| Description | This article describes how to configure an SSL VPN web portal in web mode and predefine a bookmark that uses Single Sign-On (SSO) with the user's SSL VPN login credentials. |
| Scope | FortiGate. |
| Solution |
With FortiGate SSL VPN web mode integrated with Active Directory authentication, the user establishes the SSL VPN session from a web browser and then opens the predefined bookmark. FortiGate forwards the same Active Directory credentials to the internal application, so the user does not need to log in to the application a second time.
With SAML logon this configuration does not work. The explanation is at the end of the document.
Sample configuration:
    config vpn ssl web portal
        edit "web-access"
            set tunnel-mode disable
            set web-mode enable
            set allow-user-access web rdp
            set limit-user-logins disable
            set display-bookmark enable
            set user-bookmark enable
            set user-group-bookmark enable
            config bookmark-group
                edit "gui-bookmarks"
                    config bookmarks
                        edit "10.1.1.1"
                            set apptype web
                            set description ''
                            set url "https://10.1.1.1"
                            set sso auto
                            set sso-credential sslvpn-login
                            set sso-credential-sent-once disable
                        next
                    end
                next
            end
        next
    end
Note: This is not supported in SSL VPN Tunnel mode.
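The portal above only works when FortiGate actually holds the user's password, which is the case for LDAP/Active Directory authentication. The following is an added example (not from the original article) of the pieces that sit around the portal: the LDAP server and group that supply the password, the SSL VPN settings that map the group to the portal and let FortiGate keep the web-session password, and, for contrast, where a SAML group would break the bookmark. All names in quotes ("AD-LDAP", "AD-SSLVPN-Users", the server IP and DN values) are placeholders; whether the encrypt-and-store-password setting is required for sslvpn-login bookmarks on a given FortiOS release is an assumption to confirm against that release's CLI reference.

```text
# Added example, not the article's own configuration. Quoted names, the
# server address and the DN values are placeholders.

# 1. Active Directory (LDAP) server and user group. Because FortiGate binds
#    with the user's own credentials here, it sees the password at login,
#    which is what 'sso-credential sslvpn-login' later forwards.
config user ldap
    edit "AD-LDAP"
        set server "10.1.1.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=example,dc=local"
        set password "<bind-password>"
    next
end
config user group
    edit "AD-SSLVPN-Users"
        set member "AD-LDAP"
    next
end

# 2. Let FortiGate keep the web-session password (encrypted) so the SSO
#    bookmark has something to send, and map the AD group to the portal
#    "web-access" from the sample configuration above.
#    Assumption: this is the setting the SAML explanation at the end of
#    the article refers to; check the CLI reference for your release.
config vpn ssl settings
    set encrypt-and-store-password enable
    config authentication-rule
        edit 1
            set groups "AD-SSLVPN-Users"
            set portal "web-access"
        next
    end
end

# 3. Contrast: mapping a SAML-authenticated group (config user saml, then a
#    user group with that SAML server as member) to the same portal with a
#    second authentication-rule entry produces a working SSL VPN login but
#    a bookmark whose SSO silently fails. The IdP never hands FortiGate a
#    password, so encrypt-and-store-password has nothing to store and the
#    'sslvpn-login' credential is empty. This is the case the article
#    explains below; no configuration change on the portal fixes it.
```

When testing, log in with an AD user through the web portal, open the bookmark and confirm that the application does not prompt again; then repeat with a SAML user to see the prompt return, which confirms the failure is the missing password rather than a portal setting.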
Explanation of why a predefined Single Sign-On bookmark does not work with SAML login:
When SAML is used for SSL VPN login, FortiGate never receives the user's password: authentication happens on the IdP, and the password stays there. The 'encrypt-and-store-password enable' setting therefore has no effect, because there is no password for FortiGate to encrypt and store.
As a result, SAML users cannot use predefined Single Sign-On bookmarks (sso-credential sslvpn-login) in FortiGate SSL VPN web mode.
In addition, the SAML session cookie, which is specific to the IdP and is what keeps the SAML session alive, is not accessible to the SSO bookmark in this implementation, and the login response issued by the IdP cannot be reused for other services. |
Copyright 2026 Fortinet, Inc. All Rights Reserved.