Fortinet white logo
Fortinet white logo

EMS Administration Guide

Configuring SSOMA with AD

Configuring SSOMA with AD

The FortiClient single sign on mobility agent (SSOMA) supports the following features:

  • Support for pure Microsoft Entra ID (formerly known as Azure Active Directory (AD)) mode. SSOMA sends the Entra ID domain and tenant ID to FortiAuthenticator in pure/native Entra ID mode.

  • Sends FortiClient UUID and EMS serial number/tenant ID to FortiAuthenticator.

  • Sets the SNI field when communicating with FortiAuthenticator.

The following document uses two use cases to illustrate these features. Use case A illustrates a scenario using a local AD. Use Case B illustrates a scenario using a pure/native Entra ID or a hybrid Entra ID.

Use case A: local AD

  1. Configure FortiAuthenticator:

    1. In FortiAuthenticator, go to Fortinet SSO Methods > SSO > General.

    2. Toggle on Enable FortiClient SSO Mobility Agent Service.

    3. In the FortiClient listening port field, enter 8001.

    4. Toggle on Enable authentication.

    5. In the Secret key field, enter the desired preshared key. In this example, it is Fortinet123!

    6. Go to Authentication > Remote Auth. Servers > LDAP.

    7. Add the remote authentication server. In this case, it is the local AD server.

  2. In EMS, edit the desired endpoint profile's XML configuration to match the IP address, port, and PSK configured on the FortiAuthenticator:

    <fssoma> <enabled>1</enabled> <serveraddress>fac0824.local:8001</serveraddress> <presharedkey>Fortinet123!</presharedkey> </fssoma>

  3. After FortiClient connects to EMS and receives the profile changes, go to Settings. Under Advanced, confirm that SSOMA is enabled and the configuration is updated.
  4. Under Logging, click Export logs. Confirm that SSOMA sends the FortiClient UUID and EMS serial number/tenant ID to FortiAuthenticator:

    6/13/2023 11:38:04 AM debug fsso UUID:2ECE708... 6/13/2023 11:38:04 AM debug fsso strUsername:administrator, strAZDomain:MYFOREST.LOCAL 6/13/2023 11:38:26 AM debug fsso GetAZureSessionUserInfo(), Calling of RunExternalProgram is successful 6/13/2023 11:38:26 AM debug fsso GetAZureSessionUserInfo(), Calling of ParseConsoleOutput is failed, error:-1 6/13/2023 11:38:26 AM debug fsso session ID:2 has added to session table 6/13/2023 11:38:26 AM debug fsso Succeede to add session 2 6/13/2023 11:38:26 AM debug fsso Found current user, session ID: 2 6/13/2023 11:38:26 AM debug fsso CSessionManager::AddSession has been called, dwSession:65536 6/13/2023 11:38:26 AM debug fsso Failed to call WTSQueryUserToken for session ID:65536,error:2 6/13/2023 11:38:26 AM debug fsso Failed to get token for session ID:65536,error:2 6/13/2023 11:38:26 AM debug fsso failed to add session 65536 6/13/2023 11:38:26 AM debug fsso current active session 2 6/13/2023 11:38:26 AM debug fsso Found current logon session 2 in session list 6/13/2023 11:38:26 AM debug fsso CSessionManager::GetAllIPAddress is called 6/13/2023 11:38:26 AM debug fsso CSessionManager::GetAllIPAddress:1293 IPv4 address:192.168.90.2 6/13/2023 11:38:26 AM debug fsso EMS SN:FCTEMS8821090628 6/13/2023 11:38:26 AM debug fsso Start to resolve address for FortiAuthenticator:fac0824.local, TICC:5894281, TID:9072 6/13/2023 11:38:26 AM debug fsso Succeeded to resolve address for FortiAuthenticator:fac0824.local, FAC IP:172.19.200.110, TICC:5894281, TID:9072 6/13/2023 11:38:26 AM debug fsso SendAndReceive(), Local IP:192.168.90.2, FAC IP:172.19.200.110, FAC Port:8001, TICC:5894281, TID:9072 6/13/2023 11:38:26 AM debug fsso SendAndReceive(), succeeded to send event to authenticator, TID:9072 6/13/2023 11:38:26 AM debug fsso FortiAuthenticator config:fac0824.local:8001 6/13/2023 11:38:26 AM debug fsso Address Category:0 6/13/2023 11:38:26 AM info fsso date=2023-06-13 time=11:38:25 logver=1 id=96980 type=securityevent subtype=fsso eventtype=status level=info uid=2ECE708... devid=FCT8000... hostname=DESKTOP-JSOHIL9 pcdomain=myforest.local deviceip=192.168.90.2 devicemac=00-15-5d-23-03-0e site=default fctver=7.2.0.0690 fgtserial=N/A emsserial=FCTEMS88... usingpolicy=Default os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=administrator msg="Single Sign-On event" action=logon domain="MYFOREST.LOCAL,Workstation Name:DESKTOP-JSOHIL9,IP:192.168.90.2,FAC:172.19.200.110,succeeded to send session info, TICC:5894375, TID:9072"

Use case B: pure/native or hybrid Entra ID

  1. Configure Entra ID and add an enterprise application for FSSO:
    1. Sign in to the Entra ID portal as an administrator. Some configurations require a global administrator privilege.
    2. Create a user and ensure that users may join devices:

      1. Go to Home > Manage Azure Active Directory > View button > Manage > Users > New User. Configure a new user as desired.

      2. Go to Home > Manage Azure Active Directory > View button > Manage > Devices > Device Settings. Enable Users may join devices to Entra ID.
    3. Create an enterprise application:

      1. Go to Home > Manage Azure Active Directory > View button > Manage > Enterprise Applications > New Application > Create Your Own Application.

      2. Select Integrate any other application you don't find in the gallery (Non-gallery). Configure other settings as desired.

    4. Set the newly created enterprise application as a directory reader:

      1. Go to Home > Manage Azure Active Directory > View button > Manage > Roles and Administrators.

      2. In the Administrative Roles list, search for and select Directory Readers.

      3. Add Assignments > Search for the name of the newly created enterprise application > Add button.

    5. Register the enterprise application with the Microsoft Identity Platform and generate an authentication key:
      1. Go to Home > Manage Azure Active Directory > View button > Manage > App Registrations > All Applications.

      2. Search for and select the newly created enterprise application.

      3. Click Manage > Certificates & Secrets > New Client Secret.

      4. In the Add a Client dialog, set a description and expiry date, then click Add.

      5. Note down the string in the Value column. This value is only visible immediately after creation and will be hidden after you leave this page. You will use this value later.

  2. In EMS, edit the desired endpoint profile's XML configuration to match the IP address, port, and PSK configured on the FortiAuthenticator, and to have FortiClient detect Azure user information and send it to FortiAuthenticator:
    <fssoma>
            <enabled>1</enabled>
            <serveraddress>fac0824.local:8001</serveraddress>
            <presharedkey>Fortinet123!</presharedkey>
            <prefer_azure>1</prefer_azure>
    </fssoma>
  3. In FortiAuthenticator, configure OAuth:
    1. Go to Authentication > Remote Auth. Servers > OAUTH > Create New.
    2. From the OAuth source dropdown list, select Azure Directory.
    3. In the Client ID field, enter the application ID of the enterprise application that you created. You can find the client ID in Azure by going to Home > Manage Azure Active Directory > View button > (in sidebar) Manage > Enterprise Applications > Search for Application Name.
    4. In the Client Key field, enter the value from the Value column in step 1.e.v.
    5. Enable Include for SSO.
    6. In the Azure AD tenant ID field, enter the tenant ID. You can find this value in Azure by going to Home > Manage Azure Active Directory > View button > Overview > Tenant ID. Click OK.

  4. Connect the endpoint with Entra ID. On the endpoint, go to Settings > Accounts. Beside Add a work or school account, click Connect.
  5. Install FortiClient on the endpoint. Go to Settings and verify that FortiClient has received the SSOMA configuration from EMS.
  6. In FortiAuthenticator, go to Monitor > SSO > SSO Sessions. Confirm that there is an entry for the endpoint.
  7. In FortiClient, go to Settings > Logging and click Export logs. Confirm that SSOMA sends the FortiClient UUID and EMS serial number/tenant ID to FortiAuthenticator:

    6/13/2023 11:29:30 AM debug fsso GetAZureSessionUserInfo(), Calling of RunExternalProgram is successful 6/13/2023 11:29:30 AM debug fsso GetAZureSessionUserInfo(), username:jkim, domain:fortinetvan.onmicrosoft.com, tenantID:f1a72219-... 6/13/2023 11:29:30 AM debug fsso strAZUsername:jkim, strAZDomain:fortinet.onmicrosoft.com, strAZTenantID:f1a72219-... 6/13/2023 11:29:30 AM debug fsso session ID:2 has added to session table 6/13/2023 11:29:30 AM debug fsso Succeede to add session 2 6/13/2023 11:29:30 AM debug fsso Found current user, session ID: 2 6/13/2023 11:29:30 AM debug fsso CSessionManager::AddSession has been called, dwSession:65536 6/13/2023 11:29:30 AM debug fsso Failed to call WTSQueryUserToken for session ID:65536,error:2 6/13/2023 11:29:30 AM debug fsso Failed to get token for session ID:65536,error:2 6/13/2023 11:29:30 AM debug fsso failed to add session 65536 6/13/2023 11:29:30 AM debug fsso CSessionManager::AddSession has been called, dwSession:65537 6/13/2023 11:29:30 AM debug fsso Failed to call WTSQueryUserToken for session ID:65537,error:2 6/13/2023 11:29:30 AM debug fsso Failed to get token for session ID:65537,error:2 6/13/2023 11:29:30 AM debug fsso failed to add session 65537 6/13/2023 11:29:30 AM debug fsso current active session 2 6/13/2023 11:29:30 AM debug fsso Found current logon session 2 in session list 6/13/2023 11:29:30 AM debug fsso CSessionManager::GetAllIPAddress is called 6/13/2023 11:29:30 AM debug fsso CSessionManager::GetAllIPAddress:1325 IPv4 address:192.168.90.5 6/13/2023 11:29:30 AM debug fsso EMS SN:FCTEMS882... 6/13/2023 11:29:30 AM debug fsso Start to resolve address for FortiAuthenticator:fac0824.local, TICC:-1981885328, TID:9452 6/13/2023 11:29:30 AM debug fsso Succeeded to resolve address for FortiAuthenticator:fac0824.local, FAC IP:172.19.200.110, TICC:-1981885328, TID:9452 6/13/2023 11:29:30 AM debug fsso SendAndReceive(), Local IP:192.168.90.5, FAC IP:172.19.200.110, FAC Port:8001, TICC:-1981885312, TID:9452 6/13/2023 11:29:30 AM info fsso date=2023-06-13 time=11:29:29 logver=1 id=96980 type=securityevent subtype=fsso eventtype=status level=info uid=FDE6A554A2... devid=FCT800... hostname=Arjuna pcdomain=N/A deviceip=192.168.90.5 devicemac=00-15-5d-23-03-3f site=default fctver=7.2.1.0759 fgtserial=N/A emsserial=FCTEMS882... usingpolicy=Default os="Microsoft Windows 11 Professional Edition, 64-bit (build 22621)" user=jkim msg="Single Sign-On event" action=logon domain="fortinet.onmicrosoft.com,Workstation Name:Arjuna,IP:192.168.90.5,FAC:172.19.200.110,succeeded to send session info, TICC:-1981885234, TID:9452" 6/13/2023 11:29:30 AM debug fsso SendAndReceive(), succeeded to send event to authenticator, TID:9452 6/13/2023 11:29:30 AM debug fsso FortiAuthenticator config:fac0824.local:8001 6/13/2023 11:29:30 AM debug fsso Address Category:0

Configuring SSOMA with AD

Configuring SSOMA with AD

The FortiClient single sign on mobility agent (SSOMA) supports the following features:

  • Support for pure Microsoft Entra ID (formerly known as Azure Active Directory (AD)) mode. SSOMA sends the Entra ID domain and tenant ID to FortiAuthenticator in pure/native Entra ID mode.

  • Sends FortiClient UUID and EMS serial number/tenant ID to FortiAuthenticator.

  • Sets the SNI field when communicating with FortiAuthenticator.

The following document uses two use cases to illustrate these features. Use case A illustrates a scenario using a local AD. Use Case B illustrates a scenario using a pure/native Entra ID or a hybrid Entra ID.

Use case A: local AD

  1. Configure FortiAuthenticator:

    1. In FortiAuthenticator, go to Fortinet SSO Methods > SSO > General.

    2. Toggle on Enable FortiClient SSO Mobility Agent Service.

    3. In the FortiClient listening port field, enter 8001.

    4. Toggle on Enable authentication.

    5. In the Secret key field, enter the desired preshared key. In this example, it is Fortinet123!

    6. Go to Authentication > Remote Auth. Servers > LDAP.

    7. Add the remote authentication server. In this case, it is the local AD server.

  2. In EMS, edit the desired endpoint profile's XML configuration to match the IP address, port, and PSK configured on the FortiAuthenticator:

    <fssoma> <enabled>1</enabled> <serveraddress>fac0824.local:8001</serveraddress> <presharedkey>Fortinet123!</presharedkey> </fssoma>

  3. After FortiClient connects to EMS and receives the profile changes, go to Settings. Under Advanced, confirm that SSOMA is enabled and the configuration is updated.
  4. Under Logging, click Export logs. Confirm that SSOMA sends the FortiClient UUID and EMS serial number/tenant ID to FortiAuthenticator:

    6/13/2023 11:38:04 AM debug fsso UUID:2ECE708... 6/13/2023 11:38:04 AM debug fsso strUsername:administrator, strAZDomain:MYFOREST.LOCAL 6/13/2023 11:38:26 AM debug fsso GetAZureSessionUserInfo(), Calling of RunExternalProgram is successful 6/13/2023 11:38:26 AM debug fsso GetAZureSessionUserInfo(), Calling of ParseConsoleOutput is failed, error:-1 6/13/2023 11:38:26 AM debug fsso session ID:2 has added to session table 6/13/2023 11:38:26 AM debug fsso Succeede to add session 2 6/13/2023 11:38:26 AM debug fsso Found current user, session ID: 2 6/13/2023 11:38:26 AM debug fsso CSessionManager::AddSession has been called, dwSession:65536 6/13/2023 11:38:26 AM debug fsso Failed to call WTSQueryUserToken for session ID:65536,error:2 6/13/2023 11:38:26 AM debug fsso Failed to get token for session ID:65536,error:2 6/13/2023 11:38:26 AM debug fsso failed to add session 65536 6/13/2023 11:38:26 AM debug fsso current active session 2 6/13/2023 11:38:26 AM debug fsso Found current logon session 2 in session list 6/13/2023 11:38:26 AM debug fsso CSessionManager::GetAllIPAddress is called 6/13/2023 11:38:26 AM debug fsso CSessionManager::GetAllIPAddress:1293 IPv4 address:192.168.90.2 6/13/2023 11:38:26 AM debug fsso EMS SN:FCTEMS8821090628 6/13/2023 11:38:26 AM debug fsso Start to resolve address for FortiAuthenticator:fac0824.local, TICC:5894281, TID:9072 6/13/2023 11:38:26 AM debug fsso Succeeded to resolve address for FortiAuthenticator:fac0824.local, FAC IP:172.19.200.110, TICC:5894281, TID:9072 6/13/2023 11:38:26 AM debug fsso SendAndReceive(), Local IP:192.168.90.2, FAC IP:172.19.200.110, FAC Port:8001, TICC:5894281, TID:9072 6/13/2023 11:38:26 AM debug fsso SendAndReceive(), succeeded to send event to authenticator, TID:9072 6/13/2023 11:38:26 AM debug fsso FortiAuthenticator config:fac0824.local:8001 6/13/2023 11:38:26 AM debug fsso Address Category:0 6/13/2023 11:38:26 AM info fsso date=2023-06-13 time=11:38:25 logver=1 id=96980 type=securityevent subtype=fsso eventtype=status level=info uid=2ECE708... devid=FCT8000... hostname=DESKTOP-JSOHIL9 pcdomain=myforest.local deviceip=192.168.90.2 devicemac=00-15-5d-23-03-0e site=default fctver=7.2.0.0690 fgtserial=N/A emsserial=FCTEMS88... usingpolicy=Default os="Microsoft Windows 10 Professional Edition, 64-bit (build 19045)" user=administrator msg="Single Sign-On event" action=logon domain="MYFOREST.LOCAL,Workstation Name:DESKTOP-JSOHIL9,IP:192.168.90.2,FAC:172.19.200.110,succeeded to send session info, TICC:5894375, TID:9072"

Use case B: pure/native or hybrid Entra ID

  1. Configure Entra ID and add an enterprise application for FSSO:
    1. Sign in to the Entra ID portal as an administrator. Some configurations require a global administrator privilege.
    2. Create a user and ensure that users may join devices:

      1. Go to Home > Manage Azure Active Directory > View button > Manage > Users > New User. Configure a new user as desired.

      2. Go to Home > Manage Azure Active Directory > View button > Manage > Devices > Device Settings. Enable Users may join devices to Entra ID.
    3. Create an enterprise application:

      1. Go to Home > Manage Azure Active Directory > View button > Manage > Enterprise Applications > New Application > Create Your Own Application.

      2. Select Integrate any other application you don't find in the gallery (Non-gallery). Configure other settings as desired.

    4. Set the newly created enterprise application as a directory reader:

      1. Go to Home > Manage Azure Active Directory > View button > Manage > Roles and Administrators.

      2. In the Administrative Roles list, search for and select Directory Readers.

      3. Add Assignments > Search for the name of the newly created enterprise application > Add button.

    5. Register the enterprise application with the Microsoft Identity Platform and generate an authentication key:
      1. Go to Home > Manage Azure Active Directory > View button > Manage > App Registrations > All Applications.

      2. Search for and select the newly created enterprise application.

      3. Click Manage > Certificates & Secrets > New Client Secret.

      4. In the Add a Client dialog, set a description and expiry date, then click Add.

      5. Note down the string in the Value column. This value is only visible immediately after creation and will be hidden after you leave this page. You will use this value later.

  2. In EMS, edit the desired endpoint profile's XML configuration to match the IP address, port, and PSK configured on the FortiAuthenticator, and to have FortiClient detect Azure user information and send it to FortiAuthenticator:
    <fssoma>
            <enabled>1</enabled>
            <serveraddress>fac0824.local:8001</serveraddress>
            <presharedkey>Fortinet123!</presharedkey>
            <prefer_azure>1</prefer_azure>
    </fssoma>
  3. In FortiAuthenticator, configure OAuth:
    1. Go to Authentication > Remote Auth. Servers > OAUTH > Create New.
    2. From the OAuth source dropdown list, select Azure Directory.
    3. In the Client ID field, enter the application ID of the enterprise application that you created. You can find the client ID in Azure by going to Home > Manage Azure Active Directory > View button > (in sidebar) Manage > Enterprise Applications > Search for Application Name.
    4. In the Client Key field, enter the value from the Value column in step 1.e.v.
    5. Enable Include for SSO.
    6. In the Azure AD tenant ID field, enter the tenant ID. You can find this value in Azure by going to Home > Manage Azure Active Directory > View button > Overview > Tenant ID. Click OK.

  4. Connect the endpoint with Entra ID. On the endpoint, go to Settings > Accounts. Beside Add a work or school account, click Connect.
  5. Install FortiClient on the endpoint. Go to Settings and verify that FortiClient has received the SSOMA configuration from EMS.
  6. In FortiAuthenticator, go to Monitor > SSO > SSO Sessions. Confirm that there is an entry for the endpoint.
  7. In FortiClient, go to Settings > Logging and click Export logs. Confirm that SSOMA sends the FortiClient UUID and EMS serial number/tenant ID to FortiAuthenticator:

    6/13/2023 11:29:30 AM debug fsso GetAZureSessionUserInfo(), Calling of RunExternalProgram is successful 6/13/2023 11:29:30 AM debug fsso GetAZureSessionUserInfo(), username:jkim, domain:fortinetvan.onmicrosoft.com, tenantID:f1a72219-... 6/13/2023 11:29:30 AM debug fsso strAZUsername:jkim, strAZDomain:fortinet.onmicrosoft.com, strAZTenantID:f1a72219-... 6/13/2023 11:29:30 AM debug fsso session ID:2 has added to session table 6/13/2023 11:29:30 AM debug fsso Succeede to add session 2 6/13/2023 11:29:30 AM debug fsso Found current user, session ID: 2 6/13/2023 11:29:30 AM debug fsso CSessionManager::AddSession has been called, dwSession:65536 6/13/2023 11:29:30 AM debug fsso Failed to call WTSQueryUserToken for session ID:65536,error:2 6/13/2023 11:29:30 AM debug fsso Failed to get token for session ID:65536,error:2 6/13/2023 11:29:30 AM debug fsso failed to add session 65536 6/13/2023 11:29:30 AM debug fsso CSessionManager::AddSession has been called, dwSession:65537 6/13/2023 11:29:30 AM debug fsso Failed to call WTSQueryUserToken for session ID:65537,error:2 6/13/2023 11:29:30 AM debug fsso Failed to get token for session ID:65537,error:2 6/13/2023 11:29:30 AM debug fsso failed to add session 65537 6/13/2023 11:29:30 AM debug fsso current active session 2 6/13/2023 11:29:30 AM debug fsso Found current logon session 2 in session list 6/13/2023 11:29:30 AM debug fsso CSessionManager::GetAllIPAddress is called 6/13/2023 11:29:30 AM debug fsso CSessionManager::GetAllIPAddress:1325 IPv4 address:192.168.90.5 6/13/2023 11:29:30 AM debug fsso EMS SN:FCTEMS882... 6/13/2023 11:29:30 AM debug fsso Start to resolve address for FortiAuthenticator:fac0824.local, TICC:-1981885328, TID:9452 6/13/2023 11:29:30 AM debug fsso Succeeded to resolve address for FortiAuthenticator:fac0824.local, FAC IP:172.19.200.110, TICC:-1981885328, TID:9452 6/13/2023 11:29:30 AM debug fsso SendAndReceive(), Local IP:192.168.90.5, FAC IP:172.19.200.110, FAC Port:8001, TICC:-1981885312, TID:9452 6/13/2023 11:29:30 AM info fsso date=2023-06-13 time=11:29:29 logver=1 id=96980 type=securityevent subtype=fsso eventtype=status level=info uid=FDE6A554A2... devid=FCT800... hostname=Arjuna pcdomain=N/A deviceip=192.168.90.5 devicemac=00-15-5d-23-03-3f site=default fctver=7.2.1.0759 fgtserial=N/A emsserial=FCTEMS882... usingpolicy=Default os="Microsoft Windows 11 Professional Edition, 64-bit (build 22621)" user=jkim msg="Single Sign-On event" action=logon domain="fortinet.onmicrosoft.com,Workstation Name:Arjuna,IP:192.168.90.5,FAC:172.19.200.110,succeeded to send session info, TICC:-1981885234, TID:9452" 6/13/2023 11:29:30 AM debug fsso SendAndReceive(), succeeded to send event to authenticator, TID:9452 6/13/2023 11:29:30 AM debug fsso FortiAuthenticator config:fac0824.local:8001 6/13/2023 11:29:30 AM debug fsso Address Category:0