FSSO - Fortinet Single Sign-On
Fortinet Single Sign-On (FSSO), formerly known as FortiGate Server Authentication Extension (FSAE), is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and FortiCache devices. The FortiAuthenticator unit identifies users based on their authentication to a different system; users can be identified through any of the following methods:
- Users can authenticate through a web portal and a set of embeddable widgets.
- Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
- Users authenticating against Active Directory can be automatically authenticated.
- RADIUS Accounting packets can be used to trigger an FSSO authentication.
- Users can be identified through the FortiAuthenticator API. This is useful for integration with third-party systems.
The following TCP/UDP ports are used by the various FSSO modes:

| Purpose | Protocol/Port |
|---|---|
| LDAP group membership lookup (Global Catalog) | TCP/3268 |
| LDAP domain controller discovery and group membership lookup | TCP/389 |
| DC Agent keepalive and push logon info to Collector Agent (CA) | UDP/8002 |
| CA keepalive and push logon info to FortiGate | TCP/8000 |
| NTLM | TCP/8000 |
| CA DNS | UDP/53 |
| Workstation check, polling mode (preferred method) | TCP/445 |
| Workstation check, polling mode (fallback method) | TCP/135, TCP/139, UDP/137 |
| Remote access to logon events | TCP/445 |
| Group lookup using LDAP | TCP/389 |
| Group lookup using LDAP with global catalog | TCP/3268 |
| Group lookup using LDAPS | TCP/636 |
| Resolve FSSO server name | UDP/53 |
Configuring the FortiAuthenticator
The FortiAuthenticator unit can be integrated with external network authentication systems, such as RADIUS, LDAP, Windows AD, and FortiClients to poll user logon information and send it to the FortiGate unit.
To configure FortiAuthenticator polling:
- Go to Fortinet SSO Methods > SSO > General.
- In the FortiGate section, leave Listening port set to 8000, unless your network requires you to change this. The FortiGate unit must allow traffic on this port to pass through the firewall. Optionally, you can set the Login expiry time (default is 480 minutes, or eight hours). This is the length of time users can remain logged in before the system logs them off automatically.
- Select Enable authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.
- In the Fortinet Single Sign-On (FSSO) section, enter the following information:
| Setting | Description |
|---|---|
| Enable Windows event log polling (e.g. domain controllers/Exchange servers) | Select for integration with Windows Active Directory. |
| Enable RADIUS Accounting SSO clients | Select if you want to use a remote RADIUS server. |
| Enable Syslog SSO | Select for integration with a Syslog server. |
| Enable FortiClient SSO Mobility Agent Service | Once enabled, also select Enable authentication to enable SSO by clients running FortiClient Endpoint Security. Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings. |
- Select OK.
For more detailed information for each available setting, see the FortiAuthenticator Administration Guide.
Configuring the FortiGate
The FortiAuthenticator unit needs to be added to the FortiGate as an SSO agent that will provide user logon information.
To add a FortiAuthenticator unit as SSO agent:
- Go to Security Fabric > Fabric Connectors and select Create New.
- Under SSO/Identity, select Fortinet Single-Sign-On Agent.
- Enter a Name, set Primary FSSO Agent either to the IP address of the FortiAuthenticator unit or a name, and enter a Password.
- Set Collector Agent AD access mode to either Standard, where you can specify Users/Groups, or Advanced, where you can specify an LDAP Server.
- Select OK.
The FortiGate unit receives a list of user groups from the FortiAuthenticator unit or LDAP server. When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.
FSSO user groups
You cannot use FortiAuthenticator SSO user groups directly in identity-based security policies. You must create an FSSO user group, then add FortiAuthenticator SSO user groups to it. These FortiGate FSSO user groups then become available for selection in identity-based security policies.
To create an FSSO user group:
- Go to User & Device > User Groups and select Create New.
- Enter a Name for the group.
- Set Type to Fortinet Single Sign-On (FSSO).
- Add Members. The groups available to add as members are SSO groups provided by SSO agents.
- Select OK.
Configuring the FortiClient SSO Mobility Agent
In order for the user to successfully set up the SSO Mobility Agent in FortiClient, they must know the FortiAuthenticator IP address and pre-shared key/secret.
To configure FortiClient SSO Mobility Agent:
- In FortiClient, go to File > Settings.
- Under Advanced, select Enable Single Sign-On mobility agent.
- In Server address, enter the IP address of the FortiAuthenticator.
- In Customize port, enter the listening port number specified on the FortiAuthenticator unit. You can omit the port number if it is 8005.
- Enter the Pre-shared key.
- Select OK.
For more detailed FSSO configurations, see the FortiGate Cookbook.
CLI syntax
The following section contains commands to control FSSO.
user fsso
The following command will set the server address, port, and password for multiple FSSO agents.
config user fsso
    edit <name_str>
        set name <string>
        set [server | server2 | server3 | server4 | server5] <string>
        set [port | port2 | port3 | port4 | port5] <integer>
        set [password | password2 | password3 | password4 | password5] <password>
    next
end
user fsso-polling
The following command will set the Active Directory server port.
config user fsso-polling
    edit <name_str>
        set port <integer>
    next
end
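A worked FortiOS CLI configuration that carries out the FortiGate steps described earlier (adding the FortiAuthenticator unit as the FSSO agent, creating the FortiGate FSSO user group, and using that group in an identity-based security policy) with the `user fsso` syntax above. This is an added example, not configuration from the original page; the agent name, the FortiAuthenticator address 192.0.2.10, the AD group DN, the interface names, and the policy ID are assumptions, and the password placeholder stands for the Secret key configured on the FortiAuthenticator.

```fortios
# Added example, not from the original page. Assumed values: agent name,
# FortiAuthenticator address 192.0.2.10, group DN, interface names, policy ID.

# 1. Add the FortiAuthenticator unit as the FSSO agent. The port must match
#    the FortiAuthenticator Listening port (8000) and the password must match
#    its Secret key; the FortiGate only accepts logon information from an
#    agent that authenticates with this key.
config user fsso
    edit "FAC-FSSO"
        set server "192.0.2.10"
        set port 8000
        set password <fsso-secret-key>
    next
end

# 2. Create a FortiGate FSSO user group and add, as members, the SSO group(s)
#    learned from the agent. The member is the group name as the agent
#    presents it (an assumed AD distinguished name here).
config user group
    edit "FSSO_Staff"
        set group-type fsso-service
        set member "CN=Staff,OU=Groups,DC=example,DC=com"
    next
end

# 3. Reference the FSSO group in an identity-based firewall policy, so only
#    traffic from users currently logged on as members of that group matches.
config firewall policy
    edit 10
        set name "FSSO-Staff-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_Staff"
        set nat enable
    next
end
```

After applying it, `diagnose debug authd fsso server-status` shows whether the connection to the agent is up, and `diagnose debug authd fsso list` shows the logon entries the FortiGate has received.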