Using HTTP Basic SSO

When an application uses a Credentials Management API to prompt for user credentials, you must enter the required information that can be validated either by the operating system or by the web application. You can specify your domain credentials information in either of the following formats:

  • User Principal Name (UPN)
  • Down-Level Logon Name

The UPN format specifies an Internet-style name, such as UserName@Example.Fortinet.com. The Anatomy of a UPN table shows the components of a UPN:

Anatomy of a UPN

Component     Comment                          Example
User name     The name of an account           JohnDoeII
Separator     The at sign (@)                  @
UPN suffix    Also known as the domain name    Example.Fortinet.com

The down-level logon name format specifies a domain and a user account in that domain, for example, DOMAIN\UserName. Anatomy of a down-level logon name highlights the components of a down-level logon name:

Anatomy of a down-level logon name

Component              Description                      Example
NetBIOS domain name    Domain name                      Domain
Separator              The backslash (\)                \
User account name      Also known as the login name     User name

FortiADC supports HTTP basic SSO when Client Authentication Method is set to either HTML Form Authentication or HTML Basic Authentication.

For HTTP basic SSO, FortiADC forwards the client’s credentials to the web application via the HTTP “Authorization” header. For example, username/password "user1/fortinet" from a client is added to the HTTP header in the format "Authorization: Basic dXNlcjE6Zm9ydGluZXQ=", and then forwarded to the back-end web application.

You can log in to a web application with either a UPN or a down-level logon name, and FortiADC can add the domain part of your logon name for you. Adding the default domain prefix automatically lets you log in with your user name alone in environments that require both a user name and a domain name. This is convenient when you do not remember your domain name while logging in to a web application.

Configure HTTP Basic SSO

Use the following steps to configure HTTP basic SSO authentication:

  1. Click User Authentication > Authentication Relay.
  2. Click Create New to open the configuration editor dialog.
  3. Make the desired entries or selections as described in HTTP Basic SSO authentication configuration.
  4. Click Save when done.

HTTP Basic SSO authentication configuration

Name
  Specify the name of the authentication relay configuration.

Delegation Type
  Select HTTP Basic.

Authorization
  Select either of the following:
  • HTTP Error 401—If selected, FortiADC relays the authentication credentials only when it encounters an HTTP 401 error from the back-end server.
  • Always—If selected, FortiADC relays the authentication credentials all the time.

Domain Prefix Support
  This is a switch to enable or disable the default domain prefix function.
  Sometimes the domain controller requires the user to log in with the user name in the format "domain\username", such as ‘KFOR\user1’. When this option is enabled, the user can also log in successfully by entering only ‘user1’, because FortiADC automatically adds the prefix ‘KFOR\’ and sends ‘KFOR\user1’ to the server.

Domain Prefix
  The value that is added as the domain prefix when Domain Prefix Support (above) is enabled and the user enters a user name without the domain.
  Note: The value of this domain prefix MUST be a valid NetBIOS domain name.
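The header construction described in the paragraph on the HTTP “Authorization” header and the Domain Prefix Support / Domain Prefix settings above are two halves of one pipeline: normalize the logon name, then base64-encode user:password into the header the back-end server receives. The following Python is an added example written for this page, not FortiADC code. Its function names, the NetBIOS validity rule it applies (1 to 15 characters, none of the characters \ / : * ? " < > |, not all digits) and the way it models the HTTP Error 401 / Always relay modes are assumptions of this example; the credential pair user1/fortinet and the domain prefix KFOR come from the page.

```python
"""
Added example (not FortiADC code): the transformations an HTTP Basic relay
performs on a logon name before it forwards the credentials upstream.
"""
import base64
from typing import Optional, Tuple

# Characters Windows does not accept in a NetBIOS name (assumed classic rule set).
_NETBIOS_DISALLOWED = set('\\/:*?"<>|')


def is_valid_netbios_domain(name: str) -> bool:
    """Conservative NetBIOS domain-name check: 1-15 characters, no disallowed
    characters, and not composed only of digits. A DNS-style UPN suffix such as
    Example.Fortinet.com fails on length alone, which is the mistake the page's
    note warns about."""
    if not 1 <= len(name) <= 15:
        return False
    if any(ch in _NETBIOS_DISALLOWED for ch in name):
        return False
    return not name.isdigit()


def classify_logon_name(logon: str) -> str:
    """Return 'downlevel' (DOMAIN\\user), 'upn' (user@suffix) or 'bare' (user)."""
    if "\\" in logon:
        return "downlevel"
    if "@" in logon:
        return "upn"
    return "bare"


def apply_domain_prefix(logon: str, prefix_support: bool,
                        domain_prefix: Optional[str]) -> str:
    """Add DOMAIN\\ only to a bare user name and only when the switch is on;
    UPN and down-level names already carry their domain and pass through."""
    if not prefix_support or classify_logon_name(logon) != "bare":
        return logon
    if not domain_prefix or not is_valid_netbios_domain(domain_prefix):
        raise ValueError("Domain Prefix must be a valid NetBIOS domain name")
    return f"{domain_prefix}\\{logon}"


def basic_authorization_header(username: str, password: str) -> str:
    """Build 'Authorization: Basic <base64(user:password)>' as in RFC 7617."""
    if ":" in username:  # the user-id may not contain a colon; the password may
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_basic_authorization(header: str) -> Tuple[str, str]:
    """Recover the credentials from the header. Base64 is a reversible encoding,
    not encryption: anyone who can read the header can read the password."""
    prefix = "Authorization: Basic "
    if not header.startswith(prefix):
        raise ValueError("not an HTTP Basic Authorization header")
    raw = base64.b64decode(header[len(prefix):], validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credentials are not in user:password form")
    return user, password


def should_relay(authorization_mode: str, upstream_status: int) -> bool:
    """'HTTP Error 401' relays only after the back end answers 401;
    'Always' relays on every request."""
    if authorization_mode == "Always":
        return True
    if authorization_mode == "HTTP Error 401":
        return upstream_status == 401
    raise ValueError(f"unknown Authorization mode: {authorization_mode}")


def relay_header(logon: str, password: str, prefix_support: bool,
                 domain_prefix: Optional[str]) -> str:
    """End to end: normalize the logon name, then build the header the back end sees."""
    normalized = apply_domain_prefix(logon, prefix_support, domain_prefix)
    return basic_authorization_header(normalized, password)


if __name__ == "__main__":
    # The page's own example: user1/fortinet -> dXNlcjE6Zm9ydGluZXQ=
    print(relay_header("user1", "fortinet", prefix_support=False, domain_prefix=None))
    # With Domain Prefix Support on and Domain Prefix "KFOR", a bare name is prefixed
    print(relay_header("user1", "fortinet", prefix_support=True, domain_prefix="KFOR"))
    print(decode_basic_authorization("Authorization: Basic dXNlcjE6Zm9ydGluZXQ="))
```

Because the decoder recovers user1/fortinet from the forwarded header with no key, the leg between the relay and the back-end web application carries the password in the clear unless that leg itself is protected by TLS; a practitioner checking this configuration should confirm the real-server profile is HTTPS, not only the client-facing virtual server.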