Article Id 211311


This article explains why FortiClient does not prompt for credentials after the first successful login using the SAML authentication method. It also lists the available workarounds and the planned permanent fix.

Scope: FortiGate with FortiClient, or a web browser, using SAML authentication.

After the first successful login, the SAML session cookies set in FortiClient's embedded browser are kept on disk, so subsequent connection attempts reuse that session and skip the credential prompt, including MFA if it is configured at the identity provider. In practice, anyone with access to the user's logged-in Windows session can reconnect the VPN without presenting credentials or a second factor until the cached cookies are removed.

This is expected behavior in current FortiClient releases; the tunnel's 'Save login' option does not apply to the SAML authentication method, so disabling it has no effect on this caching.

Workaround Options:

1) On Windows clients, delete the 'cookies' file as described in the KB article below:

Technical Tip: Disabling auto caching on VPN login using SAML

2) Shut down FortiClient and relaunch it. Note that the Shutdown option may be locked when the client is connected to FortiClient EMS (Telemetry).

3) If web mode is used, log in from a "Private Window" (Firefox), "InPrivate Window" (Microsoft Edge), or "Incognito" window (Google Chrome), so the IdP session cookies are discarded when the window is closed.

4) If FortiClient is managed by FortiClient EMS, an On-Disconnect script can be used. On the EMS server, edit the desired SSL VPN tunnel in the "Remote Access" profile and add this line to the "On Disconnect" script:

del /s C:\users\%username%\AppData\Local\FortiClient\cookies

Note that %username% expands to the account the script runs under, so the path only matches the VPN user's profile when the script executes in that user's context. After the first disconnect, confirm that the file is gone and that the next connection prompts for credentials (and MFA, if configured).
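The same cleanup as a PowerShell script, added here as an example and not taken from Fortinet's KB or shipped with FortiClient EMS. Compared with the one-line del command it resolves the cookie file from %LOCALAPPDATA% instead of hardcoding C:\users\%username%, reports the file's last-write time before removing it (useful when investigating an unexpected no-prompt reconnect), supports -WhatIf, and fails loudly when the file is locked, which is the case where workaround 2 applies. The location %LOCALAPPDATA%\FortiClient\cookies is the KB's path re-expressed through the environment, the -FortiClientData parameter name is mine, and the script assumes it runs in the VPN user's context.

```powershell
<#
  Added example (not Fortinet's own script): clears the SAML session cookies that
  FortiClient's embedded browser caches, so the next VPN connection prompts for
  credentials and MFA again. Intended as an EMS "On Disconnect" script or for
  manual use on a Windows client.

  Assumptions:
    - the cookie file lives at %LOCALAPPDATA%\FortiClient\cookies, i.e. the same
      location as the KB's C:\users\%username%\AppData\Local\FortiClient\cookies,
      resolved from the environment so non-default profile paths still work;
    - the script runs in the VPN user's context; under another account
      $env:LOCALAPPDATA points at a different profile and nothing is removed.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Directory holding FortiClient's embedded-browser data (assumed path; override if your build differs).
    [string]$FortiClientData = (Join-Path $env:LOCALAPPDATA 'FortiClient')
)

$cookieFile = Join-Path $FortiClientData 'cookies'

if (-not (Test-Path -LiteralPath $cookieFile -PathType Leaf)) {
    Write-Output "No cached cookie file at '$cookieFile'; nothing to do."
    exit 0
}

$info = Get-Item -LiteralPath $cookieFile
# The last-write time shows when the cached SAML session was last refreshed.
Write-Output ("Found '{0}' ({1} bytes, last written {2:u})" -f $info.FullName, $info.Length, $info.LastWriteTimeUtc)

# -WhatIf prints the action without deleting anything; -Confirm prompts first.
if ($PSCmdlet.ShouldProcess($cookieFile, 'Delete cached SAML session cookies')) {
    try {
        Remove-Item -LiteralPath $cookieFile -Force -ErrorAction Stop
        Write-Output 'Cached SAML cookies removed; the next VPN login will prompt for credentials.'
    }
    catch {
        # Usually means FortiClient still has the file open; shut down and relaunch
        # FortiClient (workaround 2) and run again.
        Write-Error "Could not delete '$cookieFile': $($_.Exception.Message)"
        exit 1
    }
}
```

Run it once by hand after a SAML login to confirm the file exists at that path on your FortiClient build, then reconnect and verify that the IdP login page and the MFA challenge reappear. If they do not, the cached session is stored elsewhere on that build and the -FortiClientData path needs adjusting.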



A permanent fix is being discussed with Development and is planned for future releases of FortiClient 6.4, 7.0, and 7.2. The intent is a global 'Save login' option that also governs the SAML authentication method, so that clearing it forces a fresh credential and MFA prompt on every connection.