Fortinet Single Sign-On
Fortinet Single Sign-On (FSSO) is a set of methods to transparently authenticate users to FortiGate devices. This means that FortiAuthenticator is trusting the implicit authentication of a different system, and using that to identify the user. FortiAuthenticator takes this framework and enhances it with several authentication methods:
- Users can authenticate through a web portal and a set of embeddable widgets.
- Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
- Users authenticating against Active Directory can be automatically authenticated.
- RADIUS Accounting packets can be used to trigger an FSSO authentication.
- Users can be identified through the FortiAuthenticator API. This is useful for integration with third-party systems.
|This section describes FSSO only. FSSO authentication methods do not require accounting proxy configuration.|
FortiAuthenticator must be configured to collect the relevant user logon data. After this basic configuration is complete, the various methods of collecting the log in information can be set up as needed.
Domain controller polling
When FortiAuthenticator runs for the first time, it will poll the domain controller (DC) logs backwards until either the end of the log file or the logon timeout setting, whichever is reached first.
When FortiAuthenticator is rebooted, the memory cache is written to the disk, then re-read at startup, retaining the previous state. Windows DC polling restarts on boot, then searches backwards in the DC log files until it reaches either the log that matches the last known serial number found in the login cache file, the log that is older than the last recorded read time, or the end of the log file, whichever is reached first.
The currently logged in FSSO users list is cached in memory and periodically written to disk. In an active-passive HA cluster, this file is synchronized to the slave device.
Windows management instrumentation polling
FortiAuthenticator supports Windows Management Instrumentation (WMI) polling to detect workstation log off. This validates the currently logged on user for an IP address that has been discovered by the DC polling detection method.
Remote WMI access requires that the related ports are opened in the Windows firewall, and access to a domain account that belongs to the domain admin group.
To open ports in the Windows firewall in Windows 7, run
gpedit.msc, go to Computer configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, go to Allow remote admin exception, then enable remote admin exception and, if necessary, configure an IP subnet/range.