Netadmin-Japfa
New Contributor III

Failed on FortiClientVPN with SSO/SAML + MFA using O365 on Android

Hi,

 

I was advised by technical support, based on ticket ID 7990064, to look for the answer here, because I am using the FortiClient free version, which doesn't come with technical support.

 

I was implementing FortiClient VPN (free) with SSO/SAML + MFA using O365 Azure on Windows/iOS/Android clients, connecting to a FortiGate-501E running FortiOS version 7.0.9, build0444 (GA), and it works very well.

 

The issue on the Android client has been happening since both Android 13 and the FortiClient VPN app v7.0.xx were released.

 

When the FortiClient VPN app on Android tries to connect, it automatically redirects the Chrome browser to the O365 Azure login page. The authentication and MFA approval process works fine, but it gets stuck in the browser displaying "This site can't be reached...127.0.0.1 refused to connect" and never loads the FortiClient VPN app.

(Chrome screenshot attached.)

Troubleshooting steps taken: updating the Chrome app, changing the default browser to Firefox, and downgrading the FortiClient VPN app from v7.0.9 to v7.0.3 did not solve the issue.

 

Please advise, and thanks in advance!

markd-bit
New Contributor II

Hi, did you ever get this resolved? We are also facing the same issue, only on Android devices. Running FortiOS 7.0.12 and FortiClient 7.2.0.0101 on Android. I thought it was something to do with the SAML redirect.

 

set saml-redirect-port 8020

Netadmin-Japfa
New Contributor III

Hi, we still didn't get it resolved, but since Microsoft has been enforcing number matching in Microsoft Authenticator push notifications for MFA, somehow FortiClient on some Android 13 devices is working, although the redirect page still shows the error "This site can't be reached...127.0.0.1 refused to connect". Just skip the error page and reload the FortiClient app.


waverider
New Contributor

I have the same problem on Android with JumpCloud SAML2 authentication configured with two-factor authentication.

 

It's disappointing to pay tens of thousands of euros for all that hardware for our multiple locations and get a downgrade in features compared to the free OpenVPN server, and then get pointed to the paid VPN client.

 

Authentication works on iOS, but not Android 13.

 

Authentication is configured with JumpCloud SAML2 and 2FA. It works on desktop and on the same Android device from the Chrome browser, but not from FortiClient VPN ver. 7.2.0.0101.

 

After I fill in the password, I get to the 2FA screen.

 

2FA fails with the same error for both options:

(a) JumpCloud Android push app for 2FA

(b) manual input of the 6-character TOTP

 

See settings and error attached.

 

(Settings and error screenshots attached.)

dbhavsar
Staff

Hello @Netadmin-Japfa,

Does it work when you disable MFA? If yes, try disabling hardware acceleration using the following commands:
config system global
    set sslvpn-kxp-hardware-acceleration disable
    set sslvpn-cipher-hardware-acceleration disable
end

DNB
Netadmin-Japfa
New Contributor III

Hi @dbhavsar ,

We followed your instructions, but it didn't solve the issue; some brands with Android version 13 (Xiaomi, Redmi, Oppo, Samsung S10 and others) are still having the issue.

For example, I am using a Galaxy S22 Ultra; the FortiClient VPN + Azure MFA connection works fine after receiving a patch update, but the error below is still shown.

 

(Screenshot attached.)

markd-bit
New Contributor II

Hi, I had a ticket open with Fortinet about this, and it was suggested to do the following:

 

In the FortiGate SSL VPN settings, redirection to an external browser is disabled by setting saml-redirect-port to 0.

 

I've not had time to test this but will be doing so shortly.

 

set saml-redirect-port 0

Netadmin-Japfa

Hi @markd-bit ,

I've checked on my FortiGate running FortiOS v7.0.12; in "config vpn ssl settings" there is no "set saml-redirect-port 0".

 

But I've tested 2 configurations:
- "set saml-redirect-port 8020": with this change the iOS VPN client cannot connect; on Android 13 clients it solved the error page in the browser "This site can't be reached...127.0.0.1 refused to connect" (127.0.0.1:8020), but some Android 13 devices still cannot connect.
- "set saml-redirect-port 0": no change.

Thanks anyway...

Scarlet_Spider

Hi,

The problem is that the FortiClient VPN app does not keep running in the background when you switch focus to another app, like the external browser or Google Authenticator (for 2FA purposes).
And so 127.0.0.1:8020 (the port on which the app waits for the return) no longer exists, and then the error occurs.
Even in the recent apps list, FortiClient VPN disappears and it is not possible to return to it.
Why not show it in the recent apps list?
A simple solution for this is letting the FortiClient VPN app run as a service, so 127.0.0.1:8020 will always be there!

 

cbrizzell
New Contributor

Based on the information in this thread already, I was able to get it to work.

In the FortiClient VPN settings, tap the hamburger menu, then Android Settings.
Under Advanced, look for Display over other apps (or something similar) and tap to enable/allow it.

Once that's set, the application will remain available while the authentication does its thing and returns from the SSO provider.
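
As an added illustration (not code from this thread, from Fortinet, or from the FortiClient app), the following Python script models the loopback callback mechanism Scarlet_Spider describes and the failure mode that cbrizzell's fix avoids. The VPN client binds a listener on 127.0.0.1, the browser is sent back to that loopback URL after the IdP login, and if the client process has been killed in the meantime the redirect hits a closed port and fails with "connection refused", which is exactly what Chrome reports. Two assumptions are specific to the example: the port is chosen by the OS rather than fixed at 8020, so the script runs alongside anything else, and the callback path /saml/callback?example_token=abc123 is a constructed stand-in for a real SAMLResponse.

```python
"""
Added example: a minimal loopback callback listener of the kind a VPN client
uses for an external-browser SAML login, plus the "connection refused" failure
seen when the client process is gone before the browser is redirected back.
Not FortiClient code; port and callback parameters are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


class CallbackHandler(BaseHTTPRequestHandler):
    """Accept the IdP redirect, record its query parameters, reply 200."""

    def do_GET(self):
        self.server.received = parse_qs(urlparse(self.path).query)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Login received, you can return to the VPN client.\n")

    def log_message(self, *args):  # keep the example quiet
        pass


class CallbackListener:
    """Bind a loopback port (0 = OS picks a free one) and serve in a thread."""

    def __init__(self, port=0):
        self.server = HTTPServer(("127.0.0.1", port), CallbackHandler)
        self.server.received = None
        self.port = self.server.server_address[1]
        self._thread = threading.Thread(target=self.server.serve_forever, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        """Models the OS killing the client: the port stops being listened on."""
        self.server.shutdown()
        self.server.server_close()
        self._thread.join()

    def received_params(self):
        return self.server.received


def browser_redirect(port, path):
    """Play the browser's role: follow the IdP redirect to the loopback URL.
    Returns (status, body); raises ConnectionRefusedError if nothing listens."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=2)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def demo():
    """Run both scenarios and return what each produced."""
    # Constructed callback; a real IdP would carry a SAMLResponse instead.
    callback = "/saml/callback?example_token=abc123"

    # Scenario 1: client still alive, the redirect is received and parsed.
    listener = CallbackListener().start()
    port = listener.port
    status, _ = browser_redirect(port, callback)
    params_while_alive = listener.received_params()
    listener.stop()

    # Scenario 2: client killed before the redirect arrives -> refused.
    try:
        browser_redirect(port, callback)
        refused_after_stop = False
    except ConnectionRefusedError:
        refused_after_stop = True

    return {
        "status_while_alive": status,
        "params_while_alive": params_while_alive,
        "refused_after_stop": refused_after_stop,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints a 200 status and the parsed parameters for the first scenario and a refusal for the second; keeping the app alive (as a service, or by allowing it to display over other apps so Android does not evict it) is what keeps the listener bound for the second scenario to succeed.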
