FortiClient 7.2.2.0864 SAML authentication not Cached

itservices3 · ‎10-20-2023

Following latest upgrade of Forticlient VPN X64 for Windows, Saml authentication are not stored anymore.

I began to observe this behavior on version 7.0.8 (was not the case before) and a nice post was explaining that ticking "do not modify internal browser cookies" will keep the authentication enable and remember the username.

We are using Okta.

But unfortunately, this does not work anymore on Forticlient 7.2.2.0864. even if the option is ticked.

I'm looking forward for a solution so the remember me feature will work. I just wonder why it keeps breaking at each update and this time no solution proposed.

Thanks

Jean-Philippe_P · ‎10-23-2023

Hello itservices3,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team

Jean-Philippe_P · ‎10-25-2023

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Jean-Philippe - Fortinet Community Team

itservices3 · ‎10-26-2023

Thank you, can wait for a new version if needed. I've packaged the latest 7.0.9 version that does not have this issue for now but would have been nice to be able to deploy the 7.2.2 with latest security fixes.

fatihseyligli · ‎10-27-2023

Hello,

FortiClient's SSL VPN behavior was changed starting with version 7.0.8, it will no longer cache SAML credentials.
New behavior, when 'Remember Password' is unchecked, cookies associated with SAML are deleted.
Make sure that the 'Show "Remember Password" Option' is available and enabled under Advanced Settings of the VPN tunnel.

Docs.
=====================================================================
Home FortiClient 7.0.8 (Windows) Release Notes - Resolved issues
https://docs.fortinet.com/document/forticlient/7.0.8/windows-release-notes/22791/resolved-issues

FortiClient 7.0.9 EMS Administration Guide - SSL VPN
https://docs.fortinet.com/document/forticlient/7.0.9/ems-administration-guide/29925/ssl-vpn

FortiClient 7.0.9 Administration Guide - SAML support for SSL VPN
https://docs.fortinet.com/document/forticlient/7.0.9/administration-guide/402514/saml-support-for-ss...

Additionally;

Tag <dont_modify_cookies> means "Do Not Modify Internal Browser Cookies".

By default, the tag value is 0, it represents as un-selected on the FCT settings page. and it only applies to using an internal browser when saml-login. So it should be;

<ui>

...

<dont_modify_cookies>1</dont_modify_cookies>

</ui>

</system>

For more details, please check:

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Troubleshooting-FortiClient-Not-Saving-S...

Thanks & Regards

itservices3 · ‎10-27-2023

Hello,

Yes i did understand this, and I do not face the issue on version 7.0.8 or 7.0.9 after ticking "do not modify internal browser cookies".

the login name is kept of I hit remember credentials for next connection which is good.

It will also log me in directly within 15mn windows frame without asking me for MFA.

However on version 7.2.2, despite ticking the same option and remembering the credentials, no username are kept once I'm disconnected and attempt to reconnect.

this only occurs with version 7.2.2 so I presume an issue with with particular version.

Thanks

PS : Please note that we do not have the option to remember the password as we do not use EMS. However we do need to store and remember the username to avoid having to retype it as every connection. which works perfectly fine on 7.0.8/7.0.9 and not anymore on 7.2.2

ManUnderConstruction · ‎10-29-2023

Hi,

I also noticed the same behaviour for our system. We do not encountered this before and only for 7.2.2 version.

MerriweatherRaven · ‎12-04-2023

Same issue here, still unresolved.

fatihseyligli · ‎12-04-2023

Hello,

Please test the issue with the latest build FortiClient 7.0.10. The behavior is changed with 7.0.10.

Besides,

Please ensure the following items 1 and 2 have the correct configuration.

1. Save-password should be enabled in the FortiGate SSLVPN web portal. Please take full access for example as below:

config vpn ssl web portal

edit "full-access"

set tunnel-mode enable

set ipv6-tunnel-mode enable

set web-mode enable

set limit-user-logins enable

set auto-connect enable

set keep-alive enable

set save-password enable

end

In the meantime, please also make sure

2. Go to EMS -> Remote Access, choose the tunnel, edit, Advanced Settings -> Show "Remember Password" Option -> ON.

If the switch is enabled, then FCT GUI should display a save-password checkbox for the tunnel, otherwise it's disabled.

Thanks & Regards

Fatih Seyligli

itservices3 · ‎12-12-2023

Sadly, this issue also occurs with the new 7.0.10 Build 0538 version.

sso connection is not cached anymore and username does not remain. it has to be re-entered at each new connection which is extremely painful.

the option "do not modify internal browser cookies" is already ticked but that does not change anything. (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_UI)dont_modify_cookies=1

We are not using EMS, but simply the vpn client via SSO using OKTA. The issue did not occurr with version 7.0.9 Build 0493 (this is the latest version you can use to keep your username and sso cache authentication).

will this be sorted in the future ?