Icebun
New Contributor III

SSL VPN Azure SAML Authentication behaviour

Environment

Fortigate 6.2.4

EMS 6.2.4

Forticlient 6.2.4

When signing in with SAML, user sees O365 dialog for email address, followed by Password and then MFA prompt.

The prompt reoccurs every time the VPN needs to be established.

Is it correct that you need to run Fortigate/EMS on at least V7.0 to get the user-agent option to work so the following gets picked up (rather than having to keep typing in the email address)?

Forticlient 7.0.2 (Free version)

When signing in with SAML, user sees O365 dialog for email address, followed by Password and then MFA prompt.

Beyond that point the user is not prompted for their credentials when reconnecting the VPN.

Does anyone know how long the credentials are cached and where they are actually stored in case you need to clear them down?

Anonymous
Not applicable

Hello Icebun,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Fortinet Community Team

jie
Staff

Hi Icebun,

This feature has been improved from Forticlient version 6.4; you can try with 6.4.6 and see the different behaviour.

JieZ
seshuganesh
Staff

Hi Team,

We need to check the Azure settings.

This is the purpose of using SAML SSO. So the first time you connect and do the authentication, a session will be established in the IdP (Azure) and accordingly the session ID will be saved in the cookie of FortiClient. As long as the cookie is valid (not sure about Azure settings, but could be around 8 hours), Azure will issue the assertion without triggering the authentication.
In older versions of FortiClient, support of cookies for FortiClient had not been fully implemented and as a result, every time the users wanted to connect to VPN, they had to put in the credentials again.
The only way you can force re-authentication for each connection attempt is to remove the cookie of FortiClient manually (I believe you need to remove it from the temp folder in Windows).

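As an added illustration of the point above that the IdP session, not the VPN client, decides how long authentication stays cached (example code, not from this thread or from Fortinet): the snippet parses a SAML response and reports the assertion's NotOnOrAfter and the optional SessionNotOnOrAfter bound, which are the fields to inspect when asking how long a session remains valid. The response XML, tenant ID, audience URL and timestamps are constructed sample values; an IdP that omits SessionNotOnOrAfter is handled by reporting that the assertion states no session bound.

```python
# Added example (not from the thread or from Fortinet): inspect the lifetime
# fields of a SAML assertion to see how long an IdP session stays valid.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; tenant ID, audience and times are illustrative.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2022-04-22T14:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-04-22T14:00:00Z">
    <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2022-04-22T13:55:00Z" NotOnOrAfter="2022-04-22T15:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vpn.example.com/remote/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2022-04-22T14:00:00Z" SessionIndex="_s1"
        SessionNotOnOrAfter="2022-04-22T22:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2022-04-22T15:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_lifetimes(response_xml):
    """Return subject, audience, assertion expiry and (optional) IdP session expiry."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    # SessionNotOnOrAfter is optional; without it the assertion does not bound the IdP session.
    session_end = authn.get("SessionNotOnOrAfter") if authn is not None else None
    return {
        "subject": assertion.find("saml:Subject/saml:NameID", NS).text,
        "audience": cond.find("saml:AudienceRestriction/saml:Audience", NS).text,
        "assertion_valid_until": parse_ts(cond.get("NotOnOrAfter")),
        "session_valid_until": parse_ts(session_end) if session_end else None,
    }

def session_hours_remaining(response_xml, now):
    """Hours until the stated IdP session bound; None when the assertion gives none."""
    until = assertion_lifetimes(response_xml)["session_valid_until"]
    if until is None:
        return None
    return max((until - now).total_seconds() / 3600, 0.0)
```

Forcing fresh authentication on every connection is an IdP-side setting or a removed client cookie, as the reply above says; the assertion only tells you how long the issued session was meant to last.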
Icebun
New Contributor III

Thanks for all the responses, I am pursuing an option to upgrade to 7.x EMS so I think this might help resolve some of the issues.

Icebun
New Contributor III

I have now upgraded to EMS 7.0.4 and can now deploy EMS Forticlient 7.0.5.

When signing in with SAML, I can see that I do not need to sign in again with my O365 credentials whilst the cached cookie maintains the credential details.

Does anyone know if it is possible to pre-capture the email address so the user only needs to enter the password?