ihaidar
Staff
Article Id 412190
Description This article describes an issue where a FortiClient VPN using SAML authentication fails to connect when the lockdown grace period for endpoints is set to zero.
In this case, FortiClient remains stuck on 'connecting'.
Scope FortiSASE, FortiGate.
Solution

SAML logs show successful authentication followed by an immediate logout.

 

The lockdown grace period for endpoints was set to zero seconds. This caused FortiClient to fail during the transition phase, as the endpoint did not have sufficient time to complete SAML authentication.
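To check how many users show this symptom, the login-then-logout pattern can be searched for in exported authentication events. The following is an added example, not Fortinet code: the three-column event format, the event names `saml_login_success` and `logout`, and the 5-second window are assumptions, and the sample events are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample events (NOT the FortiSASE log format): time,user,event
SAMPLE_EVENTS = """\
2025-01-10T09:00:01,alice@example.com,saml_login_success
2025-01-10T09:00:02,alice@example.com,logout
2025-01-10T09:05:00,bob@example.com,saml_login_success
2025-01-10T17:30:00,bob@example.com,logout
2025-01-10T09:10:00,carol@example.com,saml_login_success
2025-01-10T09:10:01,carol@example.com,logout
2025-01-10T09:12:00,carol@example.com,saml_login_success
2025-01-10T09:12:00,carol@example.com,logout
"""

def find_immediate_logouts(text, window_seconds=5):
    """Return (user, login_time, gap_seconds) for each SAML success that is
    followed by a logout of the same user within window_seconds."""
    window = timedelta(seconds=window_seconds)
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 3:
            continue  # skip blank or malformed lines
        try:
            ts = datetime.fromisoformat(rec[0].strip())
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        rows.append((ts, rec[1].strip().lower(), rec[2].strip()))
    rows.sort(key=lambda r: r[0])  # stable sort keeps file order for equal times
    pending = {}  # user -> time of the last unmatched login success
    hits = []
    for ts, user, event in rows:
        if event == "saml_login_success":
            pending[user] = ts
        elif event == "logout" and user in pending:
            login = pending.pop(user)
            gap = ts - login
            if gap <= window:
                hits.append((user, login.isoformat(), gap.total_seconds()))
    return hits

if __name__ == "__main__":
    for user, login_time, gap in find_immediate_logouts(SAMPLE_EVENTS):
        print(f"{user}: SAML success at {login_time}, logout {gap:.0f}s later")
```

Users who appear repeatedly in the output are candidates for checking the grace period in their endpoint profile.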

 

Fix:


Update the lockdown grace period to 120 seconds. This value provides enough time for the authentication process to complete successfully. After applying this configuration, VPN connections using SAML authentication were established successfully.

As shown in the screenshot below, go to Endpoint profile -> select the profile name -> select 'Connection' and change the Grace period value from zero to 120 seconds.

 

KB2.png