sam_shannon_dialog
New Contributor

SAML Login Support for FortiSSLVPNclient

G'Day,

 

I've been using FortiSSLVPNclient for years now to facilitate my Remote Desktop Manager controlling my VPN for me via CLI to ensure I'm connected to the correct VPN for the desktop I'm connecting to.

 

The external vendor in charge of the VPNs is switching to use SAML logins for the VPNs though, and while I can configure and test that method in the GUI version of FortiClient successfully, I haven't found a way to use it with FortiSSLVPNclient.

 

Is it possible to trigger a SAML based login via FortiSSLVPNclient?
Or if not, is there another tool/exe that can be invoked via CLI that can use SAML to establish a VPN connection?

 

I'm using FortiSSLVPNclient 7.2.1.0779, but it's bafflingly difficult to obtain the tool exes so I'm hoping the problem is that there's a flag I'm missing and not that I need to update/replace it.

 


Also as a less critical but still relevant aside, is it possible to configure the SAML popup window on the VPN side to behave in a password-manager-compatible way, and:

a) Not change every second (eg: countdown) so the manager knows it's the same one as a second ago and can keep typing

b) Have a consistent title and not randomly switch to something else so the manager can recognise it as a FortiClient SAML popup

c) Have the window title be specific to the VPN connection so the manager can recognise which VPN account it should use

Or is this behaviour baked into the client?
(I ask to determine whether I can request these changes of my VPN vendor)

 

I appreciate your consideration.

Anthony_E
Community Manager

Hello Sam,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Debbie_FTNT
Staff

Hey sam_shannon_dialog,

regarding the first question (sslvpnclient.exe and SAML), I'm not sure if it will ever support SAML, but at present it doesn't. I will see if I can find some internal documentation on plans and/or alternatives, but I'm not very hopeful.

 

Regarding your second question, proper FortiClient and SAML:

- SAML is a browser-based authentication mechanism

- FortiClient doesn't choose anything when presenting the SAML login page

-> it launches an internal or external browser window, and that browser window displays the SAML login page of the SAML login provider

-> FortiClient has no bearing on the layout or title of this window

- regarding the countdown, this is baked into FortiClient and cannot be disabled to my knowledge

- you could set FortiClient to launch an external browser window instead of using its internal one, that could maybe help

 

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
sam_shannon_dialog

Hi Debbie,

Thanks for the response!


I look forward to finding out whether SAML-Auth'd VPN can be used via CLI with a new or existing tool.
Even having the main FortiClient exe respond to "connect to saved connection via name" and "disconnect current connection" CLI arguments, like how the context menu for the system tray works, would be great.


RE: 

- FortiClient doesn't choose anything when presenting the SAML login page

-> it launches an internal or external browser window, and that browser window displays the SAML login page of the SAML login provider

-> FortiClient has no bearing on the layout or title of this window

- regarding the countdown, this is baked into FortiClient and cannot be disabled to my knowledge


If FortiClient doesn't choose anything and has no bearing on the title of the SAML window, how can it display a countdown in the window title? Surely if it displays a countdown it can display connection details like the name or gateway?


RE:

- you could set FortiClient to launch an external browser window instead of using its internal one, that could maybe help

I don't see an option to have FortiClient launch an external browser window, but it might be helpful to try it, where could I find that setting?

Never mind, turns out I'm still back on FortiClient v6

 

Cheers,
Sam.

sam_shannon_dialog

Hi Debbie,

Thanks for suggesting the external browser feature. I have had my FC install updated to the latest version and tested with it enabled.

This works much better and has resolved all of the issues I had with the Internal Browser, though it has raised its own issues which I have posted separately (https://community.fortinet.com/t5/Support-Forum/FortiClient-SAML-External-Browser-Behaviour-Feedback...).

 

I still look forward to hearing your response around triggering connect/disconnect for SAML-configured connections via the command line.

 

Cheers.
