Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ClaimFtN
New Contributor

Created on ‎05-22-2024 06:24 AM

SSL-VPN SAML Timer

Hello Guys, 

 

can anyone explain to me the function behinde the SAML auth timer in the forticlient, i have tested a little bit but for me it is not possible to understand why this thing does this. 

 

Short explanation: 

I have tested a little bit with the conf sys global => remoteauthtimeout parameter here i changed the default value of 60 to 120 my expectation how the forticlient will act is that the saml auth timer will show 120 secs. for the authentication but it shows 240 seconds. 

 

Can anybody explain to me why the authtime is mulitplyed by 2 ? 

 

Thanks! 

Labels:
453
0 Kudos
7 REPLIES 7
ozkanaltas
Valued Contributor II

Created on ‎05-22-2024 06:40 AM

Hello @ClaimFtN ,

 

I think 240sec is related to your SAML IdP. Can you send us a screenshot of where you see 240 seconds?  

 

The point you set is how long FortiGate will keep the authentication session open. Before making this change, did the time appear as 120 seconds on FortiClient?

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
443
0 Kudos
ClaimFtN
New Contributor
In response to ozkanaltas

Created on ‎05-22-2024 06:51 AM

Hello @ozkanaltas

 

i have the screenshots of both cases, here i have set the remoteauth timeout to 120 seconds and the client shows 240 seconds: 

Client_2.png

 

Gate_2png.png

Here i have set the remoteauth timeout to 60 seconds and the client shows 120 seconds:

Client.png

 

Gate.png

 

For me it is not understandable why the whole thing is multiplied by 2, in case it is an IDP thing the time should be always the same i guess. 

 

Best Regards!

434
0 Kudos
pminarik
Staff
Staff

Created on ‎05-22-2024 06:51 AM

The builtin browser window that pops up in FortiClient indeed has a timeout within which you need to finish authenticating with your SAML IdP.

Note that the value has been changing between versions, at some point it was set to double the "remoteauthtimeout" on FortiGate (this value is sent to FortiClient during initial stages), but I believe that in newest versions it should be hardcoded to 300s.

[ corrections always welcome ]
437
0 Kudos
ClaimFtN
New Contributor
In response to pminarik

Created on ‎05-22-2024 06:59 AM

I use forticlient in the version 7.2.3 and the gate is on fos 7.2.7 it seems that actually in the new firmwares it isnt hardcoded or something. 

 

419
0 Kudos
pminarik
Staff
Staff
In response to ClaimFtN

Created on ‎05-22-2024 07:39 AM Edited on ‎05-22-2024 07:39 AM

I've double-checked, and the hard-coded 300s is introduced only in 7.2.4 (FortiClient version, specifically).
Before that (7.2.3), it's 2 x remoteauthtimeout.

[ corrections always welcome ]
353
0 Kudos
hbac
Staff
Staff

Created on ‎05-22-2024 06:53 AM

Hi @ClaimFtN,

 

Can you check the login timeout by running this command "show full vpn ssl setting | grep login-timeout"?

 

Regards, 

429
0 Kudos
ClaimFtN
New Contributor
In response to hbac

Created on ‎05-22-2024 06:55 AM

Hi, 

the login-timeout is the default and actually set to 180 seconds

425
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.