Support Forum
Akmostafa
New Contributor III

SAML session timeout

Hello team.

I am testing using FAC as SAML IdP; currently my test is running on administrator access to FortiGate.


The "Login session timeout" setting under SAML IdP > General is kept at the default 480 mins.


However, each time I hit the FortiGate IP and am redirected to the FAC login, I am presented with the login screen to enter my credentials.


Does the admin session timeout on FortiGate affect the SAML request being sent to FAC and enforce a different timeout other than the "login session timeout" configured on FAC?

Otherwise, how can this behavior be tweaked so that the user can access the resource for a longer time without being prompted to log in every 5 mins?


Thank you.

Ahmed

ebilcari
Staff

As explained here: https://docs.fortinet.com/document/fortiauthenticator/6.5.1/administration-guide/817031/saml-idp

Two possibilities:

  • The user's browser already has valid SAML assertions, so it sends them to the SP's web server (FGT). The web server (FGT) uses them to grant or deny access to the service. SAML authentication stops here.
  • The user's browser doesn't have valid SAML assertions, so the SP's web server (FGT) redirects the browser to the SAML IdP (FAC).

If you change browser or log off the user, these assertions are destroyed. As long as you get redirected to FAC, it means that the browser doesn't have valid assertions anymore.


Maybe the admin session timeout of the FGT is treated as a log off for SAML. In my lab I have this profile applied:

config system accprofile
    edit "prof_admin"
        set admintimeout-override disable
end

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
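To make the two-session reasoning in the reply concrete, here is an added example (not code from the original thread or from Fortinet): a constructed Python model of a FortiGate SP admin session governed by admintimeout next to a FortiAuthenticator IdP session governed by "Login session timeout". The flag sp_logout_ends_idp is an assumption that models the reply's hypothesis that an FGT admin timeout is treated as a SAML log off; all minute values are assumptions.

```python
"""Constructed model of SP (FGT admin) and IdP (FAC) SAML sessions.

Not Fortinet code. Times are minutes; a browser "access" hits the FGT,
which either serves the request, redirects to FAC and gets single sign-on,
or redirects to FAC and gets the credential prompt.
"""
from dataclasses import dataclass

NEVER = -1  # sentinel: no session has ever been established


@dataclass
class SamlSessions:
    sp_idle_timeout: int        # FGT admintimeout (default 5, per the question)
    idp_lifetime: int           # FAC "Login session timeout" (default 480)
    sp_logout_ends_idp: bool    # assumption: SP timeout also destroys IdP session
    sp_expires_at: int = NEVER
    idp_expires_at: int = NEVER

    def access(self, t: int) -> str:
        # Live SP admin session: no SAML exchange happens at all.
        if self.sp_expires_at > t:
            self.sp_expires_at = t + self.sp_idle_timeout  # idle timer restarts
            return "served"
        # SP session idle-timed out (or never existed): SP redirects to IdP.
        if self.sp_expires_at != NEVER and self.sp_logout_ends_idp:
            # Modelled hypothesis: FGT timeout acts as a log off, so the
            # browser's assertions toward FAC are gone too.
            self.idp_expires_at = NEVER
        if self.idp_expires_at > t:
            # FAC still holds a session: assertion issued without a prompt.
            self.sp_expires_at = t + self.sp_idle_timeout
            return "redirect-sso"
        # No valid IdP session: user sees the FAC login page.
        self.idp_expires_at = t + self.idp_lifetime
        self.sp_expires_at = t + self.sp_idle_timeout
        return "redirect-login"


def simulate(accesses, sp_idle_timeout=5, idp_lifetime=480,
             sp_logout_ends_idp=False):
    """Return the outcome of each browser access at the given minutes."""
    s = SamlSessions(sp_idle_timeout, idp_lifetime, sp_logout_ends_idp)
    return [s.access(t) for t in accesses]


if __name__ == "__main__":
    # Constructed timeline: prompt only once if FAC keeps its session...
    print(simulate([0, 3, 10, 20]))
    # ...but every SP timeout re-prompts if it is treated as a log off.
    print(simulate([0, 3, 10, 20], sp_logout_ends_idp=True))
```

The second run reproduces the "prompted every 5 mins" symptom from the question even though the FAC timeout is 480 mins, which is why the reply points at the FGT admin timeout rather than the IdP setting.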