPN tunnel in a 'Remote Access' profile and add this line to an 'On Disconnect' script:

del /s C:\users\%username%\AppData\Local\FortiClient\Network\cookies

A permanent fix is being discussed with Development and is planned for future releases of FortiClient v6.4, v7.0, and v7.2, which should add a global 'Save login' option that also covers the SAML authentication method.
