Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Icebun
New Contributor III

Forticlient - SAML Authentication - Pick an account option missing

I am using Fortclient 7.0.8.427 using Azure SAML for sign-in.

 

All works except for some users, when authenicating, they get the option to click on thier email address from the In Browser window that appears.

 

For others, the have to always enter in their email address.

 

Has anyone seen this?

 

Checked Credential Manager and cleared out the cache in MS Egde the default browser but no success.

 

Has anyone seen this?

Enter email.pngPick an account.png

 

1 Solution
mle2802

Hi @Icebun,
You can modify this option on EMS VPN profile "<dont_modify_cookies>1</dont_modify_cookies>". However, this will push for all users. Try to test it with test machine and free FortiClient version before pushing from EMS server.

View solution in original post

9 REPLIES 9
mle2802
Staff
Staff

Hi @Icebun,

Can you try to use external browser for authentication. Please refer to this document for more information "https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/364443/using-a-browser-as-an...

Regards,
Minh

Icebun
New Contributor III

Hi @Minh 

Thanks for the response.

I did see the option to use a browser as an external agent within EMS itself, which I presume stands a better chance of caching the email address part of the credentials. Is that right?

Looking at the information sent, this looks like it will need changes at the Fortigate FW as well?

Is that true? If so, how can I test this as we have a large number of VPN users and do not want to change the behaviour if I am not successful (as some users works fine and there email address caches ok).

Is there no other way?

mle2802

Hi @Icebun,

This option is configured on Client not on FortiGate. You can download VPN only version on test machine and configure VPN instead of pushing using EMS. Also, in FortiClient setting, there is an option call "do not modify internal browser cookies", can you try that before using external browser?

Regards,
Minh

Icebun
New Contributor III

Thanks @Minh 

On my EMS managed Forticlient, I am unable to place a check box on the option "Do not modify internal browser cookies".

Are there settings within EMS Server Manager (or even the Registry) that controls this option please? I could not seem to find it I am afraid.

mle2802

Hi @Icebun,
You can modify this option on EMS VPN profile "<dont_modify_cookies>1</dont_modify_cookies>". However, this will push for all users. Try to test it with test machine and free FortiClient version before pushing from EMS server.

Icebun
New Contributor III

@mle2802 sorry to be a pain.

Can I presume it will be in the XML code for the VPN profile as follows by way of example:

 

<?xml version="1.0" ?>
<forticlient_configuration>
<vpn>
<enabled>1</enabled>
<sslvpn>
<options>
<enabled>1</enabled>
<dnscache_service_control>2</dnscache_service_control>
<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<preferred_dtls_tunnel>0</preferred_dtls_tunnel>
<no_dns_registration>0</no_dns_registration>

<dont_modify_cookies>1</dont_modify_cookies>
</options>

mle2802

that is correct

Icebun
New Contributor III

Hi @mle2802 this seems to have worked on my test environment.

One more thing. I do not suppose you know at what point the cookie will eventually expire causing the user to re-authenticate with their credentials?

Debbie_FTNT

Hey Icebun - this depends entirely on Azure and your IdP settings there, I believe.

You might see the information in the metadata, as outlined here: https://learn.microsoft.com/en-us/answers/questions/1103098/azure-ad-b2c-custom-policy-saml-token-li...

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Top Kudoed Authors