Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FortiGate SSL VPN with Azure AD SAML/SSO MFA configuration


i currently set up a test group for SAML login via Azure AD over SSL VPN.

So the problem is, when i use "Use external browser for login" i am immediatly connecting to the tunnel without any further authentication. I guess thats because my browser is remembering my microsoft session almost forever. And when i use the default setup (login window in FortiClient) it is always asking for username, password and MFA.

The question is: How can i configure MFA login in the SSL VPN application only asking for Authenticator confirmation oder any other 2nd factor without asking for username and password because username and password is already confirmed with the windows login on the endpoint.

I also tried several conditional access configurations but nothing seems to fit to really improve users quality of life while keeping security on a high level.

Any suggestions here? Whats the way to go?


Hi @yunnun


I don't think it is possible to bypass the first factor authentication as the FortiClient will redirect the user to SAML authentication URL once users try to connect. 




Hi there,

I believe that SAML is not supported as of now for Window before logon feature so there is no way to by pass the username and password part.

For the caching issue, please refer to this document for more detail "