FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 246953


This article explains that SAML authentication is a convenient way to authenticate users and assign permissions, but that it can be challenging to de-authenticate a user on a workstation.

By default, user 'A' stays authenticated for the lifetime granted by the IdP. If user 'A' logs out of the workstation and user 'B' logs in, the FortiGate still holds a valid authentication for the workstation's IP address under user 'A'.

This can lead to a security issue, as user 'B' now has user 'A' permissions.








A practical example:


For this demonstration, the workstation has been joined to Azure AD, but the principle is the same even if the workstation is not joined.


'Eusebio' logged into the workstation and opened the browser, was redirected to Azure for authentication, provided his credentials, and is now authenticated:


[Screenshot: eusebio login.png]


'Eusebio' can browse the internet as per the configured policies with the SAML user group:


[Screenshot: eusebio logs.png]


[Screenshot: eusebio logged in and browsing.png]


Now 'Eusebio' will sign out from this workstation, and log in with 'Amalia'.

'Amalia' can browse the internet but is not prompted for credentials, navigating as 'Eusebio' because the authentication for the workstation's IP address is still valid:


[Screenshot: amalia navigating with eusebio.png]


[Screenshot: eusebio login 25 min.png]


To overcome this issue, set a timeout for the SAML user group.

Here is the SAML configuration:


config user saml
    edit "AZ"
        set entity-id "https://yourinternalip:1003/saml/metadata"
        set single-sign-on-url "https://yourinternalip:1003/saml/login"
        set single-logout-url "https://yourinternalip:1003/saml/logout"
        set idp-entity-id ""
        set idp-single-sign-on-url ""
        set idp-single-logout-url ""
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set digest-method sha1
    next
end


config user group
    edit "AZ-out"
        set authtimeout 1
        set member "AZ"
    next
end


The command to focus on is 'set authtimeout' under the user group. Here it is set to 1, meaning one minute.

After one minute of inactivity from the user, the user will be de-authenticated.

It is now necessary to sign out 'Amalia' from the workstation and wait at the Windows login screen for the authentication to clear.

This may take 2-3 minutes rather than the configured one minute, because the workstation might still have some traffic running in the background.


Sign out:




It is possible to observe that even after the sign out there is still some background traffic running:


diagnose sniffer packet any 'host' 4 0 l
Using Original Sniffing Mode
2023-02-23 09:52:58.630726 port2 in -> psh 1002352673 ack 1841619
2023-02-23 09:52:58.641798 port2 out -> psh 1841619806 ack 100235
2023-02-23 09:52:58.776750 port2 in -> ack 1841619933

The configured one-minute timeout only starts counting once this traffic stops, so allow 2 to 3 minutes for the workstation to close (RST or FIN/ACK) all of its TCP connections.
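The timing behaviour described above (the group's 'set authtimeout' value, the idle timer that background traffic keeps refreshing, and the consequence that a second Windows user inherits the first user's identity until it expires) is easier to reason about with a small model. The following is an added illustration written for this article, not FortiGate code: it keeps one identity per source IP, refreshes the idle timer on every packet from that IP, and drops the entry only after the timeout passes with no traffic. The IP address, user names, packet timings and the `run_timeline`/`shared_workstation` helpers are all constructed for the example.

```python
"""Added illustration (not FortiGate code) of the inactivity-timed,
IP-keyed authentication table the article describes: one identity is
bound to the workstation's source IP, any packet from that IP refreshes
the idle timer, and the entry is dropped only once 'authtimeout' minutes
pass with no traffic. IPs, timings and user names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AuthEntry:
    user: str
    last_seen: float  # time (s) of the most recent packet from the IP


@dataclass
class AuthTable:
    authtimeout_min: int  # mirrors 'set authtimeout' on the user group
    entries: Dict[str, AuthEntry] = field(default_factory=dict)  # src IP -> entry

    @property
    def timeout_s(self) -> float:
        return self.authtimeout_min * 60.0

    def login(self, ip: str, user: str, now: float) -> None:
        """IdP assertion accepted: bind `user` to the workstation's IP."""
        self.entries[ip] = AuthEntry(user, now)

    def packet(self, ip: str, now: float) -> None:
        """Any traffic from the IP, interactive or background, refreshes the idle timer.
        Expiry runs first so a packet arriving after the timeout does not revive the entry."""
        self._expire(now)
        if ip in self.entries:
            self.entries[ip].last_seen = now

    def logout(self, ip: str) -> None:
        """Explicit de-authentication, like the portal's logout button."""
        self.entries.pop(ip, None)

    def whoami(self, ip: str, now: float) -> Optional[str]:
        """Identity the firewall attributes to traffic from `ip` at `now`, or None."""
        self._expire(now)
        entry = self.entries.get(ip)
        return entry.user if entry else None

    def _expire(self, now: float) -> None:
        stale = [ip for ip, e in self.entries.items() if now - e.last_seen >= self.timeout_s]
        for ip in stale:
            del self.entries[ip]


def run_timeline(authtimeout_min: int, packets: List[float], checks: List[float],
                 ip: str = "192.0.2.10", user: str = "eusebio") -> Dict[float, Optional[str]]:
    """Replay packets and identity checks in time order; return who was seen at each check."""
    table = AuthTable(authtimeout_min)
    table.login(ip, user, now=0.0)
    events = sorted([(float(t), "pkt") for t in packets] + [(float(t), "chk") for t in checks])
    seen: Dict[float, Optional[str]] = {}
    for t, kind in events:
        if kind == "pkt":
            table.packet(ip, t)
        else:
            seen[t] = table.whoami(ip, t)
    return seen


def shared_workstation(authtimeout_min: int = 1, background_until_s: float = 720.0) -> Dict[str, Optional[str]]:
    """The article's timeline: Eusebio browses for 10 minutes, signs out of Windows
    at 600 s, and the host keeps sending background traffic every 20 s until
    `background_until_s`. Amalia logs in 90 s after the sign-out."""
    interactive = list(range(0, 601, 30))  # a packet every 30 s while Eusebio browses
    background = list(range(620, int(background_until_s) + 1, 20))
    checks = {
        "amalia_logs_in_90s_after_signout": 690.0,
        "one_timeout_after_signout": 600.0 + authtimeout_min * 60,
        "one_timeout_after_last_background_packet": background_until_s + authtimeout_min * 60,
    }
    seen = run_timeline(authtimeout_min, interactive + background, list(checks.values()))
    return {label: seen[t] for label, t in checks.items()}


if __name__ == "__main__":
    for label, who in shared_workstation().items():
        print(f"{label}: {who}")
```

With the defaults (authtimeout 1 and background traffic lasting two minutes past the sign-out), the model still attributes Amalia's traffic to 'eusebio' both 90 seconds after sign-out and a full timeout after sign-out; the identity clears only one timeout after the last background packet, which is the 2-3 minute delay seen in the sniffer session. Passing `background_until_s=600.0` (no traffic after sign-out) shows the timeout counting from the sign-out itself.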


The authentication will clear after the timeout period:


[Screenshot: auth cleared.png]


It is now possible to log in as 'Amalia' again, and when 'Amalia' opens the browser, credentials will be prompted:


[Screenshot: amalia prompted for credentials.png]


After authentication:


[Screenshot: amalia auth.png]




[Screenshot: amalia logs.png]



To perform an active de-authentication from the host, open the FortiGate logout page (https://<FGTIP>:1000/portal?) and select the 'logout' button. This clears the user authentication immediately, without waiting for the inactivity timeout:



Related article:

Technical Tip: Wireless authentication using SAML credentials.