waf site-publish-helper rule
Use this command to configure access control, authentication, and, optionally, SSO for your web applications.
You may want to configure single sign-on (SSO) and combination access control and authentication (called “site publishing” in the GUI) instead of configuring simple HTTP authentication rules if:
- Your users access multiple web applications on your domain
- You have defined accounts centrally on an LDAP (such as Microsoft Active Directory) or RADIUS server
SSO provides a benefit over HTTP authentication rules: your users do not need to authenticate each time they access separate web applications in your domain. When FortiWeb receives the first request, it will return (depending on your configuration) an HTML authentication form or HTTP WWW-Authenticate:
code to the client.
FortiWeb sends the client’s credentials in a query to the authentication server. Once the client is successfully authenticated, if the web application supports HTTP authentication and you have configured delegation, FortiWeb forwards the credentials to the web application. The server’s response is returned to the client. Until the session expires, subsequent requests from the client to the same or other web applications in the same domain do not require the client to authenticate..
For example, you may prefer SSO if you are using FortiWeb to replace your discontinued Microsoft Threat Management Gateway, using it as a portal for multiple applications such as SharePoint, Outlook Web Application, and/or IIS. Your users will only need to authenticate once while using those resources.
Before you configure site publishing, you must first define the queries to your authentication server. For details, see user ldap-user and server-policy custom-application application-policy.
FortiWeb supports the following additional site publishing options:
- RADIUS authentication that requires users to provide a secondary password, PIN, or token code in addition to a username and password (two-factor authentication)
- RADIUS authentication that allows users to authenticate using their username and RSA SecurID token code only (no password)
- Regular Kerberos authentication delegation and Kerberos constrained delegation
For details about these options, see the descriptions of the individual site publishing rule settings and the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf site-publish-helper rule
edit "<site-publish-rule_name>"
set req-type {plain | regular}
set cookieless {enable | disable}
set saml-server "<server_name>"
set service-principal-name-pool "<pool_name>"
set published-site "<host_fqdn>"
set path "<url_str>"
set client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth | ntlm-auth}
set logoff-path-type {plain | regular}
set Published-Server-Logoff-Path "<url_str>"
set cookie-timeout <timeout_int>
set kerberos-type {krb5 | spnego}
set auth-server-pool "<authentication-server-pool_name>"
set form-based-delegation <form-based-delegation_name>
set field-name {subject | SAN}
set attribution-name {email | UPN}
set pass-failed-auth {enable | disable}
set delegated-spn "<delegated-spn_str>"
set delegator-spn "<delegator-spn_str>"
set prefix-support {enable | disable}
set prefix-domain "<prefix-domain_str>"
set alert-type {all | fail | none | success}
set sso-support {enable | disable}
set cookieless {enable | disable}
set append-custom-header {enable | disable}
set custom-header-name <custom-header-name_str>
set custom-header-value-format <custom-header-value-format_str>
set pass-failed-auth {enable | disable}
set cache-tgs-ticket {enable | disable}
next
end
Variable | Description | Default |
Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter:
|
No default. | |
Enable to activate this rule. This can be used to temporarily deactivate access to a single web application without removing it from a site publishing policy. |
enable
|
|
Select whether published-site "<host_fqdn>" contains a literal FQDN (plain ), or a regular expression designed to match multiple host names or fully qualified domain names (regular ). |
plain
|
|
Enable to authenticate clients without using cookies. For cookieless authentication, FortiWeb uses credential cache to avoid frequent requests to the authentication server. |
disable
|
|
You can set the cache timeout value for the cookieless authentication. The valid range is 0-86,400. When it's set to 0, FortiWeb will send authentication requests to the authentication server every time the user logs in. |
|
|
Select the SAML server that FortiWeb uses to authenticate clients. Available only when client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth | ntlm-auth} is set to |
No default. | |
Select the SPN pool for the application that clients access using this site publish rule. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} is |
No default. | |
Depending on your selection in req-type {plain | regular}, enter either:
The maximum length is 256 characters. Note: Regular expressions beginning with an exclamation point ( |
No default. | |
Enter the URL of the request for the web application, such as /owa . It must begin with a forward slash ( / ). |
No default. | |
client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth | ntlm-auth} |
Specify one of the following options:
If waf site-publish-helper rule is |
html-form-auth
|
Specify whether Published-Server-Logoff-Path contains a literal URL (plain ), or a regular expression designed to match multiple URLs (regular ). |
||
This setting appears only if client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth | ntlm-auth} is Depending on the value of
Ensure that the value is a sub-path of the When a client logs out of the web application, FortiWeb redirects the client to its authentication dialog. Note:Regular expressions beginning with an exclamation point ( |
No default. | |
Specify the length of time (in minutes) that passes before the cookie that the site publish rule adds expires and the client must re-authenticate. The valid range is 0–216,000. To disable the limit, enter If waf site-publish-helper rule is If you enter a value of |
0 | |
Enter the name of the pool of servers that FortiWeb uses to authenticate clients. For details, see waf site-publish-helper authentication-server-pool. | No default. | |
auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} |
Specify one of the following options:
If waf site-publish-helper rule is Not available when rsa-securid {enable | disable} is set to |
no-delegation
|
field-name |
Enter the username format that FortiWeb uses to send the user email address to the RADIUS server for authorization. For example, let's say the email address of the user account is example@abc.com. If the format is USERNAME, FortiWeb will send If the format is RAWNAME, FortiWeb will send You can add any letter before or/and after USERNAME/RAWNAME. FortiWeb will combine them together and send it to RADIUS server. So, to send Note: USERNAME and RAWNAME should be exactly as is, and in upper case. This option is available only when |
No default. |
Select the Form Based Delegation you have created. See waf site-publish-helper form-based-delegation. |
No default. |
|
Specify one of the following options to specify the certificate information that FortiWeb uses to determines the client username:
Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} is |
SAN | |
Specify one of the following options to specify the certificate information that FortiWeb uses to determines the client username:
Note: Because the email value can be an alias rather than the real DC (domain controller) domain, the most reliable method for determining the username is SAN and UPN. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} is |
UPN | |
Specify the Service Principal Name (SPN) for the web application that clients access using this site publish rule. A service principal name uses the following format:
For example, for an Exchange server that belongs to the domain Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} is |
No default. | |
Specify the keytab file configuration for the AD user that FortiWeb uses to obtain Kerberos service tickets for clients. For details, see waf site-publish-helper keytab_file. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} is |
No default. | |
Specify the Service Principal Name (SPN) that you used to generate the keytab specified by keytab-file <keytab_file>. This is the SPN of the AD user that FortiWeb uses to obtain a Kerberos service tickets for clients. Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} is |
No default. | |
Enable to allow users in environments that require users to log in using both a domain and username to log in with just a username. Also specify prefix-domain "<prefix-domain_str>". In some environments, the domain controller requires users to log in with the username format Alternatively, enable this option and enter Available only when auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} is |
enable | |
Enter a domain name that FortiWeb adds to the HTTP Available only when prefix-support {enable | disable} is enabled. If auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} is |
No default. | |
Enter the domain suffix of Host: names that will be allowed to share this rule’s authentication sessions, such as .example.com . Include the period ( . ) that precedes the host’s name. |
No default. | |
Enable for single sign-on support. For example, if this website is Site publishing SSO sessions exist on FortiWeb only; they are not synchronized to the authentication and/or accounting server, and therefore SSO is not shared with non-web applications. For SSO with other protocols, consult the documentation for your FortiGate or other firewall. If waf site-publish-helper rule is |
disable
|
|
Specify which site publishing-related authentication events the FortiWeb appliance will log and/or send an alert email about.
Event log messages contain the user name, authentication type, success or failure, and source address (for example, Note: Logging and/or alert email occurs only if it is enabled and configured. For details, see log disk and log alertMail. |
none
|
|
Enable to allow Android clients to access to Microsoft Exchange servers through Exchange ActiveSync protocol. Note: If this is enabled, these are restrictions are put in place:
|
disable
|
|
kerberos-type {krb5 | spnego}
|
Two kinds of authorization mechanisms are available, which are used by
web servers to retrieve the Kerberos tickets. Available only when Authentication Delegation is Kerberos. |
spnego
|
pass-failed-auth {enable | disable}
|
Enable it so that FortiWeb can be configured when Kerberos Constrained Delegation fails. Available only when client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth | ntlm-auth} is client-cert-auth , and auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation} is |
disable
|
append-custom-header {enable | disable}
|
Enable this option to forward the username to the back-end server in HTTP
header. |
disable
|
custom-header-name <custom-header-name_str>
|
Enter a name for the HTTP header. You can change it to any name as you desire, e.g. X-FWB-Uname,
useraccount. Special characters are not supported. |
X-FWB-Username
|
custom-header-value-format <custom-header-value-format_str>
|
Enter the format for the value, such as aaa-USERNAME-bbb, xxx-USERNAME, or
USERNAME. Special characters are not supported. It must contain "USERNAME" in
the value format. FortiWeb replaces the "USERNAME" with the actual username
when forwarding the HTTP header to the back-end server. |
xxx-USERNAME-XXX
|
pass-failed-auth {enable | disable}
|
This option is enabled automatically when the Authentication Delegation is Kerberos Constrained Delegation. When it is disabled and Kerberos Constrained Delegation fails, 500 and Account Failed Authentication pages will be returned. |
enable
|
cache-tgs-ticket
|
This option is enabled automatically when the Authentication Delegation is Kerberos Constrained Delegation or Kerberos to control whether caching kerberos tgs ticket. When pass-failed-auth {enable | disable} is disabled, this option will also be disabled. |
enable
|
Example
This example configures a site publisher with SSO for both Outlook and Sharepoint on the example.com
domain.
config waf site-publish-helper authentication-server-pool
edit "LDAP server pool"
edit 1
set server-type ldap
set ldap-server "LDAP query 1"
end
next
end
config waf site-publish-helper authentication-server-pool
edit "RADIUS server pool"
edit 1
set server-type radius
set ldap-server "RADIUS query 1"
end
next
end
config waf site-publish-helper rule
edit "Outlook"
set published-site "^*\.example\.edu"
set auth-server-pool "LDAP server pool"
set auth-delegation http-basic
set sso-support enable
set sso-domain ".example.edu"
set path "/owa"
set alert-type fail
set Published-Server-Logoff-Path /owa/auth/logoff.aspx?Cmd=logoff
next
edit "Sharepoint"
set published-site ^*\\.example\\.edu
set req-type regular
set auth-server-pool "RADIUS server pool"
set auth-delegation http-basic
set sso-support enable
set sso-domain ".example.edu"
set path "/sharepoint"
set alert-type fail
next
end
config waf site-publish-helper policy
edit "example_com_apps"
config rule
edit 1
set rule-name "Outlook"
next
edit 2
set rule-name "Sharepoint"
next
end
next
end