New Contributor II

SAML external browser



Since FortiOS 7.0.1, bug 715100 is resolved and should allow the use of an external browser to perform SAML authentication instead of the FortiClient embedded login window.

The release note states:

Allow FortiClient to use a browser as an external user agent to perform SAML authentication for SSL VPN tunnel mode. In prior versions, SAML authentication must be performed within the FortiClient embedded login window. A new setting is added to configure the SAML redirection port upon successful SAML authentication:

    config vpn ssl settings
        set saml-redirect-port <port>
    end


Does anyone have a clue how setting an alternate SAML redirect port on the FortiGate side will instruct FortiClient to open the default browser on the client?

I tried to force another port instead of the default 8020 but FortiClient still uses the default embedded login window.


I'd like to use an external browser so it will know how to interact with a WebAuthn device.





Pretty sure this needs FCT 7.0.1 as a prerequisite and the relevant setting for the connection enabled. From my testing so far with FCT 7.0.1 and FGT 6.4.6, that combo will not work either.


FYI - EMS doesn't have this client setting in the UI from what I've found but you can add:




into the top level for the SSL VPN connection to enable it for that connection (needs the advanced view toggled to show the XML tab in the profile).

New Contributor II

Thanks for your feedback.

We are using the VPN-only version of FortiClient.

Not sure I can edit the XML by hand.

New Contributor II

@Adrian: it's working fine with the free version of FortiClient starting with 7.0.1.

I was misled, as I upgraded FortiClient along with FortiOS 7.0.1 but FCT was still 7.0.0 back then.
