Following latest upgrade of Forticlient VPN X64 for Windows, Saml authentication are not stored anymore.
I began to observe this behavior on version 7.0.8 (was not the case before) and a nice post was explaining that ticking "do not modify internal browser cookies" will keep the authentication enable and remember the username.
We are using Okta.
But unfortunately, this does not work anymore on Forticlient 7.2.2.0864. even if the option is ticked.
I'm looking forward for a solution so the remember me feature will work. I just wonder why it keeps breaking at each update and this time no solution proposed.
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey itservices,
this should already be fixed in 7.2.2, but as I understand it, the setting (Remember password) in FortiClient needs to be pushed via EMS or via manual edit of the XML config file.
I have NOT been able to test this, but some digging turned up this registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\<tunnel>]
"show_remember_password"=dword:00000001
This make an option 'Remember Password' visible (the same as Fatih referred to), and enabling it should save both username and password for SAML authentication.
Thank you but I don't believe that you understood the issue or what we are trying to achieve here.
Since version 7.2.2 and version 7.0.10 Forticlient VPN (without EMS) does not store anymore saml cache and username.
In previous versions, 7.0.8 or 7.0.9, you were able to initiate a saml connection with Okta or any other provider. when you connect to your connection, a pop up would appear asking you to enter your username and password and offer you the possibility to remember the username (Not the password). when you hit the remember box and apply by registry the settings "do to modify internal browser settings" you can connect to vpn correctly. if you disconnect and try reconnect within 15mn, the vpn will keep the saml settings and will not ask anymore for username/password and mfa.
After 15mn, when you attempt to reconnect with Okta, a pop up will come with your previous username already filled and you simply have to enter the password to get your MFA and connection successful.
Since 7.0.10 and 7.2.2 version, the remember me does not work anymore at all. it won't store the saml connection within the 15mn timerange and it will never keep the username. basically the remember me option is simply not working in these new versions. i'm pretty sure many other users are not using EMS and are facing the same issue but it seems Fortinet refuses to acknowledge the issue.
Created on 12-12-2023 03:14 AM Edited on 12-12-2023 03:31 AM
Hey itservices,
to quote from a developer (this is from Bug ID 947313, "SAML username is not saved after upgrade to 7.0.9"):
>>Could you please confirm in forticlient version 7.0.10 & 7.2.2 there is no way to save only username for SAML authentication. With 'save password' option we can save both username & credentials.
Hi [...],
Yes, that is the current implementation.
The 'save password' option, as Fatih mentioned above, can be made visible via EMS (and probably via the registry key I found), and then needs to be toggled on in the VPN settings for FortiClient to store the credentials again. Default behavior was changed: in earlier firmware versions, the setting was enabled by default, but this is no longer the case, to my understanding.
EDIT:
- the FortiClient has two remember options: 'Remember Username' and 'Remember Password'
-> 'Remember Username' worked for SAML incorrectly; it should not have worked for SAML authentication
-> 'Remember Password' should store username AND password for SAML connections
I hope this clarifies my earlier comment!
So we can't save the username at all anymore? Saving the password is an absolute no go for us. It just does not make sense to do that. Since SAML uses their office 365 usernames its quite a pain to have users need to type this in every single time they want to connect, especially if they have any wifi issues and get disconnected.
This needs to be changed back to the way it was in 7.0.9. Otherwise it's going to be quite the headache to explain this to users. The decision may end up being to stick with 7.0.9, which is not a good idea either.
Is the only solution here to use an external browser for authentication? What a pain.
You are at least having better luck than us. We are also an Okta shop and use it for idp for Forticlient vpn. We can not get the newer versions to work. They pass Okta but the firewall vpn won't connect.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1666 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.