Administration Guide

Web services

The SSO portal supports a logon widget that you can embed in any web page. Typically, an organization would embed the widget on its home page.

The SSO portal sets a cookie in the user's browser. When the user browses to a page containing the login widget, FortiAuthenticator recognizes the user and updates its database if the user's IP address has changed. The user does not need to re-authenticate until the login timeout expires (configured by the Login timeout setting below; one week by default). To log out of FSSO immediately, the user can select the Logout button in the widget.

The SSO portal supports multiple authentication methods, including manual login, the embeddable widget, Kerberos authentication, and the SAML portal.

To configure FSSO web services:
  1. Go to Fortinet SSO > Methods > Web Services.

    The Edit Web Services Configurations window opens.

  2. Configure the following settings:

    User Portal

    Enable SSO on self-service portal policies

    Select to use self-service portals as the SSO login portal.

    Self-service portal policies

    Select self-service portal policies from the Self-service portal policies search box.

    Login timeout

    Set the maximum number of minutes a user is allowed to stay logged in before they are automatically logged out from SSO, between 1 and 10080 minutes (one week, which is the default).

    Maximum delay when redirecting to an external URL

    Set the maximum delay, in seconds, before the user is redirected to an external URL, between 1 and 10 seconds (default 7).

    Kerberos User Portal

    Enable Kerberos login for SSO

    Select Enable Kerberos login for SSO to enable Kerberos login for SSO.

    Select Import keytab and enable to open the Import Keytab window, where you can import a keytab from your computer.

    A keytab must be imported before Kerberos login for SSO can be enabled.

    See Kerberos for more information.

    Kerberos Principal

    View the Kerberos principal.

    SAML Portal

    Enable SAML portal

    Select Enable SAML portal to enable SAML Portal log in for SSO.

    SSO Web Service

    Enable SSO REST API

    Select Enable SSO REST API to enable the SSO REST API web service.

    SSO user type

    Specify the type of user that the client will provide:

    • External: Users not defined on FortiAuthenticator.

      User groups are retrieved from the source.

    • Local users: Users defined on FortiAuthenticator as local users.

      User groups are retrieved from the local groups.

    • Remote users: Users defined on a remote LDAP server.

      User groups are retrieved from the remote LDAP server.

      From the dropdown, select a remote LDAP server.

  3. Click Save.

Kerberos

Kerberos authentication allows the FortiAuthenticator to identify connecting users through a Kerberos exchange after a redirect from a FortiGate device.

A keytab file for FortiAuthenticator's HTTP service principal is required. Generate it on a domain controller (or a machine with the Active Directory RSAT tools) using the ktpass utility. The following batch file simplifies keytab creation; substitute your own service account, host name, realm, and password:

set OUTFILE=FortiAuthenticator.keytab
set USERNAME=FortiAuthenticator@corp.example.com
set PRINC=HTTP/FortiAuthenticator.corp.example.com@CORP.EXAMPLE.COM
set CRYPTO=all
set PASSWD=Pa$$p0rt
set PTYPE=KRB5_NT_PRINCIPAL
ktpass -out %OUTFILE% -pass %PASSWD% -mapuser %USERNAME% -princ %PRINC% -crypto %CRYPTO% -ptype %PTYPE%

Check the following before running it. The service account named in USERNAME must already exist in the domain, and ktpass -pass resets that account's password to PASSWD, so the value in the batch file becomes the account's real password. -crypto all exports a key for every encryption type the account allows, which can include RC4 and DES; unless a legacy client depends on them, use -crypto AES256-SHA1 and make sure AES is enabled on the account, so that only AES keys are written. The host name in PRINC must be the FQDN that users are redirected to, because the browser requests a ticket for HTTP/<host in the URL>. Finally, both the batch file (it holds the password in cleartext) and the keytab (it holds the service key itself) are credentials: delete the batch file after use and transfer the keytab to the FortiAuthenticator over a protected channel.
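The keytab that ktpass writes is an opaque binary file, and the only way to confirm that it actually holds the HTTP/ principal above, and whether -crypto all left RC4 or DES keys in it, is to read it. The following Python script, added here as an example and not part of the FortiAuthenticator product or documentation, parses the MIT keytab format and reports that. Beyond the file format itself, everything in it is an assumption: the SPN is the one from the batch file above, and the sample keytab it builds in memory is constructed with placeholder key bytes. Run it with the path to a real keytab as its argument to inspect that file instead.

```python
"""Inspect a Kerberos keytab before importing it into FortiAuthenticator.

Added example, not part of the FortiAuthenticator documentation or product.
Parses the MIT keytab format that ktpass writes (version 0x0502) and reports
which principals and encryption types the file contains, flagging the RC4 and
DES keys that '-crypto all' can produce. The sample keytab is constructed in
memory with placeholder keys; real keys derive from the account password.
"""
import struct

# Encryption type numbers from the IANA Kerberos registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}
KRB5_NT_PRINCIPAL = 1          # name type written for -ptype KRB5_NT_PRINCIPAL
SAMPLE_TIMESTAMP = 1700000000  # fixed so the constructed sample is reproducible
SPN = "HTTP/FortiAuthenticator.corp.example.com@CORP.EXAMPLE.COM"  # from the batch file


def _octets(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialize (principal, enctype, kvno, key) tuples as a v2 keytab.

    Used only to construct sample input; ktpass produces the real file.
    """
    out = b"\x05\x02"
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _octets(realm.encode())
        for comp in components:
            body += _octets(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, SAMPLE_TIMESTAMP, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno that newer tools append
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes):
    """Return one dict per key entry in a version 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:             # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:       # the optional full-width kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "key_len": len(key),
        })
    return entries


def check_keytab(blob: bytes, expected_spn: str):
    """Summarize a keytab: is the expected SPN present, and which keys are weak?"""
    entries = parse_keytab(blob)
    principals = sorted({e["principal"] for e in entries})
    return {
        "has_spn": expected_spn in principals,
        "principals": principals,
        "enctypes": sorted({e["enctype_name"] for e in entries}),
        "weak": [(e["principal"], e["enctype_name"])
                 for e in entries if e["enctype"] in WEAK_ENCTYPES],
    }


# Constructed sample: roughly what '-crypto all' exports for the SPN above,
# with placeholder key bytes instead of password-derived keys.
SAMPLE_KEYTAB = build_keytab([
    (SPN, 18, 3, bytes(range(32))),
    (SPN, 17, 3, bytes(range(16))),
    (SPN, 23, 3, bytes(range(16))),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    report = check_keytab(blob, SPN)
    print("SPN present:", report["has_spn"])
    print("Encryption types:", ", ".join(report["enctypes"]))
    for principal, enctype in report["weak"]:
        print("WARNING: weak %s key for %s" % (enctype, principal))
```

On the constructed sample the script reports the SPN as present and warns about the rc4-hmac key; on a keytab made with -crypto AES256-SHA1 it should list only aes256-cts-hmac-sha1-96 and print no warnings. A kvno that does not match the account's current kvno in Active Directory (it increments each time the password is reset) means the keytab is stale and Kerberos login will fail.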

The FortiGate device can be configured to redirect unauthenticated users to FortiAuthenticator; however, the Kerberos authentication URL (/login/kerb-auth) differs from the standard login URL. The Custom Message HTML for the Login Page HTML Redirect for Kerberos is as follows (replace <FortiAuthenticator-fqdn> with the FortiAuthenticator FQDN):

<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="1;url=http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%">
<script type="text/javascript">
window.location.href = "http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%";
</script>
<title>Page Redirection</title>
</head>
<body>
If you are not redirected automatically, click on the link
<a href='http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%'>http://<FortiAuthenticator-fqdn>/login/kerb-auth?user_continue_url=%%PROTURI%%</a>
</body>
</html>

The FQDN must be the host name in the HTTP/ service principal of the imported keytab: redirecting to an IP address or to a different alias makes the browser request a ticket for a name the KDC holds no key for, and the Kerberos login falls back to a failure. The user's browser must also be allowed to perform Negotiate (Kerberos) authentication to that host, for example by placing it in the Local intranet zone or the browser's equivalent trusted-site list. If the FortiAuthenticator portal is served over TLS, use https:// in all three URLs so that the SSO cookie is not sent in the clear.
