Description

This article explains why FortiClient will not prompt for credentials after first successful login using SAML method. This article also lists workarounds and future permanent solution.

Scope

FortiGate, FortiClient or Web Browser with SAML Authentication.

Solution

After the first login, SAML login credentials are cached by the embedded browser cookies, which causes subsequent login attempts to bypass credentials and MFA if configured.

This is the current behavior and the option 'Save login' does not apply to SAML authentication method.

Workaround Options:

1. For Windows clients, delete the 'Cookies' file as per KB Article below: Technical Tip: Disabling auto caching on VPN login using SAML
2. Shutdown FortiClient and re-launch it, but this option may be locked if connected to Telemetry (EMS).
3. If web-mode is used, perform login from a 'Private Window' (Firefox), 'InPrivate Window' (Microsoft Edge), or 'Incognito' (Google Chrome).
4. If FortiClient is managed by FortiClient EMS, then the On-Disconnect script may be leveraged.

From the EMS Server, edit the desired SSL VPN tunnel from a 'Remote Access' profile, and add this line to an 'On Disconnect' script:

del /s C:\users\%username%\AppData\Local\FortiClient\Network\cookies

A permanent fix is in discussion with Development and it is planned for future releases of FortiClient v6.4, v7.0, and v7.2, which should have a global option for 'Save login' to encompass the SAML authentication method as well.