As a seasoned network administrator, I have been tasked with integrating Microsoft Entra SSO with FortiGate SSL VPN for secure access to our corporate network. After conducting extensive research and testing, I have encountered an interesting issue that I would like to share with the community.
When using FortiClient VPN version 7.2.x.x to connect to our SSL VPN via Azure ID with SAML authentication, the connection fails on the first attempt every time. However, if I try again on the second or third attempt, the connection is established without any 2FA prompts. This behavior is inconsistent and unpredictable, making it challenging to diagnose and resolve.
At first, I suspected a configuration issue on the FortiClient firewall side or on the Azure FortiGate SSL VPN application side. However, after thorough testing and analysis, I have ruled out these possibilities. The issue persists even when using the latest FortiClient VPN client, version 7.0.x.x.x.
I have observed that the first attempt to connect always fails with a “Connection failed” message, but the subsequent attempts are successful without any 2FA prompts. This suggests that there might be some sort of caching or session management issue at play.
After further investigation, I discovered that FortiClient VPN client version 7.0.x.x.x uses a different authentication mechanism than version 7.2.x.x. This difference in authentication mechanisms could be causing the inconsistent behavior in connection establishment.
I propose that the issue might be related to the way FortiClient handles SSO sessions. When the first attempt to connect fails, it may be due to a timing issue or a misconfiguration in the FortiClient software. The subsequent attempts are successful because the SSO session has already been established, and FortiClient can use that session to establish the VPN connection without prompting for 2FA.
To resolve this issue, I suggest trying the following troubleshooting steps:
1. Check the FortiClient logs to see if there are any errors or warnings related to SSO sessions or VPN connections.
2. Verify that the FortiGate SSL VPN application is correctly configured and functioning properly.
3. Ensure that the Azure ID with SAML authentication is set up correctly and working as expected.
4. Try using a different version of the FortiClient VPN client to see if the issue persists.
5. Check for any software updates or patches that might resolve the issue.
In conclusion, the inconsistent behavior when connecting to our SSL VPN via Azure ID with SAML authentication using FortiClient VPN client version 7.0.x.x.x is a challenging issue that requires further investigation and troubleshooting. I hope that sharing this experience will help others who may encounter similar issues in the future.