FSSO user groups
FSSO user groups can be retrieved directly from FSSO, from an LDAP server, via a remote FortiGate device, or by polling the active directory server. Groups can also be entered manually.
When user groups are retrieved from an LDAP server, the information is cached on FortiManager for 24 hours by default. After the time expires, the information is deleted from the cache. You can change the default setting by using the config system global
command with the ldap-cache-timeout
variable. For more information, see the FortiManager CLI Reference.
To get groups from FSSO:
- Ensure you are in the correct ADOM.
- Go to Policy & Objects > Object Configurations.
- Expand Fabric Connectors, and select Endpoint/Identity.
- Click Create New > Fortinet Single Sign-On Agent from the drop-down list.
- Enter a unique name for the agent in the Name field.
- Enter the IP address or name, password, and port number of the FSSO servers in the FSSO Agent field. Add and remove servers as needed by clicking the Add and Remove icons at the end of the rows.
- Select Collector Agent in the User Group Source field.
- Click Apply & Refresh. The Retrieve FSSO User Groups dialog box will open.
- Click Next. The groups are retrieved from the FSSO.
- Click OK. The groups can now be used in user groups, which can then be used in policies.
To get groups from an LDAP server:
- Ensure you are in the correct ADOM.
- Go to Policy & Objects > Object Configurations.
- Expand Fabric Connectors, and select Endpoint/Identity.
- Click Create New > Fortinet Single Sign-On Agent from the drop-down list.
- Enter a unique name for the agent in the Name field.
- Select Local in the User Group Source.
- Select an LDAP server from the drop-down list. LDAP Servers can be added and configured from User & Device > LDAP Servers.
- Toggle Proactively Retrieve from LDAP Server to ON.
- Specify the value for the Search Filter and the Interval in minutes.
- For the Select LDAP Groups option, select Remote Server. Alternatively, select Manually Specify and specify the group names.
- Select OK.
To get groups via a remote FortiGate:
The FortiGate device configuration must be synchronized or retrieving the FSSO user groups will fail. See Checking device configuration status. |
- Go to Policy & Objects > Object Configurations.
- Expand Fabric Connectors, and select Endpoint/Identity.
- Click Create New > Fortinet Single Sign-On Agent from the drop-down list. The Create New Fortinet Single Sign-On Agent window opens.
- Enter a unique name for the agent in the Name field.
- Enter the IP address or name, password, and port number of the FSSO servers in the FSSO Agent field. Add and remove servers as needed by clicking the Add and Remove icons at the end of the rows.
- Select Via FortiGate in the Select FSSO Groups field.
- Click Apply & Refresh. The Retrieve FSSO User Groups wizard will open.
- Click Next to proceed with the wizard.
- Select the device that the FSSO groups will be imported from. This device must be authorized for central management by FortiManager, its configuration must be synchronized, and it must be able to communicate with the FSSO server.
- Click Next. The FSSO agent is installed on the FortiGate, the FortiGate retrieves the groups, and then the groups are imported to the FortiManager.
- After the groups have been imported, click Finish. The imported groups will be listed in the User Groups field.
- Click OK. The groups can now be used in user groups, which can then be used in policies.
You must rerun the wizard to update the group list. It is not automatically updated. |
To get groups from AD:
- Ensure you are in the correct ADOM.
- Go to Policy & Objects > Object Configurations.
- Expand Fabric Connectors, and select Endpoint/Identity.
- Click Create New > Poll Active Directory Server from the drop-down list.
- Configure the server name, local user, password, and polling.
- Select an LDAP server from the drop-down list. LDAP Servers can be added and configured from User & Device > LDAP Servers.
- Select groups from the Groups tab, then select Add Selected to add the groups.
You can also select Manually Specify in the Select LDAP Groups field, and then manually enter the group names.
- Select OK.