I have FortiAuthenticator 7.2.1.
It is set up with an LDAP server and using SAML as an IdP. When I go to the portal page to test my authentication, from the moment I enter my username/password and press Enter I only get 5 seconds to respond to my MFA prompt. Is there some way I can adjust this setting?
At least with FortiGate I set remoteauthtimeout in the system global settings.
Hey aguerriero,
I'm not entirely sure if I understand your setup from your description, but it sounds a bit as if you have the following setup:
- an unspecified service provider
- FortiAuthenticator acting as IdP, with backend authentication to LDAP
- a third-party MFA provider involved somewhere
FortiAuthenticator times out an authentication attempt after five seconds, correct?
This is not about FortiGate timing out?
If my understanding is correct, and the issue is with FortiAuthenticator timing out, then it's important to know how the third-party MFA provider is involved in the setup; is there some kind of chained RADIUS authentication in the backend for 2FA, or does the LDAP server independently trigger a push notification in some way, or what exactly? Is FortiAuthenticator involved in the 2FA exchange, or does it simply wait for a reply from LDAP and trigger a timeout after five seconds?
If the case is that FortiAuthenticator simply waits for a reply from LDAP and times out after five seconds, there is a simple timer under Authentication > Remote Auth. Servers > General. If FortiAuthenticator is involved in the 2FA exchange in some way, then it should usually know to wait for the second factor to complete (default timeout for second-factor is 30 seconds I think?); it would help to know what kind of MFA solution you have and how it is involved in your setup :)
Hello,
I'm assuming that your FGT is 7.2.1; what is the FAC software version?
Please review the following article:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-and-two-factor-expiry-timers...
BR
Can you confirm if FortiAuthenticator is acting as IdP here?
Yes, the FortiAuth is acting as the IdP and the FortiGate is acting as the SP.
This is the document I am using.
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/259754
FGT is 7.2.5
EMS and FortiClient are 7.2.1
FortiAuthenticator is 6.5.2.
FortiAuthenticator is the IdP, FortiGate is the SP.
The FortiAuthenticator has an LDAP connection to a Duo MFA proxy and the Duo proxy connects via LDAP to an MS domain controller.
If I disable the Duo push request by setting a user in bypass mode, LDAP works just fine and I can authenticate for my ZTNA access policies. If I enable the Duo push, I only have 5 seconds to open my Duo app and push the accept button. If I am fast enough it works just fine with the third-party MFA.
From the first screenshot I am opening a browser to the FortiAuth IdP direct login page. This is the link that is configured in the FortiAuth IdP general page. Since it is a browser connection directly to the FortiAuth, it rules out a timeout setting on the FortiGate, and since that Duo proxy also works for other devices it is not a timeout on the Duo/AD connection.
Thank you. The LDAP server response timeout was what I needed.
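The failure mode described in this thread (the IdP's LDAP bind to an MFA-gating proxy is abandoned before the user can approve the push) is easy to reproduce in a scaled-down simulation. The following is an added example, not code from the thread or from Fortinet/Duo: it uses a local socket pair and a thread standing in for the Duo proxy plus AD, and the message strings, delays and `required_response_timeout` helper are constructed for illustration.

```python
"""Model of a chained LDAP bind whose response is held until an MFA push is
approved, showing why the IdP's client-side response timeout must exceed the
approval window. Constructed simulation; no real LDAP or Duo traffic."""
import socket
import threading
import time


def _mfa_gated_responder(server_sock: socket.socket, push_delay: float) -> None:
    """Stand-in for the Duo proxy + AD: receive the bind request, wait
    push_delay seconds (the user tapping 'Approve'), then answer success."""
    server_sock.recv(1024)
    time.sleep(push_delay)
    try:
        server_sock.sendall(b"bindResponse:success")
    except OSError:
        pass  # the client (IdP) already gave up and closed its side
    server_sock.close()


def simulate_chained_bind(client_timeout: float, push_delay: float) -> str:
    """Return 'success' if the bind completes before the client timeout,
    'timeout' if the client abandons the attempt first (the thread's symptom)."""
    client_sock, server_sock = socket.socketpair()
    worker = threading.Thread(
        target=_mfa_gated_responder, args=(server_sock, push_delay), daemon=True)
    worker.start()
    client_sock.settimeout(client_timeout)  # the 'LDAP server response timeout'
    try:
        client_sock.sendall(b"bindRequest:user@example.test")  # constructed
        reply = client_sock.recv(1024)
        return "success" if reply == b"bindResponse:success" else "failure"
    except socket.timeout:
        return "timeout"
    finally:
        client_sock.close()
        worker.join(timeout=push_delay + 1)


def required_response_timeout(push_window: float, backend_latency: float = 1.0) -> float:
    """Smallest IdP-side response timeout that still accommodates a full
    push-approval window plus the proxy's own round trip to the directory."""
    return push_window + backend_latency


if __name__ == "__main__":
    # Scaled-down scenario: a 0.5 s timeout against a 1 s approval delay fails,
    # a timeout longer than the approval window succeeds with the same credentials.
    print(simulate_chained_bind(client_timeout=0.5, push_delay=1.0))  # timeout
    print(simulate_chained_bind(client_timeout=3.0, push_delay=1.0))  # success
```

Because the push is approved by a human, the effective timeout on the IdP side has to be sized to the MFA provider's approval window, not to the directory's normal response time.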