Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ClaimFtN
New Contributor

SSL-VPN SAML Timer

Hello Guys, 

 

can anyone explain to me the function behinde the SAML auth timer in the forticlient, i have tested a little bit but for me it is not possible to understand why this thing does this. 

 

Short explanation: 

I have tested a little bit with the conf sys global => remoteauthtimeout parameter here i changed the default value of 60 to 120 my expectation how the forticlient will act is that the saml auth timer will show 120 secs. for the authentication but it shows 240 seconds. 

 

Can anybody explain to me why the authtime is mulitplyed by 2 ? 

 

Thanks! 

7 REPLIES 7
ozkanaltas
Valued Contributor III

Hello @ClaimFtN ,

 

I think 240sec is related to your SAML IdP. Can you send us a screenshot of where you see 240 seconds?  

 

The point you set is how long FortiGate will keep the authentication session open. Before making this change, did the time appear as 120 seconds on FortiClient?

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
ClaimFtN

Hello @ozkanaltas

 

i have the screenshots of both cases, here i have set the remoteauth timeout to 120 seconds and the client shows 240 seconds: 

Client_2.png

 

Gate_2png.png

Here i have set the remoteauth timeout to 60 seconds and the client shows 120 seconds:

Client.png

 

Gate.png

 

For me it is not understandable why the whole thing is multiplied by 2, in case it is an IDP thing the time should be always the same i guess. 

 

Best Regards!

pminarik
Staff
Staff

The builtin browser window that pops up in FortiClient indeed has a timeout within which you need to finish authenticating with your SAML IdP.

Note that the value has been changing between versions, at some point it was set to double the "remoteauthtimeout" on FortiGate (this value is sent to FortiClient during initial stages), but I believe that in newest versions it should be hardcoded to 300s.

[ corrections always welcome ]
ClaimFtN

I use forticlient in the version 7.2.3 and the gate is on fos 7.2.7 it seems that actually in the new firmwares it isnt hardcoded or something. 

 

pminarik

I've double-checked, and the hard-coded 300s is introduced only in 7.2.4 (FortiClient version, specifically).
Before that (7.2.3), it's 2 x remoteauthtimeout.

[ corrections always welcome ]
hbac
Staff
Staff

Hi @ClaimFtN,

 

Can you check the login timeout by running this command "show full vpn ssl setting | grep login-timeout"?

 

Regards, 

ClaimFtN
New Contributor

Hi, 

the login-timeout is the default and actually set to 180 seconds

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors