6.2.0

FSSO - Fortinet Single Sign-On

Fortinet Single Sign-On (FSSO), formerly known as FortiGate Server Authentication Extension (FSAE), is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and FortiCache devices. The FortiAuthenticator unit identifies users based on their authentication to a different system; users can be authenticated via numerous methods:

  • Users can authenticate through a web portal and a set of embeddable widgets.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated.
  • RADIUS Accounting packets can be used to trigger an FSSO authentication.
  • Users can be identified through the FortiAuthenticator API. This is useful for integration with third-party systems.

Below are the TCP/UDP ports used by the multiple FSSO modes:

Purpose                                                      | Protocol/Port
-------------------------------------------------------------|---------------------------
LDAP group membership lookup (Global Catalog)                | TCP/3268
LDAP domain controller discovery and group membership lookup | TCP/389
DC Agent keepalive and push logon info to CA                 | UDP/8002
CA keepalive and push logon info to FortiGate                | TCP/8000
NTLM                                                         | TCP/8000
CA DNS                                                       | UDP/53
Workstation check, polling mode (preferred method)           | TCP/445
Workstation check, polling mode (fallback method)            | TCP/135, TCP/139, UDP/137
Remote access to logon events                                | TCP/445
Group lookup using LDAP                                      | TCP/389
Group lookup using LDAP with global catalog                  | TCP/3268
Group lookup using LDAPS                                     | TCP/636
Resolve FSSO server name                                     | UDP/53

Configuring the FortiAuthenticator

The FortiAuthenticator unit can be integrated with external network authentication systems, such as RADIUS, LDAP, Windows AD, and FortiClients to poll user logon information and send it to the FortiGate unit.

To configure FortiAuthenticator polling:
  1. Go to Fortinet SSO Methods > SSO > General.
  2. In the FortiGate section, leave Listening port set to 8000, unless your network requires you to change this. The FortiGate unit must allow traffic on this port to pass through the firewall. Optionally, you can set the Login expiry time (default is 480 minutes, or eight hours). This is the length of time users can remain logged in before the system logs them off automatically.
  3. Select Enable authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.
  4. In the Fortinet Single Sign-On (FSSO) section, enter the following information:
    Enable Windows event log polling (e.g. domain controllers/Exchange servers): Select for integration with Windows Active Directory.
    Enable RADIUS Accounting SSO clients: Select if you want to use a remote RADIUS server.
    Enable Syslog SSO: Select for integration with a Syslog server.
    Enable FortiClient SSO Mobility Agent Service:

    Once enabled, also select Enable authentication to enable SSO by clients running FortiClient Endpoint Security.

    Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings.

  5. Select OK.

For more detailed information for each available setting, see the FortiAuthenticator Administration Guide.

Configuring the FortiGate

The FortiAuthenticator unit needs to be added to the FortiGate as an SSO agent that will provide user logon information.

To add a FortiAuthenticator unit as SSO agent:
  1. Go to Security Fabric > Fabric Connectors and select Create New.
  2. Under SSO/Identity, select Fortinet Single-Sign-On Agent.
  3. Enter a Name, set Primary FSSO Agent to either the IP address or the host name of the FortiAuthenticator unit, and enter a Password.
  4. Set Collector Agent AD access mode to either Standard, where you can specify Users/Groups, or Advanced, where you can specify an LDAP Server.
  5. Select OK.

    The FortiGate unit receives a list of user groups from the FortiAuthenticator unit or LDAP server. When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

FSSO user groups

FortiAuthenticator SSO user groups cannot be used directly in identity-based security policies. You must create an FSSO user group, then add FortiAuthenticator SSO user groups to it. These FortiGate FSSO user groups will then become available for selection in identity-based security policies.

To create an FSSO user group:
  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. Set Type to Fortinet Single Sign-On (FSSO).
  4. Add Members. The groups available to add as members are SSO groups provided by SSO agents.
  5. Select OK.

Configuring the FortiClient SSO Mobility Agent

In order for the user to successfully set up the SSO Mobility Agent in FortiClient, they must know the FortiAuthenticator IP address and pre-shared key/secret.

To configure FortiClient SSO Mobility Agent:
  1. In FortiClient, go to File > Settings.
  2. Under Advanced, select Enable Single Sign-On mobility agent.
  3. In Server address, enter the IP address of the FortiAuthenticator.
  4. In Customize port, enter the listening port number specified on the FortiAuthenticator unit. You can omit the port number if it is 8005.
  5. Enter the Pre-shared key.
  6. Select OK.

For more detailed FSSO configurations, see the FortiGate Cookbook.

CLI syntax

The following section contains commands to control FSSO.

user fsso

The following command will set the server address, port, and password for multiple FSSO agents.

config user fsso
    edit <name_str>
        set name <string>
        set [server | server2 | server3 | server4 | server5] <string>
        set [port | port2 | port3 | port4 | port5] <integer>
        set [password | password2 | password3 | password4 | password5] <password>
    next
end
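Added example (not Fortinet's code): a small Python checker for the config user fsso syntax above. It parses a constructed sample entry with two collector agents and flags a slot whose serverN has no matching passwordN, plus any port that departs from the 8000 listening port configured on the FortiAuthenticator. The entry name, addresses and the ENC-PLACEHOLDER password value are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: one FSSO entry with two collector agents; the second
# agent (server2) is missing its password2, which the check below reports.
SAMPLE_CONFIG = """\
config user fsso
    edit "fac-collector"
        set server "10.0.0.5"
        set port 8000
        set password ENC-PLACEHOLDER
        set server2 "10.0.0.6"
    next
end
"""

DEFAULT_FSSO_PORT = 8000  # FortiGate listening port set on the FortiAuthenticator
SET_RE = re.compile(r'^\s*set\s+(server|port|password)(\d?)\s+(.+)$')

def parse_fsso_agents(config_text):
    """Return {entry_name: {slot: {"server"/"port"/"password": value}}}; slot "1" is the unsuffixed set."""
    entries, current = {}, None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("edit "):
            current = stripped[5:].strip('"')
            entries[current] = defaultdict(dict)
        elif stripped == "next":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                key, slot, value = m.group(1), m.group(2) or "1", m.group(3).strip().strip('"')
                entries[current][slot][key] = value
    return entries

def check_fsso_agents(config_text):
    """Return a list of findings; an empty list means every agent slot has server, password and a matching port."""
    findings = []
    for name, slots in parse_fsso_agents(config_text).items():
        for slot, fields in sorted(slots.items()):
            suffix = "" if slot == "1" else slot
            if "server" not in fields:
                findings.append(f"{name}: port{suffix}/password{suffix} set without server{suffix}")
                continue
            if "password" not in fields:
                findings.append(f"{name}: server{suffix} ({fields['server']}) has no password{suffix}")
            port = int(fields.get("port", DEFAULT_FSSO_PORT))
            if port != DEFAULT_FSSO_PORT:
                findings.append(f"{name}: server{suffix} uses port {port}; confirm the collector listens there")
    return findings
```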

user fsso-polling

The following command will set the Active Directory server port.

config user fsso-polling
    edit <name_str>
        set port <integer>
    next
end