Hello Guys,
Can anyone explain to me the function behind the SAML auth timer in FortiClient? I have tested a little bit, but for me it is not possible to understand why this thing does this.
Short explanation:
I have tested a little bit with the conf sys global => remoteauthtimeout parameter. Here I changed the default value of 60 to 120. My expectation of how FortiClient will act is that the SAML auth timer will show 120 secs. for the authentication, but it shows 240 seconds.
Can anybody explain to me why the auth time is multiplied by 2?
Thanks!
Hello @ClaimFtN ,
I think 240sec is related to your SAML IdP. Can you send us a screenshot of where you see 240 seconds?
The point you set is how long FortiGate will keep the authentication session open. Before making this change, did the time appear as 120 seconds on FortiClient?
Hello @ozkanaltas,
I have the screenshots of both cases. Here I have set the remoteauth timeout to 120 seconds and the client shows 240 seconds:
Here I have set the remoteauth timeout to 60 seconds and the client shows 120 seconds:
For me it is not understandable why the whole thing is multiplied by 2; if it is an IdP thing, the time should always be the same, I guess.
Best Regards!
The built-in browser window that pops up in FortiClient indeed has a timeout within which you need to finish authenticating with your SAML IdP.
Note that the value has been changing between versions. At some point it was set to double the "remoteauthtimeout" on FortiGate (this value is sent to FortiClient during initial stages), but I believe that in the newest versions it should be hardcoded to 300s.
I use FortiClient version 7.2.3 and the gate is on FOS 7.2.7. It seems that in the new firmwares it actually isn't hardcoded or something.
Created on 05-22-2024 07:39 AM Edited on 05-22-2024 07:39 AM
I've double-checked, and the hard-coded 300s is introduced only in 7.2.4 (FortiClient version, specifically).
Before that (7.2.3), it's 2 x remoteauthtimeout.
Hi @ClaimFtN,
Can you check the login timeout by running this command "show full vpn ssl setting | grep login-timeout"?
Regards,
Hi,
The login-timeout is the default and is actually set to 180 seconds.