jespera
New Contributor II

iOS FortiClientVPN SSO/SAML displaying blank page

Hi

I have an issue I hope someone here can assist me with!

 

My customer uses FortiClientVPN on +40 Windows clients, using SSO/SAML to connect to a FortiGate 1500D through O365 Azure - and it works flawlessly. 1500D firmware is v6.4.7,build1911,210825 (GA).

 

The customer has a number of Apple iPads, where I have been trying to get the FortiClient VPN app to work. But when connecting, the logon page to O365 is just blank; it never loads the webpage. The settings are exactly the same as the Windows clients. I have tried with iOS devices that run version 15.2.1 and 12.5.5. The result is also the same if I use a trial for the "FortiClient" paid app.

 

I thought maybe it's a browser issue, so I tried changing the default browser on the iOS devices to both Chrome and Firefox, but nothing changed. I'm not sure if the FortiVPN app even registers the change.

 

See the screenshot below showing what I mean with the "blank page".

 

Please advise - and thanks in advance! :)

 

jespera_0-1644397505640.jpeg

 

Belshire
New Contributor

I think we figured it out, at least for our situation. This particular user was using the instructions given for the Windows client. For the Windows client, you can include the port in the HOST URL line, so something like: https://hostname.domain.com:8443 (we use a different port than the default). The Windows client figures out that you're supplying the port and it knows what to do with it. The iOS client does NOT, so it wasn't working correctly. Once we stripped it off the URL and entered it into the PORT field it worked for us. I hope this helps.

 

I didn't notice this because I was trying to troubleshoot over the phone. Once we could see it in person it all fell into place.

jespera
New Contributor II

Hi Belshire

I see your point. But we use default port 443; the link we use is like this: https://vpn.hosting.com:443/customername, because it's used for lots of customers.

I tried writing it without the port number in the host field anyway, but it didn't make a difference.

 

Thanks for the suggestion though. 

Debbie_FTNT
Staff

Hey guys,

what FortiGate versions are you using?

First feedback from the developers is to try FortiOS 7.0.1 or higher, as that allows FortiClient iOS to utilize SafariView, which might help with the issue.

If you are not on FortiGate version 7.0.1 or higher, can you upgrade if possible?

If you are on that version or higher, can you let me know (and also let me know what FortiGate version you are on exactly)?

Many thanks!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
jespera
New Contributor II

Hi Debbie

Firmware is v6.4.7,build1911,210825 (GA) on a 1500D. 

I'm afraid I don't have the right permissions to update it to 7.xx, and the people responsible say it probably will be +12 months before they do.

 

I have a different FortiGate 60E with fw version 7.0.5 though. I'm going to test with that one instead later, but it's going to take some time before I have the time and capacity to set it up and test. Will report back when I have tried it out.

Debbie_FTNT

Hey jespera,

thanks for letting me know, I look forward to hearing back from you :)

mjester

We are having the same issue as jespera. It looks like it only occurs if you use realms. We are on a 600D and have many users trying to use SAML via iOS unsuccessfully. We thought that the FortiClient 7.0.3 would fix this, but it does not. We also noticed in the 6.4.9 firmware that BUG ID 695386 should fix SAML login failure for users who belong to multiple groups associated with multiple VPN realms. However, we are still facing the same issue.

 

Unfortunately, we cannot upgrade our 600D to the 7.0.X firmware, so I'm not sure where that leaves us. Getting the FortiClient team to update the software for this fix has been frustrating.

Kangming

Hi Jespera,

Any update for v7.0.6?

Thanks

Thanks

Kangming

somejoe

Unfortunately, this still does not work with the 7.0.6 client. I still get a blank page. Oddly enough, when running the iPadOS version on an M1 MacBook it does work, just not on an iPad (or iPhone).

 

In any case, you always have to re-enter your credentials, suggesting that the SafariView used is not remembering/storing anything.

Kangming

Hi 

We can't reproduce it in the lab. Can we submit a ticket for TAC to look at it remotely, or provide a remote test account?

Thank you.

Thanks

Kangming

somejoe

I am more than happy to show you what happens in a remote session. 
 
A test account is a bit more involved as this is our production environment. I would first have to add your test user to our Azure AD and then somehow not give it any access to our network.