FortiGate
sfernando
Staff
Article Id 267878
Description

This article describes the configuration adjustments required for Microsoft Azure Conditional Access to work correctly with SAML-authenticated SSL-VPN tunnels on FortiClient.

Scope

FortiClient, SSL-VPN, SAML, Microsoft Azure Conditional Access

Solution

Some customer environments will utilize Azure Conditional Access policies with Microsoft Intune compliance policies to control access to protected company resources. As part of this compliance process, devices are required to obtain Primary Refresh Tokens (PRTs) after authenticating to Microsoft Entra via SAML, and these PRTs are passed along by the end-user's web browser as they access these protected resources.

For more info on PRTs, refer to the following Microsoft documentation: https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

With that in mind, a problem can occur when users attempt to access these Conditional Access resources while connected to the FortiClient SSL-VPN. More specifically, the issue occurs when the user authenticates with SAML using FortiClient's embedded web browser: the PRT is 'trapped' within FortiClient's embedded browser and cannot be shared with the user's main web browser (e.g. Chrome, Firefox, Safari).

To solve this issue, it is necessary to modify the SSL-VPN tunnel configuration on FortiClient (or EMS for managed FortiClients) and enable 'Use External Browser as user-agent for saml user authentication'. This option redirects the SAML authentication process to the end-user's default web browser, which allows for the PRT to be received by the web browser for later usage when accessing protected resources.

Note that this option requires both the FortiGate and FortiClient to be running version 7.0.1 or later.

The following screenshots show the location of the setting on FortiClient itself as well as the corresponding configuration section on EMS:

[Screenshot: Forticlient.jpg, the 'Use External Browser as user-agent for saml user authentication' option in the FortiClient SSL-VPN tunnel settings]

Generally speaking, SSL-VPN tunnel configs pushed from EMS to managed FortiClients cannot be overwritten by the end-user (except for custom tunnels that the end-user has added themselves, if allowed). Instead, modify the SSL-VPN tunnel settings in the EMS profile and have EMS push the change to the managed FortiClients:

[Screenshot: Forti EMS.jpg, the same option in the EMS endpoint profile's SSL-VPN tunnel settings]
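For administrators who maintain the EMS profile as XML rather than through the GUI, the tunnel definition with this option enabled looks like the fragment below. This is an added illustration, not a fragment from this article; the element names are assumed from the FortiClient XML configuration reference and should be checked against the reference for your version, and the tunnel name and gateway address are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<forticlient_configuration>
  <vpn>
    <sslvpn>
      <connections>
        <connection>
          <!-- Placeholder tunnel name and gateway; replace with your own. -->
          <name>Corp-SSLVPN-SAML</name>
          <server>vpn.example.com:443</server>
          <!-- SAML single sign-on for this tunnel (assumed element name). -->
          <sso_enabled>1</sso_enabled>
          <!-- Hand the SAML flow to the system default browser so the PRT
               lands there instead of in FortiClient's embedded browser.
               Requires FortiGate and FortiClient 7.0.1 or later
               (assumed element name). -->
          <use_external_browser>1</use_external_browser>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
```

With the option left at 0 the SAML login still succeeds, but the PRT stays in the embedded browser and Conditional Access checks in the user's main browser will fail.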

Related documents:

Microsoft: Create a device-based Conditional Access policy.

Microsoft: Use compliance policies to set rules for devices you manage with Intune.