Icebun
New Contributor III

Forticlient - SAML Authentication - Pick an account option missing

I am using FortiClient 7.0.8.427 using Azure SAML for sign-in.

All works except for some users: when authenticating, they get the option to click on their email address from the In Browser window that appears.

For others, they have to always enter in their email address.

Has anyone seen this?

Checked Credential Manager and cleared out the cache in MS Edge, the default browser, but no success.

[Attachments: Enter email.png, Pick an account.png]

 


mle2802
Staff

Hi @Icebun,

Can you try using an external browser for authentication? Please refer to this document for more information: "https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/364443/using-a-browser-as-an...

Regards,
Minh

Icebun
New Contributor III

Hi @Minh 

Thanks for the response.

I did see the option to use a browser as an external agent within EMS itself, which I presume stands a better chance of caching the email address part of the credentials. Is that right?

Looking at the information sent, this looks like it will need changes at the Fortigate FW as well?

Is that true? If so, how can I test this, as we have a large number of VPN users and do not want to change the behaviour if I am not successful (as some users work fine and their email address caches OK)?

Is there no other way?

mle2802

Hi @Icebun,

This option is configured on the client, not on FortiGate. You can download the VPN-only version on a test machine and configure VPN there instead of pushing it using EMS. Also, in the FortiClient settings, there is an option called "Do not modify internal browser cookies"; can you try that before using the external browser?

Regards,
Minh

Icebun
New Contributor III

Thanks @Minh 

On my EMS-managed FortiClient, I am unable to tick the check box for the option "Do not modify internal browser cookies".

Are there settings within EMS Server Manager (or even the Registry) that control this option, please? I could not seem to find it, I am afraid.

mle2802

Hi @Icebun,
You can modify this option in the EMS VPN profile: "<dont_modify_cookies>1</dont_modify_cookies>". However, this will push to all users. Try to test it with a test machine and the free FortiClient version before pushing it from the EMS server.

Icebun
New Contributor III

@mle2802 sorry to be a pain.

Can I presume it will be in the XML code for the VPN profile as follows, by way of example:

<?xml version="1.0" ?>
<forticlient_configuration>
  <vpn>
    <enabled>1</enabled>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <dnscache_service_control>2</dnscache_service_control>
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
        <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
        <no_dns_registration>0</no_dns_registration>
        <dont_modify_cookies>1</dont_modify_cookies>
      </options>
    </sslvpn>
  </vpn>
</forticlient_configuration>

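Because the EMS profile change is pushed to every user at once, it is worth checking an exported profile for the option before importing it, and making the edit mechanically rather than by hand. The script below is an added example, not Fortinet's code or anything from the thread: it assumes the element sits at forticlient_configuration/vpn/sslvpn/options as in the snippet above and that the profile is handled as plain XML; the sample profile embedded in it is constructed for illustration, with the option deliberately absent.

```python
"""Read or set <dont_modify_cookies> in an exported FortiClient VPN profile.

Added example (not Fortinet's code). Assumption: the option lives under
forticlient_configuration/vpn/sslvpn/options, as in the thread's snippet.
"""
import xml.etree.ElementTree as ET

# Constructed sample profile mirroring the thread's snippet, without the option.
SAMPLE_PROFILE = """<?xml version="1.0" ?>
<forticlient_configuration>
  <vpn>
    <enabled>1</enabled>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <dnscache_service_control>2</dnscache_service_control>
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
        <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
        <no_dns_registration>0</no_dns_registration>
      </options>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""

OPTIONS_PATH = "vpn/sslvpn/options"   # relative to the root element (assumed layout)
OPTION = "dont_modify_cookies"


def _options_element(root: ET.Element) -> ET.Element:
    """Locate the <options> element, failing loudly if the layout is not as assumed."""
    options = root.find(OPTIONS_PATH)
    if options is None:
        raise ValueError(f"profile has no {OPTIONS_PATH} element; layout differs from the assumed one")
    return options


def get_dont_modify_cookies(xml_text: str):
    """Return the option's value ('0' or '1') as a string, or None if the element is absent."""
    options = _options_element(ET.fromstring(xml_text))
    node = options.find(OPTION)
    return None if node is None else (node.text or "").strip()


def set_dont_modify_cookies(xml_text: str, enabled: bool = True) -> str:
    """Return a copy of the profile with the option set, creating the element if it is missing.

    Other settings under <options> are left untouched, so the result can be
    diffed against the original before it is imported into EMS.
    """
    root = ET.fromstring(xml_text)
    options = _options_element(root)
    node = options.find(OPTION)
    if node is None:
        node = ET.SubElement(options, OPTION)
    node.text = "1" if enabled else "0"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", get_dont_modify_cookies(SAMPLE_PROFILE))   # None: option not set
    updated = set_dont_modify_cookies(SAMPLE_PROFILE, enabled=True)
    print("after: ", get_dont_modify_cookies(updated))          # "1"
```

Run it against a profile exported from a test client first: the `get` call tells you whether the option is already present (and how it is set) before you push anything, and the `set` call produces the edited XML to import into a profile assigned only to a test machine, in line with the advice in the thread to verify on a standalone client before rolling out from EMS.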
mle2802

That is correct.

Icebun
New Contributor III

Hi @mle2802 this seems to have worked on my test environment.

One more thing. I do not suppose you know at what point the cookie will eventually expire causing the user to re-authenticate with their credentials?

Debbie_FTNT

Hey Icebun - this depends entirely on Azure and your IdP settings there, I believe.

You might see the information in the metadata, as outlined here: https://learn.microsoft.com/en-us/answers/questions/1103098/azure-ad-b2c-custom-policy-saml-token-li...

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++