Improve response time for direct FSSO login REST API

Upon receiving direct FSSO logon REST API requests, the FortiGate now returns the HTTP response code instantaneously and offloads the LDAP group membership query to a backend API. This improves response times, and prevents delays and backlogs when many requests are sent in a short time period.

The direct FSSO logon REST API was added to FortiOS in 6.4.4 to allow an authenticated user from a third-party service to be queried against LDAP by the FortiGate for group membership. This provides SSO capabilities for the end user of the third-party service when integrated with the FortiGate.

Example

This example compares the HTTP response time before and after the feature implementation.

The following process flow occurs:

  1. A user logs on to the third-party service.
  2. The third-party service calls the REST API to relay the authenticated user to the FortiGate, so that the FortiGate can provide SSO service to this user.
  3. The FortiGate receives the HTTP POST request and responds immediately.
  4. In the meantime, the FortiGate sends the username to fnbamd to further query the user against LDAP for its group membership.
  5. The query for the user's group membership is successful. The user, IP, and group are added to the firewall authentication table on the FortiGate.

Before

{
  "http_method":"POST",
  "status":"success",
  "http_status":200,
  "vdom":"root",
  "path":"user",
  "name":"firewall",
  "action":"auth",
  "serial":"FG4H1E0000000000",
  "version":"v7.0.4",
  "build":291
}
real   0m3.770s
user   0m0.048s
sys    0m0.020s

After

{
  "http_method":"POST",
  "status":"success",
  "http_status":200,
  "vdom":"root",
  "path":"user",
  "name":"firewall",
  "action":"auth",
  "serial":"FG4H1E0000000000",
  "version":"v7.2.0",
  "build":1095
}
real   0m0.115s
user   0m0.040s
sys    0m0.032s

Note the HTTP response time is shorter after the implementation.
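
The process flow above, modelled as an added example (not Fortinet code). It assumes one HTTP handler and one LDAP worker, with latencies derived from the "real" timings on this page. In this model, after the change the HTTP 200 reaches the caller before the user is in the firewall authentication table, so the response confirms receipt of the request rather than the result of the group lookup.

```python
from dataclasses import dataclass

# Constructed figures, derived from the 'real' timings shown on this page.
HTTP_OVERHEAD_S = 0.115               # receive the POST and send the response
LDAP_QUERY_S = 3.770 - 0.115          # remainder attributed to the LDAP lookup (assumption)

@dataclass
class Result:
    user: str
    responded_at: float   # when the caller receives HTTP 200
    in_table_at: float    # when user, IP, and group reach the auth table

def simulate(arrivals, offload):
    """Hypothetical model: one HTTP handler, one LDAP worker.

    arrivals: list of (user, arrival_time_s), sorted by time.
    offload=False: the handler waits for the LDAP lookup before responding.
    offload=True:  the handler responds first and queues the lookup.
    """
    handler_free = worker_free = 0.0
    results = []
    for user, t in arrivals:
        start = max(t, handler_free)
        if offload:
            responded = handler_free = start + HTTP_OVERHEAD_S
            lookup_start = max(responded, worker_free)
            in_table = worker_free = lookup_start + LDAP_QUERY_S
        else:
            in_table = start + HTTP_OVERHEAD_S + LDAP_QUERY_S
            responded = handler_free = in_table
        results.append(Result(user, round(responded, 3), round(in_table, 3)))
    return results

def worst_response_latency(arrivals, results):
    """Longest wait any caller saw between sending the POST and getting HTTP 200."""
    return round(max(r.responded_at - t for (_, t), r in zip(arrivals, results)), 3)

# Constructed burst: five logons relayed at the same instant.
BURST = [(f"user{i}", 0.0) for i in range(5)]

if __name__ == "__main__":
    for offload in (False, True):
        res = simulate(BURST, offload)
        label = "offloaded" if offload else "inline"
        print(label, "worst HTTP latency:", worst_response_latency(BURST, res))
        for r in res:
            print(f"  {r.user}: 200 at {r.responded_at}s, in auth table at {r.in_table_at}s")
```

A caller that needs to know the user was actually placed in a group should check the firewall authentication table rather than rely on the HTTP status alone.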