Following latest upgrade of Forticlient VPN X64 for Windows, Saml authentication are not stored anymore.
I began to observe this behavior on version 7.0.8 (was not the case before) and a nice post was explaining that ticking "do not modify internal browser cookies" will keep the authentication enable and remember the username.
We are using Okta.
But unfortunately, this does not work anymore on Forticlient 7.2.2.0864. even if the option is ticked.
I'm looking forward for a solution so the remember me feature will work. I just wonder why it keeps breaking at each update and this time no solution proposed.
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello itservices3,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Thank you, can wait for a new version if needed. I've packaged the latest 7.0.9 version that does not have this issue for now but would have been nice to be able to deploy the 7.2.2 with latest security fixes.
Hello,
FortiClient's SSL VPN behavior was changed starting with version 7.0.8, it will no longer cache SAML credentials.
New behavior, when 'Remember Password' is unchecked, cookies associated with SAML are deleted.
Make sure that the 'Show "Remember Password" Option' is available and enabled under Advanced Settings of the VPN tunnel.
Docs.
=====================================================================
Home FortiClient 7.0.8 (Windows) Release Notes - Resolved issues
https://docs.fortinet.com/document/forticlient/7.0.8/windows-release-notes/22791/resolved-issues
FortiClient 7.0.9 EMS Administration Guide - SSL VPN
https://docs.fortinet.com/document/forticlient/7.0.9/ems-administration-guide/29925/ssl-vpn
FortiClient 7.0.9 Administration Guide - SAML support for SSL VPN
https://docs.fortinet.com/document/forticlient/7.0.9/administration-guide/402514/saml-support-for-ss...
Additionally;
Tag <dont_modify_cookies> means "Do Not Modify Internal Browser Cookies".
By default, the tag value is 0, it represents as un-selected on the FCT settings page. and it only applies to using an internal browser when saml-login. So it should be;
<system>
<ui>
...
<dont_modify_cookies>1</dont_modify_cookies>
</ui>
</system>
For more details, please check:
Thanks & Regards
Created on 10-27-2023 03:18 AM Edited on 10-27-2023 03:20 AM
Hello,
Yes i did understand this, and I do not face the issue on version 7.0.8 or 7.0.9 after ticking "do not modify internal browser cookies".
the login name is kept of I hit remember credentials for next connection which is good.
It will also log me in directly within 15mn windows frame without asking me for MFA.
However on version 7.2.2, despite ticking the same option and remembering the credentials, no username are kept once I'm disconnected and attempt to reconnect.
this only occurs with version 7.2.2 so I presume an issue with with particular version.
Thanks
PS : Please note that we do not have the option to remember the password as we do not use EMS. However we do need to store and remember the username to avoid having to retype it as every connection. which works perfectly fine on 7.0.8/7.0.9 and not anymore on 7.2.2
Hi,
I also noticed the same behaviour for our system. We do not encountered this before and only for 7.2.2 version.
Same issue here, still unresolved.
Hello,
Please test the issue with the latest build FortiClient 7.0.10. The behavior is changed with 7.0.10.
Besides,
Please ensure the following items 1 and 2 have the correct configuration.
1. Save-password should be enabled in the FortiGate SSLVPN web portal. Please take full access for example as below:
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set web-mode enable
set limit-user-logins enable
set auto-connect enable
set keep-alive enable
set save-password enable
end
In the meantime, please also make sure
2. Go to EMS -> Remote Access, choose the tunnel, edit, Advanced Settings -> Show "Remember Password" Option -> ON.
If the switch is enabled, then FCT GUI should display a save-password checkbox for the tunnel, otherwise it's disabled.
Thanks & Regards
Fatih Seyligli
Created on 12-12-2023 12:13 AM Edited on 12-12-2023 12:31 AM
Sadly, this issue also occurs with the new 7.0.10 Build 0538 version.
sso connection is not cached anymore and username does not remain. it has to be re-entered at each new connection which is extremely painful.
the option "do not modify internal browser cookies" is already ticked but that does not change anything. (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_UI)dont_modify_cookies=1
We are not using EMS, but simply the vpn client via SSO using OKTA. The issue did not occurr with version 7.0.9 Build 0493 (this is the latest version you can use to keep your username and sso cache authentication).
will this be sorted in the future ?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1666 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.