Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Icebun
New Contributor III

SSL VPN Azure SAML Authentication behaviour

Environment

Fortigate 6.2.4

EMS 6.2.4

 

Forticlient 6.2.4

When signing in with SAML, user sees O365 dialog for email address, followed by Password and then  MFA prompt.

The prompt reoccurs every time the VPN needs to be established.

Is it correct that you need to run Fortigate/EMS on at least V7.0 to get the user-agent option to work so the following gets picked up (rather having to keep typing in the email address?

Icebun_0-1650640372680.png

 

 

Forticlient 7.0.2 (Free version)

When signing in with SAML, user sees O365 dialog for email address, followed by Password and then MFA prompt.

Beyond that point the user is not prompted for their credentials when reconnecting the VPN.

Does anyone know how long the credentials are cached and where they are actually stored in case you need to clear them down?

 

 

5 REPLIES 5
Anonymous
Not applicable

Hello Icebun, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

 Fortinet Community Team 

jie
Staff
Staff

Hi Icebun, 

 

This feature has been improved from Forticlient version 6.4, you can try with 6.4.6 and see the different behaviour. 

 

 

JieZ
seshuganesh
Staff
Staff

Hi Team,

 

we need to check in azure settings.

This is the purpose of using SAML SSO. So the first time you connect and do the authentication, a session will be established in idP (Azure) and accordingly the session ID will be saved in the cookie of FortiClient. As long as the cookie is valid (not sure about Azure settings, but could be around 8 hours), Azure will issue the assertion without triggering the authentication.
In older versions of FortiClient, support of cookie for FortiClient had not been fully implemented and as a result, every time the users wanted to connect to VPN, they had to put in the credentials again.
The only way you can force re-authentication for each connection attempt is to remove the cookie of FortiClient manually (i believe you need to remove from temp folder in windows)

 

 

Icebun
New Contributor III

Thanks for all the responses, I am pursuing an option to upgrade to 7.x EMS so I think this might help resolve some of the issues.

 

 

Icebun
New Contributor III

I have now upgraded to EMS 7.0.4 and can now deploy EMS Forticlient 7.0.5.

 

When signing in with SAML, I can see that I do not need sign in again with my O365 credentials whilst the cached cookie maintains the credentials details.

 

Does anyone know if it is possible to pre-capture the email address so the user only needs to enter in the password?

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors