waf site-publish-helper rule

Use this command to configure access control, authentication, and, optionally, SSO for your web applications.

You may want to configure single sign-on (SSO) and combination access control and authentication (called “site publishing” in the GUI) instead of configuring simple HTTP authentication rules if:

Your users access multiple web applications on your domain
You have defined accounts centrally on an LDAP (such as Microsoft Active Directory) or RADIUS server

SSO provides a benefit over HTTP authentication rules: your users do not need to authenticate each time they access separate web applications in your domain. When FortiWeb receives the first request, it will return (depending on your configuration) an HTML authentication form or HTTP WWW-Authenticate: code to the client.

FortiWeb sends the client’s credentials in a query to the authentication server. Once the client is successfully authenticated, if the web application supports HTTP authentication and you have configured delegation, FortiWeb forwards the credentials to the web application. The server’s response is returned to the client. Until the session expires, subsequent requests from the client to the same or other web applications in the same domain do not require the client to authenticate..

For example, you may prefer SSO if you are using FortiWeb to replace your discontinued Microsoft Threat Management Gateway, using it as a portal for multiple applications such as SharePoint, Outlook Web Application, and/or IIS. Your users will only need to authenticate once while using those resources.

Before you configure site publishing, you must first define the queries to your authentication server. For details, see user ldap-user and server-policy custom-application application-policy.

FortiWeb supports the following additional site publishing options:

RADIUS authentication that requires users to provide a secondary password, PIN, or token code in addition to a username and password (two-factor authentication)
RADIUS authentication that allows users to authenticate using their username and RSA SecurID token code only (no password)
Regular Kerberos authentication delegation and Kerberos constrained delegation

For details about these options, see the descriptions of the individual site publishing rule settings and the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf site-publish-helper rule

edit "<site-publish-rule_name>"

set status {enable | disable}

set req-type {plain | regular}

set cookieless {enable | disable}

set cookieless-cache <int>

set saml-server "<server_name>"

set service-principal-name-pool "<pool_name>"

set published-site "<host_fqdn>"

set path "<url_str>"

set client-auth-method {html-form-auth | http-auth | client-cert-auth | saml-auth | ntlm-auth}

set logoff-path-type {plain | regular}

set Published-Server-Logoff-Path "<url_str>"

set cookie-timeout <timeout_int>

set kerberos-type {krb5 | spnego}

set auth-server-pool "<authentication-server-pool_name>"

set auth-delegation {http-basic | kerberos | kerberos-constrained-delegation | radius-constrained-delegation |no-delegation | ntlm | form-based-delegation}

set form-based-delegation <form-based-delegation_name>

set field-name {subject | SAN}

set attribution-name {email | UPN}

set pass-failed-auth {enable | disable}

set delegated-spn "<delegated-spn_str>"

set keytab-file <keytab_file>

set delegator-spn "<delegator-spn_str>"

set prefix-support {enable | disable}

set prefix-domain "<prefix-domain_str>"

set alert-type {all | fail | none | success}

set sso-support {enable | disable}

set sso-domain "<domain_str>"

set cookieless {enable | disable}

set append-custom-header {enable | disable}

set custom-header-name <custom-header-name_str>

set custom-header-value-format <custom-header-value-format_str>

set pass-failed-auth {enable | disable}

set cache-tgs-ticket {enable | disable}

end

Variable	Description	Default
"<site-publish-rule_name>"	Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter: `edit ?`	No default.
status {enable \| disable}	Enable to activate this rule. This can be used to temporarily deactivate access to a single web application without removing it from a site publishing policy.	`enable`
req-type {plain \| regular}	Select whether published-site "<host_fqdn>" contains a literal FQDN (`plain`), or a regular expression designed to match multiple host names or fully qualified domain names (`regular`).	`plain`
cookieless {enable \| disable}	Enable to authenticate clients without using cookies. For cookieless authentication, FortiWeb uses credential cache to avoid frequent requests to the authentication server.	`disable`
cookieless-cache <int>	You can set the cache timeout value for the cookieless authentication. The valid range is 0-86,400. When it's set to 0, FortiWeb will send authentication requests to the authentication server every time the user logs in.	`3600`
saml-server "<server_name>"	Select the SAML server that FortiWeb uses to authenticate clients. Available only when client-auth-method {html-form-auth \| http-auth \| client-cert-auth \| saml-auth \| ntlm-auth} is set to `saml-auth`.	No default.
service-principal-name-pool "<pool_name>"	Select the SPN pool for the application that clients access using this site publish rule. Available only when auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation} is `kerberos` or `kerberos-constrained-delegation`.	No default.
published-site "<host_fqdn>"	Depending on your selection in req-type {plain \| regular}, enter either: The literal `Host:` name, such as `sharepoint.example.com`, that the HTTP request must contain in order to match the rule. A regular expression, such as `^\.example\.edu`, matching only the host names to which the rule should apply. The maximum length is 256 characters. Note:* Regular expressions beginning with an exclamation point ( `!` ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides	No default.
path "<url_str>"	Enter the URL of the request for the web application, such as `/owa`. It must begin with a forward slash ( / ).	No default.
client-auth-method {html-form-auth \| http-auth \| client-cert-auth \| saml-auth \| ntlm-auth}	Specify one of the following options: `html-form-auth`—FortiWeb authenticates clients by presenting an HTML web page with an authentication form. When the authentication cookie expires, FortiWeb replies to the first request without a valid authentication cookie with a 200 (OK) status code and injects HTML into the response, showing the user the login page. `http-auth`—FortiWeb authenticates clients by replying to the request with a 401 (Unauthorized) status code, and the browser displays a traditional, browser-specific authentication prompt. `client-cert-auth`—FortiWeb validates the HTTP client’s personal certificate using the certificate verifier specified in the associated server policy or server pool configuration. `saml-auth`—FortiWeb uses a SAML server to pass identity information to a service provider via a signed XML document for client authentication. When the authentication cookie expires, FortiWeb replies to the first request without a valid authentication cookie with a 301 (Moved Temporarily) status code, forcing the browser to direct to the authentication page. `ntlm-auth`—FortiWeb uses a NTLM server for client authentication. FortiWeb replies to the first request from the client with a 401 (Unauthorized) status code, and the browser displays a traditional, browser-specific authentication prompt. If waf site-publish-helper rule is `enable`, only `http_auth` is allowed here.	`html-form-auth`
logoff-path-type {plain \| regular}	Specify whether `Published-Server-Logoff-Path` contains a literal URL (`plain`), or a regular expression designed to match multiple URLs (`regular`).
Published-Server-Logoff-Path "<url_str>"	This setting appears only if client-auth-method {html-form-auth \| http-auth \| client-cert-auth \| saml-auth \| ntlm-auth} is `html-form-auth`. Depending on the value of `logoff-path-type`, enter one of the following values: The literal URL of the request that a client sends to log out of the application (for example, `/owa/auth/logoff.aspx` . A regular expression that matches the request that a client sends to log out of the application. Ensure that the value is a sub-path of the `path` value. For example, if `path` is `/owa`, `/owa/auth/logoff.aspx` is a valid value. When a client logs out of the web application, FortiWeb redirects the client to its authentication dialog. Note:Regular expressions beginning with an exclamation point ( `!` ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides	No default.
cookie-timeout <timeout_int>	Specify the length of time (in minutes) that passes before the cookie that the site publish rule adds expires and the client must re-authenticate. The valid range is 0–216,000. To disable the limit, enter `0`. If waf site-publish-helper rule is `enable`, this must be `0`. If you enter a value of `0`, the browser only deletes the cookie when the user closes all browser windows.	0
auth-server-pool "<authentication-server-pool_name>"	Enter the name of the pool of servers that FortiWeb uses to authenticate clients. For details, see waf site-publish-helper authentication-server-pool.	No default.
auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation}	Specify one of the following options: http-basic—Use HTTP `Authorization:` headers with Base64 encoding to forward the client’s credentials to the web application. Typically, you should select this option if the web application supports HTTP protocol-based authentication. Available only if client-auth-method {html-form-auth \| http-auth \| client-cert-auth \| saml-auth \| ntlm-auth} is `html-form-auth` or `http-auth`. kerberos—After it authenticates the client via the HTTP form or HTTP basic method, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP `Authorization:` header of the client request with Base64 encoding. Available only if `client-auth-method` is `html-form-auth` or `http-auth`. kerberos-constrained-delegation—After it authenticates the client’s certificate, FortiWeb obtains a Kerberos service ticket for the specified web application on behalf of the client. It adds the ticket to the HTTP `Authorization:` header of the client request with Base64 encoding. Available only if `client-auth-method` is `client-cert-auth`. `radius-constrained-delegation`——After it authenticates the client’s certificate, FortiWeb sends a RADIUS access-request to the RADIUS server, using the RFC822 name (email address) of the certificate’s Subject Alternative Name. For some applications a prefix should be added to the mail address sent to the RADIUS server (example: “app1/forename.surname@org.com”). Use `field-name` to define the format of the extracted user name. Available only if `client-auth-method` is `client-cert-auth`. no-delegation—FortiWeb does not send the client’s credentials to the web application. Select this option when the web application has no authentication of its own or uses HTML form-based authentication. Note: If the web application uses HTML form-based authentication, the client is required to authenticate twice: once with FortiWeb and once with the web application’s form. `ntlm`—FortiWeb uses NT LAN Manager (NTLM) for authentication delegation. This is a challenge/response authentication protocol that FortiWeb uses to verify the identify of clients attempting to connect to the server(s). Note: If the `POST` method request triggers NTLM authentication, the request body cannot exceed 100M. `form-based-delegation`—FortiWeb uses Form Based Delegation to forward the client’s credentials to the server. Available only when `client-auth-method` is `html-form-auth`. If waf site-publish-helper rule is `enable`, only `no_delegation` or `http-basic` is allowed here. Not available when rsa-securid {enable \| disable} is set to `enable`.	`no-delegation`
field-name	Enter the username format that FortiWeb uses to send the user email address to the RADIUS server for authorization. For example, let's say the email address of the user account is example@abc.com. If the format is USERNAME, FortiWeb will send `example` to RADIUS server. If the format is RAWNAME, FortiWeb will send `example@abc.com` to RADIUS server. You can add any letter before or/and after USERNAME/RAWNAME. FortiWeb will combine them together and send it to RADIUS server. So, to send `app1/example@abc.com`, you can enter either `app1/USERNAME@abc.com` or `app1/RAWNAME`. Note: USERNAME and RAWNAME should be exactly as is, and in upper case. This option is available only when `auth-delegation` is `radius-constrained-delegation`.	No default.
form-based-delegation <form-based-delegation_name>	Select the Form Based Delegation you have created. See waf site-publish-helper form-based-delegation.	No default.
field-name {subject \| SAN}	Specify one of the following options to specify the certificate information that FortiWeb uses to determines the client username: `subject`—The email address value in the certificate’s Subject information. For attribution-name {email \| UPN}, select `email`. `SAN`—The certificate’s subjectAltName (Subject Alternative Name or SAN) and either the User Principal Name (UPN) or the email address value in the certificate’s Subject information. For `attribution-name`, enter `UPN` or `email`. In certificates issued in a Windows environment, the certificate’s SAN and UPN contain the username. For example: `username@domain` Available only when auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation} is `kerberos-constrained-delegation`.	SAN
attribution-name {email \| UPN}	Specify one of the following options to specify the certificate information that FortiWeb uses to determines the client username: `email`—The email address value in the certificate’s Subject information. For field-name {subject \| SAN}, enter `subject` or `SAN`. `UPN`—The User Principal Name (UPN) value. For `field-name`, enter `SAN`. Note: Because the email value can be an alias rather than the real DC (domain controller) domain, the most reliable method for determining the username is SAN and UPN. Available only when auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation} is `kerberos-constrained-delegation`.	UPN
delegated-spn "<delegated-spn_str>"	Specify the Service Principal Name (SPN) for the web application that clients access using this site publish rule. A service principal name uses the following format: `<service_type >/<instance_name>:<port_number>/` `<service_name>` For example, for an Exchange server that belongs to the domain `dc1.com` and has the hostname `USER-U3LOJFPLH1`, the SPN is `http/USER-U3LOJFPLH1.dc1.com@DC1.COM`. Available only when auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation} is `kerberos` or `kerberos-constrained-delegation`.	No default.
keytab-file <keytab_file>	Specify the keytab file configuration for the AD user that FortiWeb uses to obtain Kerberos service tickets for clients. For details, see waf site-publish-helper keytab_file. Available only when auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation} is `kerberos-constrained-delegation`.	No default.
delegator-spn "<delegator-spn_str>"	Specify the Service Principal Name (SPN) that you used to generate the keytab specified by keytab-file <keytab_file>. This is the SPN of the AD user that FortiWeb uses to obtain a Kerberos service tickets for clients. Available only when auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation} is `kerberos-constrained-delegation`.	No default.
prefix-support {enable \| disable}	Enable to allow users in environments that require users to log in using both a domain and username to log in with just a username. Also specify prefix-domain "<prefix-domain_str>". In some environments, the domain controller requires users to log in with the username format `domain\username`. For example, if the domain is `example.com` and the username is `user1`, the user enters `EXAMPLE\user1`. Alternatively, enable this option and enter `EXAMPLE` for prefix-domain "<prefix-domain_str>". The user enters `user1` for the username value and FortiWeb automatically adds `EXAMPLE\` to the HTTP `Authorization:` header before it forwards it to the web application. Available only when auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation} is `http-basic` or `kerberos`.	enable
prefix-domain "<prefix-domain_str>"	Enter a domain name that FortiWeb adds to the HTTP `Authorization:` header before it forwards it to the web application. Available only when prefix-support {enable \| disable} is enabled. If auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation} is `kerberos`, ensure that the string is the full domain name (for example, `example.com`).	No default.
sso-domain "<domain_str>"	Enter the domain suffix of `Host:` names that will be allowed to share this rule’s authentication sessions, such as `.example.com`. Include the period ( `.` ) that precedes the host’s name.	No default.
sso-support {enable \| disable}	Enable for single sign-on support. For example, if this website is `www1.example.com` and the SSO domain is `.example.com`, once a client has authenticated with that site, it can access `www2.example.com` without authenticating a second time. Site publishing SSO sessions exist on FortiWeb only; they are not synchronized to the authentication and/or accounting server, and therefore SSO is not shared with non-web applications. For SSO with other protocols, consult the documentation for your FortiGate or other firewall. If waf site-publish-helper rule is `enable`, this must be `disable`.	`disable`
alert-type {all \| fail \| none \| success}	Specify which site publishing-related authentication events the FortiWeb appliance will log and/or send an alert email about. `all` `fail` `success` `none` Event log messages contain the user name, authentication type, success or failure, and source address (for example, `User jdoe [Site Publish] login successful from 172.0.2.5`) when an end-user successfully authenticates. A similar message is recorded if the authentication fails (for example, `User hackers [Site Publish] login failed from 172.0.2.5`). Note: Logging and/or alert email occurs only if it is enabled and configured. For details, see log disk and log alertMail.	`none`
cookieless {enable \| disable}	Enable to allow Android clients to access to Microsoft Exchange servers through Exchange ActiveSync protocol. Note: If this is enabled, these are restrictions are put in place: Only `http_auth` is allowed for client-auth-method {html-form-auth \| http-auth \| client-cert-auth \| saml-auth \| ntlm-auth}. sso-support {enable \| disable} must be `disable`. cookie-timeout <timeout_int> must be `0`. Only `no_delegation`, `http-basic` or `kerberos` is allowed for auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation}.	`disable`
`kerberos-type {krb5 \| spnego}`	Two kinds of authorization mechanisms are available, which are used by web servers to retrieve the Kerberos tickets. Available only when Authentication Delegation is Kerberos.	`spnego`
`pass-failed-auth {enable \| disable}`	Enable it so that FortiWeb can be configured when Kerberos Constrained Delegation fails. Available only when client-auth-method {html-form-auth \| http-auth \| client-cert-auth \| saml-auth \| ntlm-auth} is `client-cert-auth`, and auth-delegation {http-basic \| kerberos \| kerberos-constrained-delegation \| radius-constrained-delegation \|no-delegation \| ntlm \| form-based-delegation} is `kerberos-constrained-delegation`.	`disable`
`append-custom-header {enable \| disable}`	Enable this option to forward the username to the back-end server in HTTP header.	`disable`
`custom-header-name <custom-header-name_str>`	Enter a name for the HTTP header. You can change it to any name as you desire, e.g. X-FortiWeb-Uname, useraccount. Special characters are not supported.	`X-FortiWeb-Username`
`custom-header-value-format <custom-header-value-format_str>`	Enter the format for the value, such as aaa-USERNAME-bbb, xxx-USERNAME, or USERNAME. Special characters are not supported. It must contain "USERNAME" in the value format. FortiWeb replaces the "USERNAME" with the actual username when forwarding the HTTP header to the back-end server.	`xxx-USERNAME-XXX`
`pass-failed-auth {enable \| disable}`	This option is enabled automatically when the Authentication Delegation is Kerberos Constrained Delegation. When it is disabled and Kerberos Constrained Delegation fails, 500 and Account Failed Authentication pages will be returned.	`enable`
`cache-tgs-ticket {enable \| disable}`	This option is enabled automatically when the Authentication Delegation is Kerberos Constrained Delegation or Kerberos to control whether caching kerberos tgs ticket. When pass-failed-auth {enable \| disable} is disabled, this option will also be disabled.	`enable`

Example

This example configures a site publisher with SSO for both Outlook and Sharepoint on the example.com domain.

config waf site-publish-helper authentication-server-pool

edit "LDAP server pool"

edit 1

set server-type ldap

set ldap-server "LDAP query 1"

end

config waf site-publish-helper authentication-server-pool

edit "RADIUS server pool"

edit 1

set server-type radius

set ldap-server "RADIUS query 1"

end

config waf site-publish-helper rule

edit "Outlook"

set published-site "^*\.example\.edu"

set auth-server-pool "LDAP server pool"

set auth-delegation http-basic

set sso-support enable

set sso-domain ".example.edu"

set path "/owa"

set alert-type fail

set Published-Server-Logoff-Path /owa/auth/logoff.aspx?Cmd=logoff

edit "Sharepoint"

set published-site ^*\\.example\\.edu

set req-type regular

set auth-server-pool "RADIUS server pool"

set auth-delegation http-basic

set sso-support enable

set sso-domain ".example.edu"

set path "/sharepoint"

set alert-type fail

end

config waf site-publish-helper policy

edit "example_com_apps"

config rule

edit 1

set rule-name "Outlook"

edit 2

set rule-name "Sharepoint"

end