SSL-VPN SAML Timer
Hello Guys,
Can anyone explain to me the function behind the SAML auth timer in FortiClient? I have tested a little bit, but for me it is not possible to understand why it does this.
Short explanation:
I have tested a little bit with the conf sys global => remoteauthtimeout parameter. Here I changed the default value of 60 to 120. My expectation of how FortiClient would act was that the SAML auth timer would show 120 secs for the authentication, but it shows 240 seconds.
Can anybody explain to me why the auth time is multiplied by 2?
Thanks!
Labels: FortiClient
Hello @ClaimFtN ,
I think 240 seconds is related to your SAML IdP. Can you send us a screenshot of where you see 240 seconds?
The point you set is how long FortiGate will keep the authentication session open. Before making this change, did the time appear as 120 seconds on FortiClient?
NSE 4-5-6-7 OT Sec - ENT FW
Hello @ozkanaltas,
I have the screenshots of both cases. Here I have set the remoteauthtimeout to 120 seconds and the client shows 240 seconds:
Here I have set the remoteauthtimeout to 60 seconds and the client shows 120 seconds:
For me it is not understandable why the whole thing is multiplied by 2; in case it is an IdP thing, the time should always be the same, I guess.
Best Regards!
The built-in browser window that pops up in FortiClient indeed has a timeout within which you need to finish authenticating with your SAML IdP.
Note that the value has been changing between versions, at some point it was set to double the "remoteauthtimeout" on FortiGate (this value is sent to FortiClient during initial stages), but I believe that in newest versions it should be hardcoded to 300s.
I use FortiClient version 7.2.3 and the gate is on FOS 7.2.7; it seems that actually in the new firmwares it isn't hardcoded or something.
Created on ‎05-22-2024 07:39 AM Edited on ‎05-22-2024 07:39 AM
I've double-checked, and the hard-coded 300s is introduced only in 7.2.4 (FortiClient version, specifically).
Before that (7.2.3), it's 2 x remoteauthtimeout.
Hi @ClaimFtN,
Can you check the login timeout by running this command "show full vpn ssl setting | grep login-timeout"?
Regards,
Hi,
The login-timeout is the default and is actually set to 180 seconds.
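A small check that ties the two answers above together (the 2 x remoteauthtimeout rule for FortiClient up to 7.2.3 versus the fixed 300 s from 7.2.4, and the login-timeout value asked about). This is an added example, not code from Fortinet or from anyone in the thread; the CLI output it parses is a constructed sample in the shape of `show full-configuration` output, and the version boundary is taken as stated in the thread.

```python
import re

# Constructed sample CLI output (not captured from a real device), in the form
# "show full-configuration system global" and
# "show full vpn ssl setting | grep login-timeout" print the relevant lines.
FGT_GLOBAL = """config system global
    set remoteauthtimeout 120
end
"""
FGT_SSL = """    set login-timeout 180
"""

def cli_value(output, key):
    """Return the integer value of a 'set <key> <n>' line in FortiGate CLI output, or None."""
    m = re.search(rf"^\s*set {re.escape(key)} (\d+)\s*$", output, re.M)
    return int(m.group(1)) if m else None

def parse_version(version):
    """'7.2.3' -> (7, 2, 3), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))

def saml_popup_timeout(forticlient_version, remoteauthtimeout):
    """Expected timeout of the FortiClient SAML browser window, as described in the thread:
    FortiClient 7.2.4 and later use a hard-coded 300 s; earlier versions use 2 x remoteauthtimeout."""
    if parse_version(forticlient_version) >= (7, 2, 4):
        return 300
    return 2 * remoteauthtimeout

def report(forticlient_version, global_output, ssl_output):
    """Summarise the FortiGate timers and the SAML window a given FortiClient version should show."""
    remoteauthtimeout = cli_value(global_output, "remoteauthtimeout")
    if remoteauthtimeout is None:
        remoteauthtimeout = 60  # FortiOS default mentioned in the question
    return {
        "forticlient": forticlient_version,
        "remoteauthtimeout": remoteauthtimeout,
        "login-timeout": cli_value(ssl_output, "login-timeout"),
        "saml_popup_timeout": saml_popup_timeout(forticlient_version, remoteauthtimeout),
    }

if __name__ == "__main__":
    for version in ("7.2.3", "7.2.4"):
        print(report(version, FGT_GLOBAL, FGT_SSL))
```

With the sample values this prints 240 s for FortiClient 7.2.3 (matching the screenshots described above) and 300 s for 7.2.4.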
