Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

SAML Azure configuration for FortiClient authentication

Using FortiClient 7.0.8

Fortinet OS 7.2.7


Our company using FortiClient for client VPN on Windows devices. The current configuration offloads VPN authentication to internal Active Directory Domain Controllers. Our users enter their domain username and password into FortiClient, credentials are passed to Fortinet firewall; firewall then authenticates credentials against DCs and tunnel connection is established.

The client devices are hybrid AD joined.

1) Is it possible to modify the configuration so that FortiClient authenticates user credentials against Azure AD using SAML instead.

2.a) Does FortiClient provide an ‘embedded browser redirect’ UX in this proposed configuration? – or does it ‘break out’ into one of the main OS browsers (Edge, Chrome) to facilitate the sign in?

2.b) If the UX is ‘embedded browser redirect’ rather than Edge – should we expect to see issues and complications with Conditional Access ‘Require AD hybrid joined’ and ‘Require device marked as compliant’ grants?  We have seen these issues arise where other client applications use, for example, WebView2 or similar under-the-hood.

3) Under the existing configuration the ‘Enable VPN before Logon’ option is enabled. This is sometimes used for troubleshooting. The credentials for establishing the VPN can be entered at the Windows login screen (so, VPN login is directly integrated to the Windows desktop interactive login). Will the new proposed configuration hinder (or require disabling) this functionality?


Community Manager
Community Manager


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Anthony-Fortinet Community Team.

Hi @regular_fortiuser_uk,


1. You need to configure SAML on FortiGate first. Please refer to

 2. FortiClient has embedded browser and there is an option to use external browser for SAML authentication:


3. Not sure if ‘Enable VPN before Logon’ supports SAML authentication. I suggested opening a ticket to check with the FortiClient team. 



Top Kudoed Authors