Version:

Version:


Table of Contents

More Links

FortiAPI documentation

New Features

Download PDF
Copy Link

Improve response time for direct FSSO login REST API

Upon receiving direct FSSO logon REST API requests, the FortiGate now returns the HTTP response code instantaneously and offloads the LDAP group membership query to a backend API. This improves response times, and prevents delays and backlogs when many requests are sent in a short time period.

Tooltip

The direct FSSO logon REST API was added to FortiOS in 6.4.4 to allow an authenticated user from a third party service to be queried against LDAP by the FortiGate for group membership. This provides SSO capabilities for the end user of the third party service when integrated with the FortiGate.

Example

This example compares the difference in HTTP response time before and after the feature implementation.

The following process flow occurs:

  1. A user logs on to the third party service.
  2. The third party service calls the REST API to relay the authenticated user to the FortiGate, so that the FortiGate can provide SSO service to this user.
  3. The FortiGate receives the HTTP POST request and responds immediately.
  4. In the meantime, the FortiGate sends the username to fnbamd to further query the user against LDAP for its group membership.
  5. The query is successful in the user group. The user, IP, and group are added to the firewall authentication table on the FortiGate.

Before

After

{
  "http_method":"POST",
  "status":"success",
  "http_status":200,
  "vdom":"root",
  "path":"user",
  "name":"firewall",
  "action":"auth",
  "serial":"FG4H1E0000000000",
  "version":"v7.0.4",
  "build":291
}
real   0m3.770s
user   0m0.048s
sys 0m0.020s
{
  "http_method":"POST",
  "status":"success",
  "http_status":200,
  "vdom":"root",
  "path":"user",
  "name":"firewall",
  "action":"auth",
  "serial":"FG4H1E0000000000",
  "version":"v7.2.0",
  "build":1095
}
real   0m0.115s
user   0m0.040s
sys 0m0.032s

Note the HTTP response time is shorter after the implementation.

More Links

Improve response time for direct FSSO login REST API

Upon receiving direct FSSO logon REST API requests, the FortiGate now returns the HTTP response code instantaneously and offloads the LDAP group membership query to a backend API. This improves response times, and prevents delays and backlogs when many requests are sent in a short time period.

Tooltip

The direct FSSO logon REST API was added to FortiOS in 6.4.4 to allow an authenticated user from a third party service to be queried against LDAP by the FortiGate for group membership. This provides SSO capabilities for the end user of the third party service when integrated with the FortiGate.

Example

This example compares the difference in HTTP response time before and after the feature implementation.

The following process flow occurs:

  1. A user logs on to the third party service.
  2. The third party service calls the REST API to relay the authenticated user to the FortiGate, so that the FortiGate can provide SSO service to this user.
  3. The FortiGate receives the HTTP POST request and responds immediately.
  4. In the meantime, the FortiGate sends the username to fnbamd to further query the user against LDAP for its group membership.
  5. The query is successful in the user group. The user, IP, and group are added to the firewall authentication table on the FortiGate.

Before

After

{
  "http_method":"POST",
  "status":"success",
  "http_status":200,
  "vdom":"root",
  "path":"user",
  "name":"firewall",
  "action":"auth",
  "serial":"FG4H1E0000000000",
  "version":"v7.0.4",
  "build":291
}
real   0m3.770s
user   0m0.048s
sys 0m0.020s
{
  "http_method":"POST",
  "status":"success",
  "http_status":200,
  "vdom":"root",
  "path":"user",
  "name":"firewall",
  "action":"auth",
  "serial":"FG4H1E0000000000",
  "version":"v7.2.0",
  "build":1095
}
real   0m0.115s
user   0m0.040s
sys 0m0.032s

Note the HTTP response time is shorter after the implementation.