Fortinet white logo
Fortinet white logo

Handbook

6.0.0

Single sign-on using a FortiAuthenticator unit

Single sign-on using a FortiAuthenticator unit

If you use a FortiAuthenticator unit in your network as a single sign-on agent,

  • Users can authenticate through a web portal on the FortiAuthenticator unit.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated by the FortiAuthenticator unit through the FortiClient SSO Mobility Agent.

The FortiAuthenticator unit can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit.

User’s view of FortiAuthenticator SSO authentication

There are two different ways users can authenticate through a FortiAuthenticator unit.

Users without FortiClient Endpoint Security - SSO widget

To log onto the network, the user accesses the organization’s web page with a web browser. Embedded on that page is a simple logon widget, like this:

User not logged in. Click Login to go to the FortiAuthenticator login page.
User logged in. Name displayed. Logout button available.

The SSO widget sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days.

Users with FortiClient Endpoint Security - FortiClient SSO Mobility Agent

The user simply accesses resources and all authentication is performed transparently with no request for credentials. IP address changes, such as those due to WiFi roaming, are automatically sent to the FortiAuthenticator unit. When the user logs off or otherwise disconnects from the network, the FortiAuthenticator unit is aware of this and deauthenticates the user.

The FortiClient SSO Mobility Agent, a feature of FortiClient Endpoint Security v5.0, must be configured to communicate with the appropriate FortiAuthenticator unit. After that, the agent automatically provides user name and IP address information to the FortiAuthenticator unit for transparent authentication.

Administrator’s view of FortiAuthenticator SSO authentication

You can configure either or both of these authentication types on your network.

SSO widget

You need to configure the Single Sign-On portal on the FortiAuthenticator unit. Go to Fortinet SSO Methods > SSO > Portal Services to do this. Copy the Embeddable login widget code for use on your organization’s home page. Identity-based security policies on the FortiGate unit determine which users or groups of users can access which network resources.

FortiClient SSO Mobility Agent

Your users must be running at least FortiClient Endpoint Security v5.0 to make use of this type of authentication.

On the FortiAuthenticator unit, you need to select Enable FortiClient SSO Mobility Agent Service, optionally select Enable Authentication and choose a Secret key. Go to Fortinet SSO Methods > SSO > General. You need to provide your users the FortiAuthenticator IP address and secret key so that they can configure the FortiClient SSO Mobility Agent on their computers. See Configuring the FortiGate unit.

Configuring the FortiAuthenticator unit

The FortiAuthenticator unit can poll FortiGate units, Windows Active Directory, RADIUS servers, LDAP servers, and FortiClients for information about user logon activity.

To configure FortiAuthenticator polling:
  1. Go to Fortinet SSO Methods > SSO > General.
  2. In the FortiGate section, leave the Listening port at 8000, unless your network requires you to change this. The FortiGate unit must allow traffic on this port to pass through the firewall.
    Optionally, you can set the Login Expiry time. This is the length of time users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).
  3. Select Enable Authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.
  4. In the Fortinet Single Sign-On (FSSO) section, enter
  5. Enable Windows Active Directory domain controllers Select for integration with Windows Active Directory.
    Enable Radius accounting SSO clients Select if you want to use a Remote Radius server.
    Enable Syslog SSO Select for integration with Syslog server.
    Enable FortiClient SSO Mobility Agent service

    Enable Authentication
    Select both options to enable single sign-on by clients running FortiClient Endpoint Security. Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings.
  6. Select OK.

For more information, see the FortiAuthenticator Administration Guide.

Configuring the FortiGate unit

Adding a FortiAuthenticator unit as an SSO agent

On the FortiGate unit, you need to add the FortiAuthenticator unit as a Single Sign-On agent that provides user logon information.

To add a FortiAuthenticator unit as an SSO agent:
  1. Go to Security Fabric > Fabric Connectors and select Create New.
  2. Under SSO/Identity, select Fortinet Single Sign-On Agent.
  3. Enter a Name for the FortiAuthenticator unit (in the example, FAC).
  4. In Primary FSSO Agent, enter the IP address of the FortiAuthenticator unit and password.
    On the FortiAuthenticator unit, go to Fortinet SSO Methods > SSO > General to define the secret key. Select Enable Authentication.
  5. Keep Collector Agent AD access mode set to Standard, and select OK.

The entry is shown in the SSO/Identity server list, with a green arrow indicating a successful connection. Select the plus-symbol to view the list of user groups that the FortiGate has received from the FortiAuthenticator.

When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

Configuring an FSSO user group

You cannot use FortiAuthenticator SSO user groups directly in a security policy. Create an FSSO user group and add FortiAuthenticator SSO user groups to it. FortiGate FSSO user groups are available for selection in identity-based security policies.

To create an FSSO user group:
  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. In Type, select Fortinet Single Sign-On (FSSO).
  4. Add Members.
    The groups available to add as members are SSO groups provided by SSO agents.
  5. Select OK.

Configuring security policies

You can create identity-based policies based on FSSO groups as you do for local user groups. For more information about security policies see the Firewall chapter.

Configuring the FortiClient SSO Mobility Agent

The user’s device must have at least FortiClient Endpoint Security v5.0 installed. Only two pieces of information are required to set up the SSO Mobility Agent feature: the FortiAuthenticator unit IP address and the pre-shared secret.

The user needs to know the FortiAuthenticator IP address and pre-shared secret to set up the SSO Mobility Agent. Or, you could preconfigure FortiClient.

To configure FortiClient SSO Mobility Agent:
  1. In FortiClient Endpoint Security, go to File > Settings.
    You must run the FortiClient application as an administrator to access these settings.
  2. Select Enable single sign-on mobility agent. Enter the FortiAuthenticator unit IP address, including the listening port number specified on the FortiAuthenticator unit.
    Example: 192.168.0.99:8001. You can omit the port number if it is 8005.
  3. Enter the pre-shared key.
  4. Select OK.

Viewing SSO authentication events on the FortiGate unit

User authentication events are logged in the FortiGate event log, available in the GUI at Log & Report > User Events.

Single sign-on using a FortiAuthenticator unit

Single sign-on using a FortiAuthenticator unit

If you use a FortiAuthenticator unit in your network as a single sign-on agent,

  • Users can authenticate through a web portal on the FortiAuthenticator unit.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated by the FortiAuthenticator unit through the FortiClient SSO Mobility Agent.

The FortiAuthenticator unit can integrate with external network authentication systems such as RADIUS and LDAP to gather user logon information and send it to the FortiGate unit.

User’s view of FortiAuthenticator SSO authentication

There are two different ways users can authenticate through a FortiAuthenticator unit.

Users without FortiClient Endpoint Security - SSO widget

To log onto the network, the user accesses the organization’s web page with a web browser. Embedded on that page is a simple logon widget, like this:

User not logged in. Click Login to go to the FortiAuthenticator login page.
User logged in. Name displayed. Logout button available.

The SSO widget sets a cookie on the user’s browser. When the user browses to a page containing the login widget, the FortiAuthenticator unit recognizes the user and updates its database if the user’s IP address has changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days.

Users with FortiClient Endpoint Security - FortiClient SSO Mobility Agent

The user simply accesses resources and all authentication is performed transparently with no request for credentials. IP address changes, such as those due to WiFi roaming, are automatically sent to the FortiAuthenticator unit. When the user logs off or otherwise disconnects from the network, the FortiAuthenticator unit is aware of this and deauthenticates the user.

The FortiClient SSO Mobility Agent, a feature of FortiClient Endpoint Security v5.0, must be configured to communicate with the appropriate FortiAuthenticator unit. After that, the agent automatically provides user name and IP address information to the FortiAuthenticator unit for transparent authentication.

Administrator’s view of FortiAuthenticator SSO authentication

You can configure either or both of these authentication types on your network.

SSO widget

You need to configure the Single Sign-On portal on the FortiAuthenticator unit. Go to Fortinet SSO Methods > SSO > Portal Services to do this. Copy the Embeddable login widget code for use on your organization’s home page. Identity-based security policies on the FortiGate unit determine which users or groups of users can access which network resources.

FortiClient SSO Mobility Agent

Your users must be running at least FortiClient Endpoint Security v5.0 to make use of this type of authentication.

On the FortiAuthenticator unit, you need to select Enable FortiClient SSO Mobility Agent Service, optionally select Enable Authentication and choose a Secret key. Go to Fortinet SSO Methods > SSO > General. You need to provide your users the FortiAuthenticator IP address and secret key so that they can configure the FortiClient SSO Mobility Agent on their computers. See Configuring the FortiGate unit.

Configuring the FortiAuthenticator unit

The FortiAuthenticator unit can poll FortiGate units, Windows Active Directory, RADIUS servers, LDAP servers, and FortiClients for information about user logon activity.

To configure FortiAuthenticator polling:
  1. Go to Fortinet SSO Methods > SSO > General.
  2. In the FortiGate section, leave the Listening port at 8000, unless your network requires you to change this. The FortiGate unit must allow traffic on this port to pass through the firewall.
    Optionally, you can set the Login Expiry time. This is the length of time users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).
  3. Select Enable Authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.
  4. In the Fortinet Single Sign-On (FSSO) section, enter
  5. Enable Windows Active Directory domain controllers Select for integration with Windows Active Directory.
    Enable Radius accounting SSO clients Select if you want to use a Remote Radius server.
    Enable Syslog SSO Select for integration with Syslog server.
    Enable FortiClient SSO Mobility Agent service

    Enable Authentication
    Select both options to enable single sign-on by clients running FortiClient Endpoint Security. Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings.
  6. Select OK.

For more information, see the FortiAuthenticator Administration Guide.

Configuring the FortiGate unit

Adding a FortiAuthenticator unit as an SSO agent

On the FortiGate unit, you need to add the FortiAuthenticator unit as a Single Sign-On agent that provides user logon information.

To add a FortiAuthenticator unit as an SSO agent:
  1. Go to Security Fabric > Fabric Connectors and select Create New.
  2. Under SSO/Identity, select Fortinet Single Sign-On Agent.
  3. Enter a Name for the FortiAuthenticator unit (in the example, FAC).
  4. In Primary FSSO Agent, enter the IP address of the FortiAuthenticator unit and password.
    On the FortiAuthenticator unit, go to Fortinet SSO Methods > SSO > General to define the secret key. Select Enable Authentication.
  5. Keep Collector Agent AD access mode set to Standard, and select OK.

The entry is shown in the SSO/Identity server list, with a green arrow indicating a successful connection. Select the plus-symbol to view the list of user groups that the FortiGate has received from the FortiAuthenticator.

When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

Configuring an FSSO user group

You cannot use FortiAuthenticator SSO user groups directly in a security policy. Create an FSSO user group and add FortiAuthenticator SSO user groups to it. FortiGate FSSO user groups are available for selection in identity-based security policies.

To create an FSSO user group:
  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. In Type, select Fortinet Single Sign-On (FSSO).
  4. Add Members.
    The groups available to add as members are SSO groups provided by SSO agents.
  5. Select OK.

Configuring security policies

You can create identity-based policies based on FSSO groups as you do for local user groups. For more information about security policies see the Firewall chapter.

Configuring the FortiClient SSO Mobility Agent

The user’s device must have at least FortiClient Endpoint Security v5.0 installed. Only two pieces of information are required to set up the SSO Mobility Agent feature: the FortiAuthenticator unit IP address and the pre-shared secret.

The user needs to know the FortiAuthenticator IP address and pre-shared secret to set up the SSO Mobility Agent. Or, you could preconfigure FortiClient.

To configure FortiClient SSO Mobility Agent:
  1. In FortiClient Endpoint Security, go to File > Settings.
    You must run the FortiClient application as an administrator to access these settings.
  2. Select Enable single sign-on mobility agent. Enter the FortiAuthenticator unit IP address, including the listening port number specified on the FortiAuthenticator unit.
    Example: 192.168.0.99:8001. You can omit the port number if it is 8005.
  3. Enter the pre-shared key.
  4. Select OK.

Viewing SSO authentication events on the FortiGate unit

User authentication events are logged in the FortiGate event log, available in the GUI at Log & Report > User Events.