Using HTTP Basic SSO
When an application uses a Credentials Management API to prompt for user credentials, you must enter the required information, which is validated either by the operating system or by the web application. You can specify your domain credentials in either of the following formats:
- User Principal Name (UPN)
- Down-Level Logon Name
The UPN format specifies an Internet-style name, such as UserName@Example.Fortinet.com. The following table (Anatomy of a UPN) shows the components of a UPN:

| Component | Description | Example |
|---|---|---|
| User name | The name of an account | JohnDoeII |
| Separator | The at sign (@) | @ |
| UPN suffix | Also known as the domain name | Example.Fortinet.com |
The down-level logon name format specifies a domain and a user account in that domain, for example, DOMAIN\UserName. The following table (Anatomy of a down-level logon name) shows the components of a down-level logon name:

| Component | Description | Example |
|---|---|---|
| NetBIOS domain name | Domain name | Domain |
| Separator | The backslash (\) | \ |
| User account name | Also known as the login name | User name |
FortiADC supports HTTP basic SSO when Client Authentication Method is set to either HTML Form Authentication or HTML Basic Authentication.
For HTTP basic SSO, FortiADC forwards the client’s credentials to the web application in the HTTP "Authorization" header. For example, the username/password pair "user1/fortinet" from a client is encoded as "Authorization: Basic dXNlcjE6Zm9ydGluZXQ=" (the Base64 encoding of "user1:fortinet") and then forwarded to the back-end web application.
You can use either a UPN or a down-level logon name to log into a web application, and FortiADC can automatically add the default domain prefix to your logon name for your convenience. Automatically adding the default domain prefix lets you log in with your user name alone in environments where both the user name and the domain name are normally required. This feature comes in handy when you do not remember your domain name while logging into a web application.
Configure HTTP Basic SSO
Use the following steps to configure HTTP basic SSO authentication:
- Click User Authentication > Authentication Relay.
- Click Create New to open the configuration editor dialog.
- Make the desired entries or selections as described in the HTTP Basic SSO authentication configuration settings below.
- Click Save when done.
The configuration editor includes the following settings:
- Specify the name of the authentication relay configuration.
- Select HTTP Basic.
- Select either of the following:
- Domain Prefix Support: a switch to enable or disable the default domain prefix function. Some domain controllers require the user to log in with the user name in the format "domain\username", such as "KFOR\user1". When this option is enabled, the user can also log in successfully by entering only "user1", because FortiADC automatically adds the prefix "KFOR\" and then sends "KFOR\user1" to the server.
- The value that is added as the domain prefix when Domain Prefix Support is enabled (above) and the user enters the user name without the domain. Note: the value of this domain prefix MUST be a valid NetBIOS domain name.
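The header construction described under HTTP basic SSO and the Domain Prefix Support behaviour described above, as an added example that is not FortiADC's own code: a bare user name receives the configured NetBIOS prefix before the credentials are Base64-encoded into the "Authorization" header. The rule that UPN input (user@suffix) is forwarded unchanged, and the simplified NetBIOS-name validity check, are assumptions of this example, not something the page states.

```python
import base64
from typing import Optional, Tuple

# Characters not permitted in a NetBIOS name (simplified check, an assumption here).
NETBIOS_DISALLOWED = set('\\/:*?"<>|')


def is_valid_netbios_domain(name: str) -> bool:
    """Simplified check: 1-15 characters, no disallowed punctuation, no
    leading/trailing spaces. An assumption, not FortiADC's own validation."""
    if not 1 <= len(name) <= 15 or name != name.strip():
        return False
    return not any(ch in NETBIOS_DISALLOWED for ch in name)


def apply_domain_prefix(username: str, default_domain: Optional[str]) -> str:
    """Logon name forwarded when Domain Prefix Support is enabled: down-level
    (DOMAIN\\user) and UPN (user@suffix) names pass through unchanged; a bare
    user name gets "<default_domain>\\" prepended."""
    if "\\" in username or "@" in username or not default_domain:
        return username
    if not is_valid_netbios_domain(default_domain):
        raise ValueError(f"invalid NetBIOS domain name: {default_domain!r}")
    return f"{default_domain}\\{username}"


def build_basic_authorization(username: str, password: str) -> str:
    """Authorization header value: 'Basic ' + base64('user:pass')."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_authorization(header_value: str) -> Tuple[str, str]:
    """Inverse of build_basic_authorization; split on the first ':' only,
    because passwords may contain colons."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pw


def forward_credentials(username: str, password: str, default_domain: Optional[str]) -> str:
    """Simulate the relay: normalize the logon name, then emit the header line.
    Constructed input such as ("user1", "fortinet", "KFOR") uses the page's values."""
    logon = apply_domain_prefix(username, default_domain)
    return f"Authorization: {build_basic_authorization(logon, password)}"
```

Calling `forward_credentials("user1", "fortinet", None)` reproduces the page's header line exactly; with `"KFOR"` as the default domain, the encoded credential becomes `KFOR\user1:fortinet` instead.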