question

brizvi asked

Why does deauthenticating a SWG SSO user from FortiSASE not work?

Tried deauthenticating a SWG SSO user from the FortiSASE GUI but the endpoint shows up again in the User Connection Monitor after a while and there is no prompt on the endpoint to authenticate again. Clearly this does not work! You guys suck!

FortiSASE

brizvi answered

If you deauthenticate a user from FortiSASE, the browser on the endpoint will not show a pop-up to re-authenticate.

Since SAML uses IdP and SP, the form for user auth is handled by the IdP. Clearing WAD on the FortiGate doesn't invalidate the IdP cookie.

Manually clearing cookies in the browser should trigger re-authentication and show a pop-up to enter credentials again.


Alexander McMillen answered

This action simply disconnects the user from SWG, which requires a new authorization.

If the user is still authorized for access on your IdP (Azure AD, Okta, etc.) they can subsequently reconnect and authenticate to FortiSASE.
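The behaviour both answers describe can be reproduced with a small state model. This is an added example, not FortiSASE or IdP code: the classes `IdP`, `SP` and `Browser` and the function `run_scenario` are hypothetical, and the dictionary returned by `sso` merely stands in for a SAML assertion.

```python
# Toy model of the SP/IdP session split (constructed; no vendor API is used).
import secrets

class Browser:
    def __init__(self):
        self.cookies = {}                      # cookie jar on the endpoint

class IdP:
    """Identity provider: owns the login form and its own session cookie."""
    def __init__(self):
        self.sessions = {}                     # idp cookie -> username
        self.prompts = 0                       # times the login form was shown

    def sso(self, browser, username):
        cookie = browser.cookies.get("idp")
        if cookie not in self.sessions:        # no live IdP session: prompt user
            self.prompts += 1
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = username
            browser.cookies["idp"] = cookie
        return {"subject": self.sessions[cookie]}   # stand-in for an assertion

class SP:
    """Service provider (the SWG role): tracks which users are connected."""
    def __init__(self, idp):
        self.idp = idp
        self.connected = set()

    def request(self, browser, username):
        if username not in self.connected:     # unknown user: send to the IdP
            assertion = self.idp.sso(browser, username)
            self.connected.add(assertion["subject"])
        return "allowed"

    def deauthenticate(self, username):
        self.connected.discard(username)       # clears SP-side state only

def run_scenario(clear_idp_cookie):
    """Return (login prompts shown, user connected again after deauth)."""
    idp = IdP()
    sp = SP(idp)
    browser = Browser()
    sp.request(browser, "alice")               # first login: prompt shown
    sp.deauthenticate("alice")                 # admin deauthenticates the user
    if clear_idp_cookie:
        browser.cookies.pop("idp", None)       # manual cookie clear on endpoint
    sp.request(browser, "alice")               # next web request from endpoint
    return idp.prompts, "alice" in sp.connected
```

With the IdP cookie left in place the user reappears as connected after a single prompt in total; only when the cookie is cleared does the second request produce a new prompt.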


Welcome to FortiAnswers

FortiAnswers is the space dedicated to FortiSASE and FortiOS questions and suggestions.
