Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AntoineCOSTA
New Contributor

Created on ‎04-04-2023 02:18 AM

FortiClient 7.0.8.0427 SAML authentication not Cached

Hi, with the new Forticlient version SAML authentication is no longer cached.

Before the update, we were in 7.0.7.0345 and after the first SAML authentication, the data was cached and the user did not have to reauthenticate several times

during the day.

We erase cookies when the machine is shut down.

 

Is it possible to re-enable this feature?

Or is it possible to download a complete last version (7.0.7.0345)?

Labels:
7641
15 REPLIES 15
maxs
New Contributor II

Created on ‎04-06-2023 03:23 AM

It was a bug in 707 that was fixed in 708. If you want caching. then switch to using external browser for SAML auth.

5587
0 Kudos
pfournier
New Contributor II

Created on ‎05-31-2023 08:06 AM

So is this not being fixed? We had been using this for the last few years with zero issues, but now its a pain unless external browser is enabled. 

 

The SSO popup gives you an option to keep me signed in, but it doesn't actually work. 

5052
0 Kudos
mhberglund
New Contributor II

Created on ‎06-29-2023 08:29 AM

We are also experiencing the same issue with FortiClient VPN 7.0.8.0427

The "Stay Signed in" feature offered by Azure Active Directory authentication is ignored and users have to reauthenticate each time they login to FortiClient VPN.

Still working with version 7.0.7.0345.

 

We have not got the "Use external browser as user-agent for saml user authentication" to work with either 7.0.7.0345 or 7.0.8.0427.

 

I have also contacted Microsoft support as I initially thought it was an issue with Azure Active Directory authentication. They are analysing the HTTPS traffic to also assist in the troubleshooting steps. Will report back if the issue can be resolved.

Mikael Berglund, 76BITS
Mikael Berglund, 76BITS
4693
0 Kudos
pminarik
Staff
Staff

Created on ‎06-29-2023 11:21 AM

The behaviour has changed over time.

 

6.4 branch: cookie(s) never cached

7.0.0~7.0.7: cookie(s) always cached

This would never keep everyone happy, so starting from 7.0.8 the behaviour was changed to follow the state of the "save password" option. If it is checked, the SAML IdP cookie is cached and reused during the next login (assuming that it is still valid by that time).

 

https://docs.fortinet.com/document/forticlient/7.0.8/windows-release-notes/22791/resolved-issues

744544 - "FortiClient (Windows) always saves SAML credentials."

The title/description doesn't explicitly call out the new behaviour, so you will have to trust me on that. If you're observing behaviour that is different, you should report it to TAC as a (most likely) bug.

[ corrections always welcome ]
4673
mhberglund
New Contributor II
In response to pminarik

Created on ‎06-30-2023 06:23 AM

Hi @pminarik 

Thank you for the reply and clarification of the default behaviour of the different versions of FortiClient VPN.

When you mentioned "save password" option, did you mean the 3rd party Single Sign On service offering an option to save the password? I do not see this as an option explicitly in the FortiClient VPN app.

Mikael Berglund, 76BITS
Mikael Berglund, 76BITS
4637
0 Kudos
pminarik
Staff
Staff
In response to mhberglund

Created on ‎06-30-2023 06:59 AM

I meant the "Save Password" checkbox in FortiClient, as shown for example here: https://docs.fortinet.com/document/forticlient/7.2.1/administration-guide/437773/save-password-auto-...

 

However, now that I think about it, I suspect that this may be one of the features that are only available in EMS-managed clients, not in the free version.

 

If you're using the "external browser" option to handle SAML through your regular browser, then the caching of credentials/cookies would be fully in control of the browser itself.

[ corrections always welcome ]
4627
mhberglund
New Contributor II
In response to pminarik

Created on ‎06-30-2023 11:29 PM

I have done some testing on "Use external browser as user-agent for saml user authentication".

The credentials do get cached but the FortiClient fails to connect, error message "Credential or SSLVPN configuration is wrong. (-7200)"

 

20230701_FortiClient.png

Mikael Berglund, 76BITS
Mikael Berglund, 76BITS
4613
0 Kudos
mhberglund
New Contributor II
In response to mhberglund

Created on ‎07-06-2023 01:34 AM

@pminarik  would you know where to start troubleshooting the 7200 error message?

Mikael Berglund, 76BITS
Mikael Berglund, 76BITS
4482
0 Kudos
pminarik
Staff
Staff
In response to mhberglund

Created on ‎07-17-2023 12:51 AM

sslvpn debug is always a good place to start.

 

diag debug console timestamp enable

diag debug app saml -1
diag debug app sslvpn -1

diag debug enable

=>reproduce issue now

diag debug disable

diag debug reset

[ corrections always welcome ]
4277
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.