
Administration Guide

FSSO user groups

FSSO user groups can be retrieved directly from FSSO, from an LDAP server, via a remote FortiGate device, or by polling an Active Directory server. Groups can also be entered manually.

When user groups are retrieved from an LDAP server, the information is cached on FortiManager for 24 hours by default. After the time expires, the information is deleted from the cache. You can change the default setting by using the config system global command with the ldap-cache-timeout variable. For more information, see the FortiManager CLI Reference.
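The CLI form of the cache-timeout change described above, shown here as an added illustration rather than text taken from the guide. The command and variable names are the ones the guide names; the value 3600 is a constructed example, and the assumption that the variable takes a number of seconds is mine, so confirm the accepted range and units in the FortiManager CLI Reference before applying it.

```text
config system global
    set ldap-cache-timeout 3600
end
```

A shorter timeout means membership changes made on the LDAP server (a user removed from a privileged group, for example) are reflected on FortiManager sooner, at the cost of more frequent LDAP queries; with the 24-hour default, a stale group list can remain in the cache until it expires.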

Note

When you upgrade an ADOM from 5.4 or 5.6 to 6.0.0 and later, objects are automatically moved from Policy & Objects > Object Configurations > User & Device > Single Sign-On to Policy & Objects > Object Configurations > Fabric Connectors > SSO/Identity.

To get groups from FSSO:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Object Configurations.
  3. Expand Fabric Connectors, and select SSO/Identity.
  4. Click Create New > Fortinet Single Sign-On Agent from the dropdown list.
  5. Enter a unique name for the agent in the Name field.
  6. Enter the IP address or name, password, and port number of the FSSO servers in the FSSO Agent field. Add and remove servers as needed by clicking the Add and Remove icons at the end of the rows.
  7. Select From FSSO Agents in the Select FSSO Groups field.
  8. Click Apply & Refresh. The Retrieve FSSO User Groups dialog box will open.

  9. Click Next. The groups are retrieved from the FSSO.
  10. Click OK. The groups can now be used in user groups, which can then be used in policies.

To get groups from an LDAP server:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Object Configurations.
  3. Expand Fabric Connectors, and select SSO/Identity.
  4. Click Create New > Fortinet Single Sign-On Agent from the dropdown list.
  5. Enter a unique name for the agent in the Name field.
  6. Select an LDAP server from the dropdown list. LDAP Servers can be added and configured from User & Device > LDAP Servers.
  7. Select groups from the Groups tab, then select Add Selected to add the groups.

    You can also select Manually Specify in the Select LDAP Groups field, and then manually enter the group names.

  8. Select OK.

To get groups via a remote FortiGate:

The FortiGate device configuration must be synchronized or retrieving the FSSO user groups will fail. See Checking device configuration status.

  1. Go to Policy & Objects > Object Configurations.
  2. Expand Fabric Connectors, and select SSO/Identity.
  3. Click Create New > Fortinet Single Sign-On Agent from the dropdown list. The Create New Fortinet Single Sign-On Agent window opens.

  4. Enter a unique name for the agent in the Name field.
  5. Enter the IP address or name, password, and port number of the FSSO servers in the FSSO Agent field. Add and remove servers as needed by clicking the Add and Remove icons at the end of the rows.
  6. Select Via FortiGate in the Select FSSO Groups field.
  7. Click Apply & Refresh. The Retrieve FSSO User Groups wizard will open.

  8. Click Next to proceed with the wizard.
  9. Select the device that the FSSO groups will be imported from. This device must be registered to the FortiManager, its configuration must be synchronized, and it must be able to communicate with the FSSO server.
  10. Click Next. The FSSO agent is installed on the FortiGate, the FortiGate retrieves the groups, and then the groups are imported to the FortiManager.

  11. After the groups have been imported, click Finish. The imported groups will be listed in the User Groups field.

  12. Click OK. The groups can now be used in user groups, which can then be used in policies.

You must rerun the wizard to update the group list. It is not automatically updated.

To get groups from AD:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Object Configurations.
  3. Expand Fabric Connectors, and select SSO/Identity.
  4. Click Create New > Poll Active Directory Server from the dropdown list.
  5. Configure the server name, local user, password, and polling.
  6. Select an LDAP server from the dropdown list. LDAP Servers can be added and configured from User & Device > LDAP Servers.
  7. Select groups from the Groups tab, then select Add Selected to add the groups.

    You can also select Manually Specify in the Select LDAP Groups field, and then manually enter the group names.

  8. Select OK.
