New Contributor

Configure forticlient SAML to utilize Primary Refresh Token

Hey Guys,


We are using FortiClient with SAML connected to Azure AD.

SAML login works OK, but further Conditional Access we try to assign is not working as expected.

Azure support is sure the issue is related to the FortiClient app:


"after a thorough investigation we believe that the SAML application is not utilizing the Primary Refresh Token. So we wanted to ask if there is a way to reach out to the application side's support and check if there is a way for the PRT to be utilized via some sort of re-configuration"



Thanks for posting your query.

Can you please elaborate: are you referring to access here for users based on groups or any other attributes?

I mean, like only specific users should get specific access once successfully authenticated via SAML.

Kindly share the SAML configuration from the firewall and make sure the attributes you have configured in the Azure IdP are the same in the FGT as well.

Also confirm if you are giving access based on the group object ID.

Refer to the below document FYR if it helps.

New Contributor



SAML configured and working as expected based on allowed groups.


The issue is after the connection is established - the Azure app doesn't recognize the laptop as an Azure compliant device.

As Azure Support claims - they say the FortiClient app doesn't utilize the Primary Refresh Token.


