- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiClient 7.2.2.0864 SAML authentication not...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClient 7.2.2.0864 SAML authentication not Cached
Following latest upgrade of Forticlient VPN X64 for Windows, Saml authentication are not stored anymore.
I began to observe this behavior on version 7.0.8 (was not the case before) and a nice post was explaining that ticking "do not modify internal browser cookies" will keep the authentication enable and remember the username.
We are using Okta.
But unfortunately, this does not work anymore on Forticlient 7.2.2.0864. even if the option is ticked.
I'm looking forward for a solution so the remember me feature will work. I just wonder why it keeps breaking at each update and this time no solution proposed.
Thanks
Labels:
- Labels:
-
FortiClient
- « Previous
-
- 1
- 2
- Next »
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey itservices,
this should already be fixed in 7.2.2, but as I understand it, the setting (Remember password) in FortiClient needs to be pushed via EMS or via manual edit of the XML config file.
I have NOT been able to test this, but some digging turned up this registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\<tunnel>]
"show_remember_password"=dword:00000001
This make an option 'Remember Password' visible (the same as Fatih referred to), and enabling it should save both username and password for SAML authentication.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you but I don't believe that you understood the issue or what we are trying to achieve here.
Since version 7.2.2 and version 7.0.10 Forticlient VPN (without EMS) does not store anymore saml cache and username.
In previous versions, 7.0.8 or 7.0.9, you were able to initiate a saml connection with Okta or any other provider. when you connect to your connection, a pop up would appear asking you to enter your username and password and offer you the possibility to remember the username (Not the password). when you hit the remember box and apply by registry the settings "do to modify internal browser settings" you can connect to vpn correctly. if you disconnect and try reconnect within 15mn, the vpn will keep the saml settings and will not ask anymore for username/password and mfa.
After 15mn, when you attempt to reconnect with Okta, a pop up will come with your previous username already filled and you simply have to enter the password to get your MFA and connection successful.
Since 7.0.10 and 7.2.2 version, the remember me does not work anymore at all. it won't store the saml connection within the 15mn timerange and it will never keep the username. basically the remember me option is simply not working in these new versions. i'm pretty sure many other users are not using EMS and are facing the same issue but it seems Fortinet refuses to acknowledge the issue.
Created on 12-12-2023 03:14 AM Edited on 12-12-2023 03:31 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey itservices,
to quote from a developer (this is from Bug ID 947313, "SAML username is not saved after upgrade to 7.0.9"):
>>Could you please confirm in forticlient version 7.0.10 & 7.2.2 there is no way to save only username for SAML authentication. With 'save password' option we can save both username & credentials.
Hi [...],
Yes, that is the current implementation.
The 'save password' option, as Fatih mentioned above, can be made visible via EMS (and probably via the registry key I found), and then needs to be toggled on in the VPN settings for FortiClient to store the credentials again. Default behavior was changed: in earlier firmware versions, the setting was enabled by default, but this is no longer the case, to my understanding.
EDIT:
- the FortiClient has two remember options: 'Remember Username' and 'Remember Password'
-> 'Remember Username' worked for SAML incorrectly; it should not have worked for SAML authentication
-> 'Remember Password' should store username AND password for SAML connections
I hope this clarifies my earlier comment!
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So we can't save the username at all anymore? Saving the password is an absolute no go for us. It just does not make sense to do that. Since SAML uses their office 365 usernames its quite a pain to have users need to type this in every single time they want to connect, especially if they have any wifi issues and get disconnected.
This needs to be changed back to the way it was in 7.0.9. Otherwise it's going to be quite the headache to explain this to users. The decision may end up being to stick with 7.0.9, which is not a good idea either.
Is the only solution here to use an external browser for authentication? What a pain.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are at least having better luck than us. We are also an Okta shop and use it for idp for Forticlient vpn. We can not get the newer versions to work. They pass Okta but the firewall vpn won't connect.
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Windows error Forticlient script error access... 40 Views
- FORTIWEB HTTP-CONTENT-ROUTING - X509 certificate 44 Views
- ZTNA Integration 47 Views
- FortiClient disconnects when opening up applications 100 Views
- FortiAuthenticator MFA - SAML 56 Views
Labels
-
FortiGate
6,637 -
FortiClient
1,323 -
5.2
801 -
5.4
639 -
FortiManager
573 -
FortiAnalyzer
418 -
6.0
416 -
5.6
362 -
FortiSwitch
340 -
FortiAP
338 -
FortiClient EMS
270 -
6.2
251 -
FortiMail
250 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
154 -
6.4
128 -
FortiNAC
109 -
FortiGuard
105 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
72 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
SD-WAN
29 -
Firewall policy
28 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Logging
12 -
LDAP
11 -
VDOM
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.