I have recently successfully set up our SSL-VPN with AzureAD SSO including MFA (conditional access).
Users are able to go through the process, sign in successfully and gain access, but there is a desire to extend the Azure MFA sign in window timeout process/prompts. By default, it appears there is a 30sec timer countdown set somewhere and it starts counting down in the sign-in window title bar as soon as the Azure window pops.
After doing some reading around these forums, on the FortiGate itself, I doubled the default timers for the 5 x "config sys global > set two-factor-xxxx" options but, as expected, no change. I also upped the "config sys global > set remoteauthtimeout" to 10sec instead of the default 5.
    set remoteauthtimeout 10
    set switch-controller enable
    set timezone 71
    set two-factor-email-expiry 120
    set two-factor-fac-expiry 120
    set two-factor-ftk-expiry 120
    set two-factor-ftm-expiry 120
    set two-factor-sms-expiry 120
I have loosely looked through Azure and can't find much. We aren't using any on-prem or server NPS.
Where is this time being controlled from? Is there a way to extend this timer to more than 30sec? And if so, where/how?
Please let me know if there is a requirement for specific versions and or set up to provide a better picture of my scenario.
- The main relevant timeout on FortiGate would be the remoteauthtimeout
-> that's how long the FortiGate will keep an SSLVPN authentication attempt active while waiting for a response from a remote server like SAML/LDAP/RADIUS
-> if this is too short, you would see issues with VPN not establishing after the SAML authentication - 'ERR_EMPTY_RESPONSE', or some HTTP errors, are quite common
-> increasing the remoteauthtimeout can help in those instances
If you have an issue with the MFA code/response not being accepted a certain time after you provide the user credentials, that's probably more on Azure side - Azure checks the credentials and MFA component, and would have related timers set somewhere (no idea where though), while FortiGate simply waits for the result of the authentication; FortiGate would not even be aware that there is an MFA component, as the entire authentication side is handled by Azure.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++