Is there another IPsec VPN Client apart from FortiClient that supports SAML/SSO?

I’m on the lookout for a new VPN client as FortiClient has been a pain in the behind. Especially as some core features are behind a paywall…

I’m currently seeking alternatives that support SSO. Unfortunately I’m not aware of any.

Is there any VPN client you guys use that is much better than FortiClient and supports SSO?

There is no standard for implementing SAML in IPsec, so that’s a no in that regard.

Different FW product. We do SAML/SSO with Entra ID and user cert on the Palo Alto boxes. Absolutely of no use with the FortiGate, though.

Why would you ask for an alternative for the fortinet product in the fortinet subreddit?

Not sure about SSO, but we switched to Tailscale for our remote VPN client access and it’s been so much better than FortiClient. It’s much easier to set up and much easier to use. For site-to-site, though, we still use FortiGate IPsec. Check out Tailscale in the Apple and Google Play stores and you can see the reviews there and what the interface looks like.

How is this working with routing? I got this working on Windows on ARM (as there is no client yet), but once connected no traffic will flow through the VPN connection. What I found was that there is no gateway after the VPN connection is made.

To be fair, there is no standard for SSL VPN with SAML either, but there are several FortiGate-compatible SSL VPN clients with SAML support.

OpenConnect is particularly nice.

Unfortunately none of them do IPsec.

Because FortiClient isn’t a particularly high-quality VPN client. There are lots of complaints about it on several different networking subreddits.

Yeah, but SSL VPN isn’t a standard… it’s proprietary for each vendor. OpenConnect and the other third-party VPN clients just reverse-engineered the protocol to pretend to be the vendor’s VPN client. It is easier for these clients to facilitate SAML with SSL VPN, since it’s an SSL/TLS tunnel and a secure connection to a website for auth isn’t outside of the protocol’s capabilities. Still not a great idea to use them, though, since it’s wholly unsupported. If you run into issues, you’re on your own. If Fortinet patches something and it breaks OpenConnect, they’re not going to help you and your remote users will be SOL.

IPsec is an open standard for VPN connections, but SAML auth with IPsec is not part of that standard. As such, any non-standard authentication needs to be layered on top of the protocol, and wouldn’t be supported. In this case, a proprietary client (like FortiClient for Fortinet or GlobalProtect for PAN) is required.

Then go and ask there!?

Would love to have the FortiGate config as well.

That would be great if you could share the config even if it is basic.

So far Fortinet has broken FortiClient more times than I care to remember and broken OpenConnect zero times, so I know which basket I would put my eggs into if it was just about VPN reliability…

There is nothing stopping OpenConnect from adding SAML+IPsec support. The primary developer has indicated that he is open to doing it but that he does not find it exciting.

This is where the Fortinet guys are… the guys who will know best

Lol. You got downvoted, but you hit the hammer on the nail.

Fortinet guys use FortiClient.

Yea people these days

I hope I never have to work with you or anyone else so religious about a product.

Has nothing to do with this. But why would you ask about non-Fortinet products in the Fortinet subreddit? It doesn’t make any sense.

Such a crazy statement. Do Fortinet products exist in isolation? Do you only have Fortinet products in your company? Are they not connected to any other products? The OP asked about using another VPN client with FortiGates.

You are just being a silly gatekeeper IMHO. I have no idea why. Is it another of those my-product-is-my-identity things? If it bothers you so much, start an ONLY-FORTINET subreddit maybe.