Created on 05-05-2022 08:14 PM Edited on 12-25-2022 09:44 PM By Anthony_E
This article explains why FortiClient will not prompt for credentials after first successful login using SAML method. This article also lists workarounds and future permanent solution.
FortiGate, FortiClient or Web Browser with SAML Authentication.
After the first login, SAML login credentials are cached by the embedded browser cookies, which causes subsequent login attempts to bypass credentials and MFA if configured.
This is the current behavior and the option 'Save login' does not apply to SAML authentication method.
Workaround Options:
1) For Windows clients, delete the 'Cookies' file as per KB Article below:
Technical Tip: Disabling auto caching on VPN login using SAML
2) Shutdown FortiClient and re-launch it, but this option may be locked if connected to Telemetry (EMS).
3) If web-mode is used, perform login from a "Private Window" (Firefox), "InPrivate Window" (Microsoft Edge), or "Incognito" (Google Chrome).
4) If FortiClient is managed by FortiClient EMS, then On-Disconnect script may be leveraged.
From EMS Server, edit the desired SSL VPN tunnel from a "Remote Access" profile, and add this line to a "On Disconnect" script:
del /s C:\users\%username%\AppData\Local\FortiClient\cookies
A permanent fix is in discussion with Development and it is planned for future releases of FortiClient 6.4, 7.0, and 7.2, which should have a global option for 'Save login' to encompass SAML authentication method as well.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.