ZTNA
wcruvinel
Staff
Article Id 412413
Description

This article describes an issue where ZTNA connections using SAML authentication may experience authentication loops when FortiClient establishes multiple sessions with inconsistent cookies.
Scope

FortiGate v7.4.8, any FortiClient from v7.2.4 up to v7.4.3.

Solution

Symptoms:

  • ZTNA connection fails after SAML authentication on Windows and Mac endpoints.
  • Users experience repeated re-authentication every 3–15 minutes.
  • Pop-ups appear, and traffic flows break.
  • Log entries show WAD rejecting FTNT-EP/AUTH with messages such as 'user cookie may be out of date. ignore it' and 'session cookie auth fail'.
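As an added illustration that is not part of the article, the script below scans WAD output for the two cookie-rejection messages quoted above and flags endpoints whose successful FTNT-EP/AUTH re-authentications recur 3 to 15 minutes apart. The log line layout and the sample lines are constructed for this example; only the message strings come from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample WAD output. The field layout is an assumption for this
# example, not the real FortiGate format; the quoted messages are the ones
# named in the article's symptoms.
SAMPLE_LOG = """\
2024-05-01 09:00:02 wad ep=10.1.1.5 user=alice event=ftnt-ep-auth result=ok
2024-05-01 09:06:40 wad ep=10.1.1.5 user=alice msg="user cookie may be out of date. ignore it"
2024-05-01 09:06:41 wad ep=10.1.1.5 user=alice msg="session cookie auth fail"
2024-05-01 09:06:45 wad ep=10.1.1.5 user=alice event=ftnt-ep-auth result=ok
2024-05-01 09:18:10 wad ep=10.1.1.5 user=alice msg="session cookie auth fail"
2024-05-01 09:18:12 wad ep=10.1.1.5 user=alice event=ftnt-ep-auth result=ok
2024-05-01 09:00:30 wad ep=10.1.1.9 user=bob event=ftnt-ep-auth result=ok
2024-05-01 13:00:30 wad ep=10.1.1.9 user=bob event=ftnt-ep-auth result=ok
"""

COOKIE_REJECT = ("user cookie may be out of date. ignore it", "session cookie auth fail")
LINE_RE = re.compile(r"^(\S+ \S+) wad ep=(\S+) user=(\S+) (.*)$")
LOOP_WINDOW = (timedelta(minutes=3), timedelta(minutes=15))  # interval from the symptoms

def parse(log):
    """Yield (timestamp, endpoint, user, rest) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

def find_auth_loops(log):
    """Return {endpoint: (cookie_rejects, reauths_in_window)} for endpoints that both
    had cookie rejections and re-authenticated successfully 3-15 minutes apart."""
    rejects = defaultdict(int)
    auths = defaultdict(list)
    for ts, ep, _user, rest in parse(log):
        if any(msg in rest for msg in COOKIE_REJECT):
            rejects[ep] += 1
        elif "event=ftnt-ep-auth result=ok" in rest:
            auths[ep].append(ts)
    loops = {}
    for ep, times in auths.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        reauths = sum(1 for g in gaps if LOOP_WINDOW[0] <= g <= LOOP_WINDOW[1])
        if rejects[ep] and reauths:
            loops[ep] = (rejects[ep], reauths)
    return loops

if __name__ == "__main__":
    print(find_auth_loops(SAMPLE_LOG))  # alice's endpoint is flagged, bob's is not
```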


Reproduction scenario:

  1. Generate a ZTNA connection request from a test endpoint.
  2. Complete SAML authentication successfully.
  3. After the ZTNA connection is established, execute the following command on the FortiGate acting as ZTNA Gateway:

     diagnose wad user clear

  4. Generate communication from the endpoint to the ZTNA destination again.
  5. The ZTNA connection should re-establish, but it fails, and the endpoint remains unable to connect.


Solution:

Upgrade FortiClient to v7.4.4.