Fortinet black logo

Administration Guide

Creating FSSO connectors

Creating FSSO connectors

You can create SSO/identity connectors for Fortinet single sign-on (FSSO) agents.

FSSO is the authentication protocol by which users can transparently authenticate to FortiGate, FortiClient EMS, FortiAuthenticator, and FortiCache devices.

To create FSSO connectors:
  1. Go to Fabric View > Fabric > Connectors, and click Create New. The Create New Fabric Connector wizard is displayed.
  2. Under Endpoint/Identity, select Fortinet Single Sign-on Agent.
  3. Configure the following options, and click OK:

    Name

    Type a name for the connector object.

    Type

    Select the FSSO connector type as either Active Directory / FortiAuthenticator or FortiNAC.

    FSSO Agent

    Complete the IP/Name, Password, and Port options for each unit that will act as an SSO agent.

    User Group Source

    Specify whether to get FSSO groups from a Collector Agents, Via FortiGate, or Local.

    User Groups

    Displays imported FSSO groups from the selected source.

    This field is only displayed when the User Group Source is Collector Agents or Via FortiGate.

    LDAP Server

    Select the LDAP server. You can create a new LDAP server by clicking the add icon, or choose an existing LDAP server from the dropdown list.

    This field is only displayed when the User Group Source is Local.

    Proactively Retrieve from LDAP

    (Optional) Toggle this field On to proactively retrieve from the LDAP server.

    Select LDAP Groups

    Select the LDAP groups by choosing Remote Server or Manually Specify.

    When Manually Specify is selected, you can add each LDAP group in the Group Name field.

    This field is only displayed when the User Group Source is Local.

    SSL

    (Optional) Toggle this field On to enable SSL encryption.

    When enabled, the SSL Trusted Certificate field is displayed where you can specify the SSL certificate.

    Per-Device Mapping

    (Optional) Toggle On to set per-device mappings between FortiGate units and FSSO agents, and then create the mappings. Toggle OFF to disable this feature.

    Advanced Options

    Expand to view and configure advanced options for Fortinet single sign-on agents. For details, see the FortiOS CLI Reference.

To configure the FSSO connector as a FortiClient EMS Connector, select the Type as FortiClient EMS, IP/Name as the Windows Server's IP and turn SSL to ON. Click Apply and Refresh. The connector gets a list of tags from the EMS server and shows them as User Groups. This is similar to the Active Directory groups in Windows Server.

Note

When you have an FSSO polling server configured on the FortiManager fabric connector, FortiManager will import and install all fsso-polling objects to managed FortiGate devices in the ADOM, including to devices that do not have references to the polling objects in their policies. user adgrp objects are also imported and installed if any fsso-polling objects are copied.

Creating FSSO connectors

You can create SSO/identity connectors for Fortinet single sign-on (FSSO) agents.

FSSO is the authentication protocol by which users can transparently authenticate to FortiGate, FortiClient EMS, FortiAuthenticator, and FortiCache devices.

To create FSSO connectors:
  1. Go to Fabric View > Fabric > Connectors, and click Create New. The Create New Fabric Connector wizard is displayed.
  2. Under Endpoint/Identity, select Fortinet Single Sign-on Agent.
  3. Configure the following options, and click OK:

    Name

    Type a name for the connector object.

    Type

    Select the FSSO connector type as either Active Directory / FortiAuthenticator or FortiNAC.

    FSSO Agent

    Complete the IP/Name, Password, and Port options for each unit that will act as an SSO agent.

    User Group Source

    Specify whether to get FSSO groups from a Collector Agents, Via FortiGate, or Local.

    User Groups

    Displays imported FSSO groups from the selected source.

    This field is only displayed when the User Group Source is Collector Agents or Via FortiGate.

    LDAP Server

    Select the LDAP server. You can create a new LDAP server by clicking the add icon, or choose an existing LDAP server from the dropdown list.

    This field is only displayed when the User Group Source is Local.

    Proactively Retrieve from LDAP

    (Optional) Toggle this field On to proactively retrieve from the LDAP server.

    Select LDAP Groups

    Select the LDAP groups by choosing Remote Server or Manually Specify.

    When Manually Specify is selected, you can add each LDAP group in the Group Name field.

    This field is only displayed when the User Group Source is Local.

    SSL

    (Optional) Toggle this field On to enable SSL encryption.

    When enabled, the SSL Trusted Certificate field is displayed where you can specify the SSL certificate.

    Per-Device Mapping

    (Optional) Toggle On to set per-device mappings between FortiGate units and FSSO agents, and then create the mappings. Toggle OFF to disable this feature.

    Advanced Options

    Expand to view and configure advanced options for Fortinet single sign-on agents. For details, see the FortiOS CLI Reference.

To configure the FSSO connector as a FortiClient EMS Connector, select the Type as FortiClient EMS, IP/Name as the Windows Server's IP and turn SSL to ON. Click Apply and Refresh. The connector gets a list of tags from the EMS server and shows them as User Groups. This is similar to the Active Directory groups in Windows Server.

Note

When you have an FSSO polling server configured on the FortiManager fabric connector, FortiManager will import and install all fsso-polling objects to managed FortiGate devices in the ADOM, including to devices that do not have references to the polling objects in their policies. user adgrp objects are also imported and installed if any fsso-polling objects are copied.