Forticlient - SAML Authentication - Pick an account option missing
I am using FortiClient 7.0.8.427 with Azure SAML for sign-in.
All works except for some users: when authenticating, they get the option to click on their email address in the In Browser window that appears.
For others, they have to always enter their email address.
Checked Credential Manager and cleared out the cache in MS Edge, the default browser, but no success.
Has anyone seen this?
Labels: Authentication, FortiClient EMS, SAML
Hi @Icebun,
Can you try to use an external browser for authentication? Please refer to this document for more information: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/364443/using-a-browser-as-an...
Regards,
Minh
Hi @Minh,
Thanks for the response.
I did see the option to use a browser as an external agent within EMS itself, which I presume stands a better chance of caching the email address part of the credentials. Is that right?
Looking at the information sent, this looks like it will need changes at the FortiGate FW as well?
Is that true? If so, how can I test this, as we have a large number of VPN users and I do not want to change the behaviour if I am not successful (as some users work fine and their email address caches OK)?
Is there no other way?
Hi @Icebun,
This option is configured on the client, not on the FortiGate. You can download the VPN-only version on a test machine and configure the VPN there instead of pushing it using EMS. Also, in the FortiClient settings there is an option called "do not modify internal browser cookies"; can you try that before using the external browser?
Regards,
Minh
Thanks @Minh
On my EMS-managed FortiClient, I am unable to tick the check box for the option "Do not modify internal browser cookies".
Are there settings within EMS Server Manager (or even the Registry) that control this option, please? I could not seem to find it, I am afraid.
Hi @Icebun,
You can modify this option in the EMS VPN profile: "<dont_modify_cookies>1</dont_modify_cookies>". However, this will be pushed to all users. Try to test it on a test machine with the free FortiClient version before pushing it from the EMS server.
@mle2802 sorry to be a pain.
Can I presume it will be in the XML code for the VPN profile as follows, by way of example:
    <?xml version="1.0" ?>
    <forticlient_configuration>
      <vpn>
        <enabled>1</enabled>
        <sslvpn>
          <options>
            <enabled>1</enabled>
            <dnscache_service_control>2</dnscache_service_control>
            <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
            <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
            <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
            <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
            <no_dns_registration>0</no_dns_registration>
            <dont_modify_cookies>1</dont_modify_cookies>
          </options>
          <!-- remaining sslvpn and vpn sections were not quoted in the post; closing tags added so the fragment is well-formed -->
        </sslvpn>
      </vpn>
    </forticlient_configuration>
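Since the profile is pushed to every EMS-managed client at once, it is worth checking the edited XML before it leaves the test machine: that the flag really sits under vpn/sslvpn/options, and that nothing else in the profile changed. The script below is an added example for that check; it is not FortiClient or EMS code. It assumes the element layout quoted in the post above (forticlient_configuration/vpn/sslvpn/options/<option>), and the sample profile it embeds is constructed from that fragment with the closing tags added and `dont_modify_cookies` deliberately left out.

```python
"""Set and verify dont_modify_cookies in an EMS VPN profile XML before pushing it.

Added example (not FortiClient/EMS code). Assumes the profile layout quoted in the
thread: forticlient_configuration/vpn/sslvpn/options/<option>.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed sample, modelled on the fragment quoted in the thread, with the
# closing tags added and dont_modify_cookies deliberately absent.
SAMPLE_PROFILE = """<?xml version="1.0" ?>
<forticlient_configuration>
  <vpn>
    <enabled>1</enabled>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <dnscache_service_control>2</dnscache_service_control>
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
        <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
        <no_dns_registration>0</no_dns_registration>
      </options>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""

OPTIONS_PATH = "./vpn/sslvpn/options"  # relative to the root element (assumed layout)
FLAG = "dont_modify_cookies"


def _options(root: ET.Element) -> ET.Element:
    opts = root.find(OPTIONS_PATH)
    if opts is None:
        raise ValueError(f"profile has no {OPTIONS_PATH} element")
    return opts


def read_options(xml_text: str) -> Dict[str, str]:
    """Return every <option>text</option> under sslvpn/options as a dict."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in _options(root)}


def get_flag(xml_text: str) -> Optional[str]:
    """Current value of dont_modify_cookies, or None if the profile lacks it."""
    return read_options(xml_text).get(FLAG)


def set_flag(xml_text: str, value: str = "1") -> str:
    """Return the profile with dont_modify_cookies set to value ('0' or '1').

    The element is created if missing, reusing the file's own indentation so the
    result diffs cleanly against the original.
    """
    if value not in ("0", "1"):
        raise ValueError("dont_modify_cookies must be '0' or '1'")
    root = ET.fromstring(xml_text)
    opts = _options(root)
    el = opts.find(FLAG)
    if el is None:
        children = list(opts)
        el = ET.SubElement(opts, FLAG)  # appended as the last child of <options>
        if children:
            # The old last child's tail holds the indentation before </options>;
            # hand it to the new element and give the old child the per-child
            # indentation, which ElementTree keeps in opts.text.
            el.tail = children[-1].tail
            children[-1].tail = opts.text
    el.text = value
    return '<?xml version="1.0" ?>\n' + ET.tostring(root, encoding="unicode")


def changed_options(before: str, after: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Options whose value differs between two profiles: the pre-push sanity check."""
    a, b = read_options(before), read_options(after)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    updated = set_flag(SAMPLE_PROFILE)
    print(updated)
    print("changed:", changed_options(SAMPLE_PROFILE, updated))
```

`changed_options` is the part to look at before pushing: the expected output for the sample is exactly one entry, `dont_modify_cookies: (None, '1')`; anything else listed means the edit touched more than intended.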
That is correct.
Hi @mle2802, this seems to have worked in my test environment.
One more thing. I do not suppose you know at what point the cookie will eventually expire, causing the user to re-authenticate with their credentials?
Hey Icebun, this depends entirely on Azure and your IdP settings there, I believe.
You might see the information in the metadata, as outlined here: https://learn.microsoft.com/en-us/answers/questions/1103098/azure-ad-b2c-custom-policy-saml-token-li...
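One concrete way to see what the IdP actually hands out is to read the validity window from a SAML assertion captured during a test sign-in. The script below is an added example, not code from this thread, FortiClient or Azure. It assumes a standard SAML 2.0 assertion (Conditions NotBefore/NotOnOrAfter and AuthnStatement SessionNotOnOrAfter), and the embedded assertion is constructed, with a zeroed placeholder tenant id in the issuer. These fields are the bounds the IdP asserts for the assertion and the authenticated session; whether the embedded browser keeps Azure's sign-in cookie for that long is governed by the Azure-side session settings the reply above refers to, which the assertion does not show.

```python
"""Read the validity window an IdP asserts in a SAML 2.0 assertion.

Added example, not FortiClient or Azure code. Assumes standard SAML 2.0 fields:
Conditions NotBefore/NotOnOrAfter and AuthnStatement SessionNotOnOrAfter.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; the issuer tenant id is a zeroed placeholder.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-sample"
    Version="2.0" IssueInstant="2024-01-15T09:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-15T08:55:00Z" NotOnOrAfter="2024-01-15T10:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-15T09:00:00Z"
      SessionNotOnOrAfter="2024-01-15T17:00:00Z"/>
</saml:Assertion>
"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC and end in 'Z'; fractional seconds are optional."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z, got {value!r}")
    body = value[:-1].split(".")[0]
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def _assertion(xml_text: str) -> ET.Element:
    """Accept either a bare Assertion or a Response that wraps one."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML_NS}}}Assertion":
        return root
    inner = root.find(".//saml:Assertion", NS)
    if inner is None:
        raise ValueError("no saml:Assertion found")
    return inner


def assertion_validity(xml_text: str) -> Dict[str, Optional[datetime]]:
    """Issue time and the assertion/session bounds the IdP stated."""
    a = _assertion(xml_text)
    cond = a.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        raise ValueError("assertion has no Conditions/NotOnOrAfter")
    authn = a.find("saml:AuthnStatement", NS)
    session = authn.get("SessionNotOnOrAfter") if authn is not None else None
    not_before = cond.attrib.get("NotBefore")
    return {
        "issued": parse_saml_time(a.attrib["IssueInstant"]),
        "not_before": parse_saml_time(not_before) if not_before else None,
        "not_on_or_after": parse_saml_time(cond.attrib["NotOnOrAfter"]),
        "session_not_on_or_after": parse_saml_time(session) if session else None,
    }


def is_valid_at(xml_text: str, now: datetime) -> bool:
    """SAML validity rule: NotBefore is inclusive, NotOnOrAfter is exclusive."""
    v = assertion_validity(xml_text)
    if v["not_before"] is not None and now < v["not_before"]:
        return False
    return now < v["not_on_or_after"]


def lifetimes_minutes(xml_text: str) -> Dict[str, Optional[float]]:
    """Minutes from issue to assertion expiry and to session expiry (if stated)."""
    v = assertion_validity(xml_text)
    session = v["session_not_on_or_after"]
    return {
        "assertion": (v["not_on_or_after"] - v["issued"]).total_seconds() / 60,
        "session": (session - v["issued"]).total_seconds() / 60 if session else None,
    }


if __name__ == "__main__":
    print(lifetimes_minutes(SAMPLE_ASSERTION))
    print(is_valid_at(SAMPLE_ASSERTION, datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)))
```

Point the script at the assertion from a test user's sign-in and compare `session` against the re-authentication interval users actually experience; a large gap between the two indicates the limit is being applied on the client or cookie side rather than by the IdP.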
