mkuhn79
New Contributor

FortiClient & SSO with Windows Hello for Business

Hey guys

we are looking for a VPN solution for our Azure AD joined notebooks. We have configured Hello for Business and log in with Face-ID or PIN. Is the FortiClient able to connect the VPN with SAML and without user interaction (user tunnel)?

We would have a Conditional Access Policy in AAD to make sure that only compliant devices and MFA are allowed to use SAML.

Thanks for your help on this.

Best regards

Marc

1 Solution
Markus_M
Staff

Hi Marc,

I don't think FortiClient knows about Windows Hello. SAML will additionally need a password to use, it won't be able to use whatever keystore Windows Hello stores its stuff against (nothing should be able to read that).

Best regards,

Markus

mkuhn79
New Contributor

Hi Markus

we also tested the Netmotion Mobility Client, which is able to accomplish this. Login with SAML to AAD with Hello for Business with zero user action required. So we were looking for that for the FortiClient.

But thanks for your help.

Best regards

Marc

skylarsmsith
New Contributor

Are you sure a VPN is the best solution? It seems to me that you need to consult with professionals who can advise you on more secure methods of logging into Windows.

fnoel
New Contributor

Hello,

I prefer to use this already existing topic instead of opening a new one.

Much like @mkuhn79 we are setting up Windows Hello for Business for all our users. We already use FortiClient to connect via SSL VPN, but using an LDAP connection (asking once again for the user password).

We now plan to make them use 2FA (via Windows Hello for Business mainly) to connect to the VPN. SAML configuration works with my test users, but I can only connect to my Azure account using password + 2FA (SMS or authenticator). I don't understand why the Windows Hello for Business option is not even shown. I tried to use SAML for SSO on other apps, and it works just fine with Windows Hello for Business.

Is there something missing in the Fortinet configuration I could have missed?

Pardon my English, thanks in advance for any answer.

Regards,

Florian
