Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
perklit
New Contributor II

Created on ‎04-21-2023 01:14 AM

SSL VPN - Azure conditional access - sign-in frequency ignored - forticlient 7.0.8.0427

We are using Forticlient SAML login with Azure AD.

When logging in, the users enters mail address, password and MFA, and it all works.

However, we have setup the conditional access with a 'Sign-in frequency' of 7 days, but the user is prompted for login every time.

We set it up using the client v7.0.7, and it worked perfectly, but after v7.0.8 we get prompted every time. 

If we change the tunnel settings to 'Use External Browser as User-agent for SAML Login', a browser tab is opened and then it works - only the first time the user is prompted for login. Any consecutive logins is done automatic (this is not ideal to use permanently as it looks weird with the open browser tab).

So to sum up, is seems that from v7.0.7 to 7.0.8 the Forticlient built in prompt doesn't save your credentials.

 

Any suggestions, 

Thanks in advance, Per.

Labels:
1437
9 REPLIES 9
pfournier
New Contributor II

Created on ‎04-21-2023 06:41 AM

Having the same issue here, its asking for credentials every single time. 

1409
0 Kudos
dips
New Contributor

Created on ‎04-21-2023 07:16 AM

Same here, encountering the exact same issue. 

1400
0 Kudos
perklit
New Contributor II

Created on ‎04-26-2023 02:02 AM

Info: response from Fortinet. It's a known bug (BUGID 0835436). I will update when I know more.

1291
Arxada_Corp
New Contributor

Created on ‎06-30-2023 04:54 PM

Any updates on this from Fortinet?

795
0 Kudos
perklit
New Contributor II

Created on ‎07-02-2023 11:09 PM

No update from Fortinet. They can't (or won't) say when they might be looking at it, whether it will be in a patch release, or if it might be resolved in v7.2.

So a bit disappointing...

738
0 Kudos
rockhead006
New Contributor

Created on ‎07-10-2023 01:40 AM

This was recommended by Fortinet Support for me, and it seemed to have worked:

 

In the Remote Access VPN profile:

Enable the "Show Remember Password" checkbox.

 

In the System profile,

Please, try setting the tag in the XML profile config to '1' and retest.

<system>

<ui>

...

<dont_modify_cookies>1</dont_modify_cookies>

</ui>

693
pfournier
New Contributor II
In response to rockhead006

Created on ‎07-11-2023 05:31 AM

Just to clarify this will store the password permanently though, not cache recent credentials? I want it to prompt again if its not used for say a week or so, I don't want their password stored permanently. 

655
0 Kudos
rockhead006
New Contributor
In response to pfournier

Created on ‎07-11-2023 06:00 AM

It depends on your Azure settings for reauthentication/session timeout (it may be under the Conditional Access policies). We have it set to timeout authentication after 1 hour. So if we disconnect and reconnect a VPN after 1 hour it will prompt for MFA again.

650
0 Kudos
perklit
New Contributor II

Created on ‎07-11-2023 02:46 AM

I can confirm, that the solution described by rockhead006 seems to work for us as well.

Still strange then though, that when reported to Fortinet they responded that it was a known bug, and that they haven't returned to me with this 'workaround'. Oh well... 

666
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.