I am trying to migrate from using user identity certificates to MFA via Azure SAML. I have the SSO setup configured, and I believe its working. When I check SSO option under FortiClient the Certificate selection is removed and the login fails reporting client SSL certificate required. Logs do show correct username and group login OK. Since the SSL-VPN setting for Require certificates is global (Fortigate 300D with 6.4.8) I can't disable it for SSO group and leave it enabled for old Radius groups.
Is there any way to work around the certificate for SSO so that I can have users gradually switch over to the new process then remove certificate requirement once complete and old Radius authentication groups are removed?
I did try using web based VPN, since browser prompts for Certificate prior to login it does succeed using SSO.
I also tried copying the registry value (DATA3) which appears to contain the certificate setting from the old connection entry to the new one with SSO on the FortiClient tunnels registry entries. The client appears to just ignore it.
Welcome to Fortinet community and Thank you for your post. Hopefully, you've been keeping safe and doing well!
You will be able to enable/disable a setting called " client-cert " in the authentication rule for respective user group. This can only be done through cli. Please find the below link for the article which explains further
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.